Hi, On Wed, Aug 15, 2018 at 04:02:59PM +0200, Matus UHLAR - fantomas wrote: > Hello, > > On 14.08.18 21:52, Salvatore Bonaccorso wrote: > > CVE-2018-5391 (FragmentSmack) > > > > Juha-Matti Tilli discovered a flaw in the way the Linux kernel > > handled reassembly of fragmented IPv4 and IPv6 packets. A remote > > attacker can take advantage of this flaw to trigger time and > > calculation expensive fragment reassembly algorithms by sending > > specially crafted packets, leading to remote denial of service. > > > > This is mitigated by reducing the default limits on memory usage > > for incomplete fragmented packets. The same mitigation can be > > achieved without the need to reboot, by setting the sysctls: > > > > net.ipv4.ipfrag_high_thresh = 262144 > > net.ipv6.ip6frag_high_thresh = 262144 > > net.ipv4.ipfrag_low_thresh = 196608 > > net.ipv6.ip6frag_low_thresh = 196608 > > It seems that the thresholds should be applied in reverse order, the stretch > kernel complains if we try to shring the high threshold below the low one > (and is probably right).
Yes that's right. I have fixed this information/listing in the webversion of the DSA, but cannot be fixed for the sent mail. I asked debian-www team if the listing can be improved there. Regards, Salvatore
