On 2016-08-12, Hugo Vanwoerkom <hvw59...@care2.com> wrote:
>>>
>>> If you're relying on HTTP or FTP - you're screwed. If you prefer HTTPS
>>> and SSH - it does not concern you.
>>>
>>> To work around the problem, use (/etc/sysctl.conf is preferred):
>>>
>>> sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999
>>
>> Thank you very much for this.
>>
>>> To solve the problem you should wait until Debian-provided kernels gain
>>> a backport for CVE-2016-5696.
>>>
>
> And how will one know when to remove this patch? Or rather what effect
> will it have if it never is removed?
My guess is nothing (will or would happen). Surely consulting your favorite search engine should keep you informed on the evolution of this affair.

What's ironic is that in attempting to throttle the number of challenge ACKs as a security measure, they opened up the big flaw. Must be one of those moral lessons hiding in there somewhere.

I am reading (see link below) that "The RFC 5961 spec is implemented in Linux kernel v 3.6 and later."

http://www.linuxinsider.com/story/83798.html

As I'm running a v 3.2 kernel, I guess I'm actually not concerned by the matter (or am I)? I applied the patch anyway, as I'm in doubt.

> Hugo
>
>
>

--
Even the future is no longer what it used to be. Paul Valéry
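As an added example, not part of the thread: a small POSIX sh check that answers the two questions raised above (is this kernel in the affected range, and is the sysctl workaround in place?). It assumes, as the cited article states, that RFC 5961 challenge ACKs arrived in kernel 3.6, and it treats the value 999999999 quoted above as the workaround; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example for the CVE-2016-5696 thread; not code from any poster.
# Assumption (from the cited article): RFC 5961 support starts in 3.6.

# kernel_has_rfc5961 VERSION -> exit 0 if VERSION is 3.6 or later.
# Accepts Debian-style strings such as "3.2.0-4-amd64" (constructed sample).
kernel_has_rfc5961() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}      # drop suffixes like "0-4-amd64" -> "0"
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 6 ]; }
}

# workaround_applied LIMIT -> exit 0 if the challenge ACK limit is at least
# the value the thread recommends (999999999). Non-numeric input fails.
workaround_applied() {
    [ "$1" -ge 999999999 ] 2>/dev/null
}

# classify VERSION LIMIT -> prints one of:
#   not-affected  kernel predates RFC 5961 support (per the cited article)
#   unknown       affected kernel, but the sysctl could not be read
#   mitigated     affected kernel with the limit raised
#   exposed       affected kernel still at the default rate limit
classify() {
    if ! kernel_has_rfc5961 "$1"; then
        echo not-affected
    elif [ "$2" = unknown ]; then
        echo unknown
    elif workaround_applied "$2"; then
        echo mitigated
    else
        echo exposed
    fi
}

# Live check on this host. The sysctl file is absent on kernels that never
# had the knob, so its absence is reported as "unknown" rather than guessed.
check_host() {
    ver=$(uname -r)
    lim=$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit 2>/dev/null || echo unknown)
    echo "kernel $ver, tcp_challenge_ack_limit=$lim: $(classify "$ver" "$lim")"
}
```

Run `check_host` on a box to see where it stands; once a Debian kernel with the CVE-2016-5696 backport is installed, the check only tells you whether the sysctl is still raised, not whether it is still needed.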