Re: (OT kinda) Newly-discovered TCP flaw

On 2016-08-13, Reco wrote: > Hi. > > On Sat, 13 Aug 2016 09:04:34 + (UTC) > Curt wrote: > >> I am reading (see link below) that "The RFC 5961 spec is implemented in >> Linux kernel v 3.6 and later." >> >> http://www.linuxinsider.com/story/83798.html >> >> As I'm running a v 3.2 kernel

Re: (OT kinda) Newly-discovered TCP flaw

On 2016-08-13, Pascal Hambourg wrote: >> >> As I'm running a v 3.2 kernel, I guess I'm actually not concerned by the >> matter (or am I)? > > You are if you are using the latest Debian 3.2 kernel. Please see my > previous reply to the same assumption in this thread. Thank you. > "Later" does no

Re: (OT kinda) Newly-discovered TCP flaw

Hi. On Sat, 13 Aug 2016 09:04:34 + (UTC) Curt wrote: > I am reading (see link below) that "The RFC 5961 spec is implemented in > Linux kernel v 3.6 and later." > > http://www.linuxinsider.com/story/83798.html > > As I'm running a v 3.2 kernel, I guess I'm actually not concerned by

Re: (OT kinda) Newly-discovered TCP flaw

Le 13/08/2016 à 11:04, Curt a écrit : I am reading (see link below) that "The RFC 5961 spec is implemented in Linux kernel v 3.6 and later." As I'm running a v 3.2 kernel, I guess I'm actually not concerned by the matter (or am I)? You are if you are using the latest Debian 3.2 kernel. Please

Re: (OT kinda) Newly-discovered TCP flaw

Hi. On Fri, 12 Aug 2016 16:35:59 -0500 Hugo Vanwoerkom wrote: > On 08/11/2016 11:46 AM, Curt wrote: > > On 2016-08-11, Reco wrote: > >>Hi. > >> > >> On Thu, Aug 11, 2016 at 03:55:56PM +, Curt wrote: > >>> > >>> http://www.pcworld.com/article/3106180/security/use-the-internet-thi

Re: (OT kinda) Newly-discovered TCP flaw

On 2016-08-12, Hugo Vanwoerkom wrote: >>> >>> If you're relying on HTTP or FTP - you're screwed. If you prefer HTTPS >>> and SSH - it does not concern you. >>> >>> To workaround the problem, use (/etc/sysctl.conf is preferred): >>> >>> sysctl -w net.ipv4.tcp_challenge_ack_limit=9 >> >> Tha

Re: The Debian/Ubuntu/Mint installer was Re: (OT kinda) Newly-discovered TCP flaw

On Saturday 13 August 2016 04:11:19 Gene Heskett wrote: > On Friday 12 August 2016 19:02:15 Lisi Reisz wrote: > > On Friday 12 August 2016 16:57:09 Gene Heskett wrote: > > > If that works, I will STFU about their broken installer, if not, > > > that campaign to get it fixed to work with a pre-parti

Re: The Debian/Ubuntu/Mint installer was Re: (OT kinda) Newly-discovered TCP flaw

On Friday 12 August 2016 19:02:15 Lisi Reisz wrote: > On Friday 12 August 2016 16:57:09 Gene Heskett wrote: > > If that works, I will STFU about their broken installer, if not, > > that campaign to get it fixed to work with a pre-partitioned disk > > will continue. > > It does in general work with

The Debian/Ubuntu/Mint installer was Re: (OT kinda) Newly-discovered TCP flaw

On Friday 12 August 2016 16:57:09 Gene Heskett wrote: > If that works, I will STFU about their broken installer, if not, that > campaign to get it fixed to work with a pre-partitioned disk will > continue. It does in general work with a pre-partitioned disk. Anyhow it works for me, and many othe

Re: (OT kinda) Newly-discovered TCP flaw

On 08/11/2016 11:46 AM, Curt wrote: On 2016-08-11, Reco wrote: Hi. On Thu, Aug 11, 2016 at 03:55:56PM +, Curt wrote: http://www.pcworld.com/article/3106180/security/use-the-internet-this-linux-flaw-could-open-you-up-to-attack.html?google_editors_picks=true Calling all experts: c

Re: (OT kinda) Newly-discovered TCP flaw

Gene Heskett wrote: > Wouldn't a network restart fix that?  Or are there other low hanging > fruit in this scene? I'm not sure as it is in the kernel - I don't know what and how is using this piece of code.

Re: (OT kinda) Newly-discovered TCP flaw

A report on this showed up on ZDNet this morning: http://www.zdnet.com/article/linux-tcp-flaw-lets-anyone-hijack-internet-traffic Apparently, it affects Linux 3.6 and up. Hopefully, I don't have to root my Android devices to fix the problem there (we'll see how quickly Samsung rolls out the patc

Re: (OT kinda) Newly-discovered TCP flaw

On 2016-08-12, rhkra...@gmail.com wrote: > On Friday, August 12, 2016 08:22:26 AM Curt wrote: >> On 2016-08-12, Gene Heskett wrote: >> > I interpret that, since the word "at run time" in that README to mean a >> > reboot. And I do not see an exception in that README that should muddy >> > that m

Re: (OT kinda) Newly-discovered TCP flaw

On Friday 12 August 2016 08:22:26 Curt wrote: > On 2016-08-12, Gene Heskett wrote: > >> Simply using the command 'net.ipv4.tcp_challenge_ack_limit = > >> 9' as root sets the value, but does not survive a reboot. > >> Running 'sysctl -p' with no argument after having issued the above > >>

Re: (OT kinda) Newly-discovered TCP flaw

On Fri, Aug 12, 2016 at 05:19:21PM +0200, Pascal Hambourg wrote: > Why then is the sysctl present in the current Wheezy's 3.2 kernel ? > > The patches which introduced the flawed feature were backported in > upstream 3.2.37 kernel. > >

Re: (OT kinda) Newly-discovered TCP flaw

Oops, my apologies, I did have a senior moment (but not the one I allluded to earlier)--the reference I found to runtime was in the man page for sysctl, not the README. On Friday, August 12, 2016 10:54:52 AM Greg Wooledge wrote: > I did some web surfing when this thread was posted, to try to tr

Re: (OT kinda) Newly-discovered TCP flaw

Le 12/08/2016 à 16:54, Greg Wooledge a écrit : So the flaw appears to be in Linux kernels from 3.6 to 4.6 inclusive, which includes Jessie (3.16) but not Wheezy (3.2) or earlier. Why then is the sysctl present in the current Wheezy's 3.2 kernel ? The patches which introduced the flawed featur

Re: (OT kinda) Newly-discovered TCP flaw

I did some web surfing when this thread was posted, to try to track down *which kernel versions* are affected by this TCP security flaw. I haven't seen this information posted yet. http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf says: "The feature is outlined in RFC 5961, which is im

Re: (OT kinda) Newly-discovered TCP flaw

On Friday, August 12, 2016 08:22:26 AM Curt wrote: > On 2016-08-12, Gene Heskett wrote: > > I interpret that, since the word "at run time" in that README to mean a > > reboot. And I do not see an exception in that README that should muddy > > that meaning. > > I do not have the phrase "at run ti

Re: (OT kinda) Newly-discovered TCP flaw

On 2016-08-12, Gene Heskett wrote: >> >> Simply using the command 'net.ipv4.tcp_challenge_ack_limit = >> 9' as root sets the value, but does not survive a reboot. >> Running 'sysctl -p' with no argument after having issued the above >> command does nothing but reread '/etc/sysctl.conf' (an

Re: (OT kinda) Newly-discovered TCP flaw

On Friday 12 August 2016 06:40:27 deloptes wrote: > Gene Heskett wrote: > > And if this has been installed into the /etc/sysctl.conf file, what > > will it be set to after a reboot? > > > > I interpret that, since the word "at run time" in that README to > > mean a reboot.  And I do not see an exc

Re: (OT kinda) Newly-discovered TCP flaw

Gene Heskett wrote: > And if this has been installed into the /etc/sysctl.conf file, what will > it be set to after a reboot? > > I interpret that, since the word "at run time" in that README to mean a > reboot.  And I do not see an exception in that README that should muddy > that meaning. you

Re: (OT kinda) Newly-discovered TCP flaw

On Friday 12 August 2016 04:58:06 Curt wrote: > On 2016-08-11, Bob Weber wrote: > > The way to do it is to put the line: > > > > net.ipv4.tcp_challenge_ack_limit = 9 > > > > in a file in the /etc/sysctl.d directory named xxx.conf (replace xxx > > with your preferred name). > > > > Then ru

Re: (OT kinda) Newly-discovered TCP flaw

On 2016-08-11, Bob Weber wrote: > The way to do it is to put the line: > > net.ipv4.tcp_challenge_ack_limit = 9 > > in a file in the /etc/sysctl.d directory named xxx.conf (replace xxx with your > preferred name). > > Then run "sysctl -p xxx.conf" and the new value is installed in the kern

Re: (OT kinda) Newly-discovered TCP flaw

On Thursday 11 August 2016 16:35:06 deloptes wrote: > Joe wrote: > > On Thu, 11 Aug 2016 20:31:37 +0100 > > > > Lisi Reisz wrote: > >> I copied and pasted the commands exactly, and ran them as root, and > >> got an echo of net.ipv4.tcp_challenge_ack_limit = 9 in > >> response to the first

Re: (OT kinda) Newly-discovered TCP flaw

On Thursday 11 August 2016 15:31:37 Lisi Reisz wrote: > On Thursday 11 August 2016 20:06:26 Gene Heskett wrote: > > On Thursday 11 August 2016 15:44:24 Doug wrote: > > > On 08/11/2016 12:50 PM, Gene Heskett wrote: > > > > On Thursday 11 August 2016 12:47:09 Nicolas George wrote: > > > > CC:ing emc

Re: (OT kinda) Newly-discovered TCP flaw

The way to do it is to put the line: net.ipv4.tcp_challenge_ack_limit = 9 in a file in the /etc/sysctl.d directory named xxx.conf (replace xxx with your preferred name). Then run "sysctl -p xxx.conf" and the new value is installed in the kernel tree. My system had a value of 100 before

Re: (OT kinda) Newly-discovered TCP flaw

Joe wrote: > /sys/ I compiled the kernels (4.6.4 and 2.6.26.2) myself and this is not present in any of them. It is present only in the debian kernel ... need to read more tomorrow where it is coming from. One good reason to keep compiling the kernels on the critical machines with only the option

Re: (OT kinda) Newly-discovered TCP flaw

On Thu, 11 Aug 2016 22:35:06 +0200 deloptes wrote: > Joe wrote: > > > On Thu, 11 Aug 2016 20:31:37 +0100 > > Lisi Reisz wrote: > > > > > >> > >> I copied and pasted the commands exactly, and ran them as root, and > >> got an echo of net.ipv4.tcp_challenge_ack_limit = 9 in > >> resp

Re: (OT kinda) Newly-discovered TCP flaw

Joe wrote: > On Thu, 11 Aug 2016 20:31:37 +0100 > Lisi Reisz wrote: > > >> >> I copied and pasted the commands exactly, and ran them as root, and >> got an echo of net.ipv4.tcp_challenge_ack_limit = 9 in >> response to the first and a blank return in response to the second. >> I don't

Re: (OT kinda) Newly-discovered TCP flaw

On Thu, 11 Aug 2016 20:31:37 +0100 Lisi Reisz wrote: > > I copied and pasted the commands exactly, and ran them as root, and > got an echo of net.ipv4.tcp_challenge_ack_limit = 9 in > response to the first and a blank return in response to the second. > I don't know the significance. >

Re: (OT kinda) Newly-discovered TCP flaw

On Thursday 11 August 2016 20:06:26 Gene Heskett wrote: > On Thursday 11 August 2016 15:44:24 Doug wrote: > > On 08/11/2016 12:50 PM, Gene Heskett wrote: > > > On Thursday 11 August 2016 12:47:09 Nicolas George wrote: > > > CC:ing emc-developers, and trinity-users who may not yet be aware of > > >

Re: (OT kinda) Newly-discovered TCP flaw

On Thursday 11 August 2016 15:44:24 Doug wrote: > On 08/11/2016 12:50 PM, Gene Heskett wrote: > > On Thursday 11 August 2016 12:47:09 Nicolas George wrote: > > CC:ing emc-developers, and trinity-users who may not yet be aware of > > this tcp attack vector thats quite dangerous. And my post to > >

Re: (OT kinda) Newly-discovered TCP flaw

On 08/11/2016 12:50 PM, Gene Heskett wrote: On Thursday 11 August 2016 12:47:09 Nicolas George wrote: CC:ing emc-developers, and trinity-users who may not yet be aware of this tcp attack vector thats quite dangerous. And my post to trinity-users was in error, so this corrects it. Le quintidi 2

Re: (OT kinda) Newly-discovered TCP flaw

On Thursday 11 August 2016 12:47:09 Nicolas George wrote: CC:ing emc-developers, and trinity-users who may not yet be aware of this tcp attack vector thats quite dangerous. And my post to trinity-users was in error, so this corrects it. > Le quintidi 25 thermidor, an CCXXIV, Gene Heskett a écrit

Re: (OT kinda) Newly-discovered TCP flaw

On 2016-08-11, Gene Heskett wrote: > On Thursday 11 August 2016 12:47:09 Nicolas George wrote: > >> Le quintidi 25 thermidor, an CCXXIV, Gene Heskett a écrit : >> > to add should be changed to forward slashes: >> >> You are wrong, sysctl supports both slashes and dots as separators. >> >> Regards,

Re: (OT kinda) Newly-discovered TCP flaw

Le quintidi 25 thermidor, an CCXXIV, Gene Heskett a écrit : > to add should be changed to forward slashes: You are wrong, sysctl supports both slashes and dots as separators. Regards, -- Nicolas George

Re: (OT kinda) Newly-discovered TCP flaw

On Thursday 11 August 2016 12:47:09 Nicolas George wrote: > Le quintidi 25 thermidor, an CCXXIV, Gene Heskett a écrit : > > to add should be changed to forward slashes: > > You are wrong, sysctl supports both slashes and dots as separators. > > Regards, Apparently not on my wheezy based install,

Re: (OT kinda) Newly-discovered TCP flaw

On Thu, Aug 11, 2016 at 12:16:30PM -0400, Gene Heskett wrote: > On Thursday 11 August 2016 11:55:56 Curt wrote: > > > http://www.pcworld.com/article/3106180/security/use-the-internet-this- > >linux-flaw-could-open-you-up-to-attack.html?google_editors_picks=true > > > > Calling all experts: cause f

Re: (OT kinda) Newly-discovered TCP flaw

On 2016-08-11, Reco wrote: > Hi. > > On Thu, Aug 11, 2016 at 03:55:56PM +, Curt wrote: >> >> http://www.pcworld.com/article/3106180/security/use-the-internet-this-linux-flaw-could-open-you-up-to-attack.html?google_editors_picks=true >> >> Calling all experts: cause for concern? > > Deb

Re: (OT kinda) Newly-discovered TCP flaw

On Thursday 11 August 2016 11:55:56 Curt wrote: > http://www.pcworld.com/article/3106180/security/use-the-internet-this- >linux-flaw-could-open-you-up-to-attack.html?google_editors_picks=true > > Calling all experts: cause for concern? I do not know if wheezy is/can be affected, however the fix p

Re: (OT kinda) Newly-discovered TCP flaw

Hi. On Thu, Aug 11, 2016 at 03:55:56PM +, Curt wrote: > > http://www.pcworld.com/article/3106180/security/use-the-internet-this-linux-flaw-could-open-you-up-to-attack.html?google_editors_picks=true > > Calling all experts: cause for concern? Debian stable is affected. If you're rel

(OT kinda) Newly-discovered TCP flaw

http://www.pcworld.com/article/3106180/security/use-the-internet-this-linux-flaw-could-open-you-up-to-attack.html?google_editors_picks=true Calling all experts: cause for concern? -- Même l’avenir n’est plus ce qu’il était. Paul Valéry