Control: reassign 905751 src:linux 4.9~rc3-1~exp1
Control: retitle -1 linux: CVE-2018-5390
Control: severity -1 grave
Control: fixed -1 4.9.110-3+deb9u1

Hi,

On Wed, Aug 08, 2018 at 04:42:42PM -0600, Jamie wrote:
> Package: Kernel
> Version: 4.9+
> Severity: Critical
>
> So I was reading isc.sans.edu and came across this
> That people are dubbing "segmentsmack"
>
> https://isc.sans.edu/forums/diary/What+Do+I+Need+To+Know+about+SegmentSmack/23964/
>
> Which affects Linux Kernels 4.9+
>
> https://www.kb.cert.org/vuls/id/962459
> "The Linux kernel versions 4.9+ and supported versions of
> FreeBSD are vulnerable to denial of service conditions with low
> rates of specially modified packets."
>
>
> Vulnerability Note VU#962459
> TCP implementations vulnerable to Denial of Service
>
> The Linux kernel versions 4.9+ and supported versions of FreeBSD are vulnerable
> to denial of service conditions with low rates of specially modified packets.
> Description
>
> CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5390
>
> Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue()
> and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.
>
> CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-6922
> A TCP data structure in supported versions of FreeBSD (11, 11.1, 11.2, 10, and 10.4) uses an
> inefficient algorithm to reassemble the data.
>
> Now it does say that Debian is susceptible to this bug as well.
>
> "Debian GNU/Linux Affected 23 Jul 2018"
>
> uname -a
> Linux server1 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux
>
> As you can see I am on Debian 9.5 using a kernel version of 4.9.88-1+deb9u1

It is already fixed for stable via DSA-4266-1 (https://www.debian.org/security/2018/dsa-4266).

Regards,
Salvatore
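The question behind this report is simply "is the kernel I am running at or past the version the Control: fixed line names?". The check below is an added example, not part of the bug report and not Debian tooling: it pulls the Debian package version out of the `uname -v` portion of the `uname -a` line shown above (the `Debian 4.9.88-1+deb9u1` token; a kernel not built from the Debian package will not carry it) and compares it with the fixed version 4.9.110-3+deb9u1 using a pure-Python re-implementation of dpkg's version ordering, so it also runs on a machine without dpkg. The extra `uname -v` strings used for illustration are constructed; on a real Debian host `dpkg --compare-versions` remains the authoritative comparison.

```python
"""Is the running Debian 4.9 kernel at or past the SegmentSmack fix?

Added example, not from the bug report. The fixed version comes from the
report's "Control: fixed -1 4.9.110-3+deb9u1" line; the version comparison
re-implements dpkg's ordering rules (epoch, upstream, revision; digit runs
compared numerically, '~' sorting before everything else).
"""
import re

FIXED_VERSION = "4.9.110-3+deb9u1"  # from the bug's "Control: fixed" line


def _order(c):
    """Weight of one character in dpkg's non-digit comparison."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1  # '~' sorts before everything, even end of string
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """dpkg's comparison of a single component (upstream or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs: compare character by character using _order.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs: drop leading zeros, compare digit by digit, and let the
        # longer run (the larger number) win before the first difference counts.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, in the same sense as `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    return r if r else _verrevcmp(ra, rb)


def kernel_package_version(uname_v):
    """Extract the Debian package version from `uname -v` text, or None."""
    m = re.search(r"\bDebian (\S+)", uname_v)
    return m.group(1) if m else None


def is_fixed(uname_v, fixed=FIXED_VERSION):
    """True if at/after the fixed version, False if before, None if not a Debian kernel."""
    v = kernel_package_version(uname_v)
    if v is None:
        return None
    return compare_versions(v, fixed) >= 0


if __name__ == "__main__":
    import subprocess
    # The version string from the bug report, plus constructed variants.
    samples = [
        "#1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07)",      # from the report
        "#1 SMP Debian 4.9.110-3+deb9u1 (constructed)",    # exactly the fixed version
        "#1 SMP Debian 4.9.110-3~bpo9+1 (constructed)",    # '~' revision sorts below the fix
    ]
    try:
        samples.append(subprocess.run(["uname", "-v"], capture_output=True, text=True).stdout.strip())
    except OSError:
        pass
    for s in samples:
        print(f"{s!r}: fixed={is_fixed(s)}")
```

The `~` case is the one worth remembering when reading such version strings: `4.9.110-3~bpo9+1` is a backport built before `4.9.110-3`, so dpkg orders it below the fixed version even though the upstream part matches.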