Hi all,

With respect to the bugs described in

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

<quote>


      SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

*Description:* It is possible to send a crafted sequence of SACKs which
will fragment the RACK send map. An attacker may be able to further
exploit the fragmented send map to cause an expensive linked-list walk
for subsequent SACKs received for that same TCP connection.

*Workaround #1:* Apply the patch split_limit.patch
<https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/split_limit.patch>
and set the |net.inet.tcp.rack.split_limit| sysctl to a reasonable value to
limit the size of the SACK table.

*Workaround #2:* Temporarily disable the RACK TCP stack.

(Note that either workaround should be sufficient on its own. It is not
necessary to apply both workarounds.)

</quote>

How do I know if this is enabled in my default kernel on RELENG_12?
There is some vague mention in various forums that this is not the default on
FreeBSD? Can anyone shed more light as to how this does/does not impact
FreeBSD?

    ---Mike


_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
