[kernel-sec-discuss] r5006 - active retired

Ben Hutchings benh at moszumanska.debian.org
Thu Feb 23 23:40:21 UTC 2017


Author: benh
Date: 2017-02-23 23:40:21 +0000 (Thu, 23 Feb 2017)
New Revision: 5006

Added:
   retired/CVE-2017-5972
Removed:
   active/CVE-2017-5972
Log:
Triage and retire CVE-2017-5972

Deleted: active/CVE-2017-5972
===================================================================
--- active/CVE-2017-5972	2017-02-23 23:40:01 UTC (rev 5005)
+++ active/CVE-2017-5972	2017-02-23 23:40:21 UTC (rev 5006)
@@ -1,14 +0,0 @@
-Description: SYN cookie protection mechanism not properly implemented
-References:
- https://cxsecurity.com/issue/WLB-2017020112
- https://githubengineering.com/syn-flood-mitigation-with-synsanity/
-Notes:
-Bugs:
- https://bugzilla.redhat.com/show_bug.cgi?id=1422081
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-3.16-jessie-security:
-3.2-wheezy-security:

Copied: retired/CVE-2017-5972 (from rev 5005, active/CVE-2017-5972)
===================================================================
--- retired/CVE-2017-5972	                        (rev 0)
+++ retired/CVE-2017-5972	2017-02-23 23:40:21 UTC (rev 5006)
@@ -0,0 +1,20 @@
+Description: TCP SYN handling serialised by listening socket lock
+References:
+ https://cxsecurity.com/issue/WLB-2017020112
+ https://githubengineering.com/syn-flood-mitigation-with-synsanity/
+Notes:
+ bwh> This is described as a defect in SYN cookies, but it's really a
+ bwh> scaling limitation that was never intended to be addressed by
+ bwh> cookies.  The listening socket's lock is held while processing
+ bwh> SYN packets, so an attacker only needs to keep 1 CPU busy to
+ bwh> achieve DoS.  While the upstream fix looks simple, I think it
+ bwh> depends on a number of earlier commits.
+Bugs:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1422081
+upstream: released (4.4-rc1) [e994b2f0fb9229aeff5eea9541320bd7b2ca8714]
+4.9-upstream-stable: N/A "Fixed before branch point"
+3.16-upstream-stable: ignored "Known perfomance limitation"
+3.2-upstream-stable: ignored "Known perfomance limitation"
+sid: released (4.4~rc4-1~exp1)
+3.16-jessie-security: ignored "Known perfomance limitation"
+3.2-wheezy-security: ignored "Known perfomance limitation"
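
Review bot: the reason string on the 3.16-upstream-stable, 3.2-upstream-stable, 3.16-jessie-security and 3.2-wheezy-security lines is misspelled as "perfomance"; it should read "Known performance limitation" so that searches across the tracker for that reason match these entries. The bwh note also says the upstream fix "depends on a number of earlier commits" without naming any of them. Listing those prerequisite commits alongside e994b2f0fb9229aeff5eea9541320bd7b2ca8714 would let a later reader re-check the "ignored" status for the 3.16 and 3.2 branches without redoing the triage.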



