projects / noc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f757448)
ansible/base: Workaround [NFLX-2019-001] (CVE-2019-1147{7,8,9})
authornicoo <nicoo@realraum.at>
Mon, 17 Jun 2019 21:04:15 +0000 (17:04 -0400)
committernicoo <nicoo@realraum.at>
Mon, 17 Jun 2019 21:04:15 +0000 (17:04 -0400)
Disable Selective Acknowledgement (SACK)

[NFLX-2019-001]: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

ansible/roles/base/tasks/06net.yml patch | blob | history

diff --git a/ansible/roles/base/tasks/06net.yml b/ansible/roles/base/tasks/06net.yml
index 04e33cd..e257b9b 100644 (file)
--- a/ansible/roles/base/tasks/06net.yml
+++ b/ansible/roles/base/tasks/06net.yml
@@ -24,5 +24,10 @@
     # C.f. https://queue.acm.org/detail.cfm?id=3022184
     net.ipv4.tcp_congestion_control: bbr
 
+    # Disable Selective Acknowledgement (SACK)
+    # Workaround CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
+    # See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+    net.ipv4.tcp_sack: 0
+
   loop_control:
     label: "{{ item.key }}"
realraum noc documentation and public ressources