(from parent 1:
f757448
)
Merge pull request #63 from realraum/sack-workaround
author
Christian Pointner
<equinox@realraum.at>
Mon, 17 Jun 2019 21:39:27 +0000
(23:39 +0200)
committer
GitHub
<noreply@github.com>
Mon, 17 Jun 2019 21:39:27 +0000
(23:39 +0200)
ansible/base: Workaround SACK DoS ([NFLX-2019-001])
ansible/roles/base/tasks/06net.yml
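--- a/ansible/roles/base/tasks/06net.yml
+++ b/ansible/roles/base/tasks/06net.yml
@@ -24,5 +24,10 @@
 # C.f. https://queue.acm.org/detail.cfm?id=3022184
 net.ipv4.tcp_congestion_control: bbr
+ # Disable Selective Acknowledgement (SACK)
+ # Workaround CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
+ # See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ net.ipv4.tcp_sack: 0
+
 loop_control:
 label: "{{ item.key }}"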
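Review bot: The added comment above `net.ipv4.tcp_sack: 0` lists CVE-2019-11479, but as far as I read the linked advisory, turning SACK off only covers CVE-2019-11477 and CVE-2019-11478; the low-MSS issue is handled by filtering small-MSS connections or by a fixed kernel. I would reword it to `# Workaround for CVE-2019-11477 and CVE-2019-11478 only; CVE-2019-11479 needs low-MSS filtering or a patched kernel` so nobody records these hosts as covered for all three. Since disabling SACK costs throughput on lossy links, a `# TODO: remove once every host runs a fixed kernel` line would keep the workaround from becoming permanent. The enclosing task starts above the hunk, so how the value is applied and persisted is not visible here.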