diff options
Diffstat (limited to 'website/static/security/advisories/FreeBSD-EN-22:25.tcp.asc')
-rw-r--r-- | website/static/security/advisories/FreeBSD-EN-22:25.tcp.asc | 140 |
1 files changed, 140 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-EN-22:25.tcp.asc b/website/static/security/advisories/FreeBSD-EN-22:25.tcp.asc new file mode 100644 index 0000000000..34870f06c0 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:25.tcp.asc @@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:25.tcp Errata Notice + The FreeBSD Project + +Topic: Possible data corruption with TCP SACK retransmissions + +Category: core +Module: tcp +Announced: 2022-08-28 +Credits: Richard Scheffenegger +Affects: FreeBSD 13.1 +Corrected: 2022-09-14 01:28:03 UTC (stable/13, 13.1-STABLE) + 2022-11-01 13:28:11 UTC (releng/13.1, 13.1-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +TCP supports an enhancement that allows faster recovery and retransmission of +data when loss is discovered called Selected Acknowledgements (SACK). + +SACK allows a TCP sender to communicate more information about which segments +are lost. During a SACK episode a TCP sender will reduce its rate to avoid +causing congestion on the network. + +II. Problem Description + +A change made to make TCP more resilient and effective when handling loss +recovery by SACK, could lead to connection interruption when incoming ACKs +suddenly no longer contain SACK blocks. + +III. Impact + +This can lead to correct data being placed at the wrong offset in the +stream in a non-deterministic manner. This can result in termination of +the TCP connection by the application or in the worst case silent data +corruption. + +IV. Workaround + +Disable SACK globally by setting the net.inet.tcp.sack.enable sysctl to 0: + + # sysctl net.inet.tcp.sack.enable=0 + +Note that this will only affect new connections. Thus, either persist the +setting in /etc/sysctl.conf and reboot, or ensure that any critical connections +are restarted after modifying the sysctl setting. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +A reboot is required for these changes to be applied. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +A reboot is required for these changes to be applied. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:25/tcp.patch +# fetch https://security.FreeBSD.org/patches/EN-22:25/tcp.patch.asc +# gpg --verify tcp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 2b8ee332b938 stable/13-n252399 +releng/13.1/ dd35207e2025 releng/13.1-n250162 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:25.tcp.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmNhmIQACgkQ05eS9J6n +5cLiKA/+NSB8VRq7tjXC0+MFQAPEL9YUtQYyRfn8u3YywHli/6RTeTQPKfd6BnvK +T1clrnVFgp97QG948WAQ7ehct1GRAlrOagVHP0DnQqqQnTmoIVO0vyMVlQ1ONcAY +GO3VxZfEUJhbtcSLIdT03RG3Y+lK7R4Bs6mplkBUpVGOtrhtdmNBULgC8N1HiwHg +wJJpr/9/EMPqGXVtm1MzvgeKH4SIfNsDoiS4W90g1CepsPWylY+vsVjPhXR74gxz +peNHKFQM7SpTm1hc9YqwjyU5qFExq/O+je273sykyld6ZcJCpKe50+dE8D+gHpu6 +6CwiLb+uDQcF3RN9ofunRDvpYdtl1muT2/zQQ6yJ6DWJzvWpav+PTA4gEeDj8b+b +eu8wR7IoSPAHxqnGrvmB1EVn1tvFLF/mtcsrE1fdGviNf5LI/P5OYgZ6pkHaEJoN +NNnhPWZlteFsXYvD+Rz6rlhM86wE2/5Zj88oR36K6xUtbUimmES4NOU82q9MFMPU +nzOqflNf194o71ZbjdJK1gIemijRP90helrhGNHMBVdRM6UD/MywL349jIDzwp7Y +V3Jlpd+yU6K5Yuw5+nG7Z6oEJTwQI7vKNkEg6xnjpaaH47NaijGZDFb3SXvvCW4e +f/x3Y7sMPIRJIaKxKIbcRodeGChkkMZDEQ69OyuxBeP6Xo6OKOg= +=GANq +-----END PGP SIGNATURE----- |