-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-EN-08:02.tcp                                      Errata Notice
                                                          The FreeBSD Project

Topic:          TCP options padding

Category:       core
Module:         sys_netinet
Announced:      2008-06-19
Credits:        Bjoern A. Zeeb, Mike Silbersack, Andre Oppermann
Affects:        7.0-RELEASE
Corrected:      2008-05-05 20:59:36 UTC (RELENG_7, 7.0-STABLE)
                2008-06-19 06:36:10 UTC (RELENG_7_0, 7.0-RELEASE-p2)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.  TCP packets can contain "TCP options" which allow for
enhancements to basic TCP functionality.  Because the TCP header's data
offset field counts 32-bit words, the option list must end on a 4-byte
boundary; depending on the combined length of the options sent, it may
be necessary for padding to be added.

II.  Problem Description

Under certain conditions, TCP options are not correctly padded.

III. Impact

A small number of firewalls have been reported to block incorrectly
padded TCP SYN and SYN/ACK packets generated by FreeBSD 7.0, with the
result that an attempt to open a TCP connection to or from an affected
host across such a firewall will fail.

IV.  Workaround

Disabling RFC 1323 extensions and selective acknowledgments will
eliminate the need for TCP option padding and restore interoperability.
Note that disabling these features may cause a reduction in performance
on high latency networks and networks that experience frequent packet
loss.

To disable these features, add the following lines to /etc/sysctl.conf:

net.inet.tcp.rfc1323=0
net.inet.tcp.sack.enable=0

And then run "/etc/rc.d/sysctl restart" to make the change effective.
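The following is an added illustration of the padding rule described in
sections I and IV; it is example code written for this page, not code
from the FreeBSD kernel, and the structure and function names are
hypothetical.  It encodes the options a SYN typically carries (MSS,
window scale, SACK-permitted, timestamps), shows that the unpadded block
is 19 bytes, which no 32-bit data offset can express, pads it to 20
bytes with EOL and zeros as RFC 793 requires, and checks the result the
way a strict receiver or firewall might.  It also shows why the
workaround works: with RFC 1323 and SACK disabled only the 4-byte MSS
option remains, and no padding is needed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TCP option kinds: RFC 793 (EOL, NOP, MSS), RFC 1323 (WS, TS),
 * RFC 2018 (SACK-permitted). */
enum {
    TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MAXSEG = 2, TCPOPT_WINDOW = 3,
    TCPOPT_SACK_PERMITTED = 4, TCPOPT_TIMESTAMP = 8
};
#define TCP_MAXOLEN 40  /* 4-bit data offset: header <= 60 bytes, 20 fixed */

/* Which options to emit on a SYN.  Hypothetical structure for this
 * example; it does not mirror any FreeBSD kernel type. */
struct tcpopt_req {
    int      mss;      /* > 0 to send MSS */
    int      wscale;   /* >= 0 to send window scale (RFC 1323) */
    int      sack_ok;  /* nonzero to send SACK-permitted (RFC 2018) */
    int      send_ts;  /* nonzero to send timestamps (RFC 1323) */
    uint32_t tsval, tsecr;
};

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Encode the requested options back to back.  If pad is nonzero, extend
 * the block to a multiple of 4 bytes with an EOL followed by zero bytes.
 * Returns the option block length, or -1 if it will not fit. */
int tcp_encode_options(const struct tcpopt_req *r, uint8_t *buf, int pad) {
    int n = 0;
    if (r->mss > 0) {
        if (n + 4 > TCP_MAXOLEN) return -1;
        buf[n++] = TCPOPT_MAXSEG; buf[n++] = 4;
        buf[n++] = (uint8_t)(r->mss >> 8); buf[n++] = (uint8_t)r->mss;
    }
    if (r->wscale >= 0) {
        if (n + 3 > TCP_MAXOLEN) return -1;
        buf[n++] = TCPOPT_WINDOW; buf[n++] = 3; buf[n++] = (uint8_t)r->wscale;
    }
    if (r->sack_ok) {
        if (n + 2 > TCP_MAXOLEN) return -1;
        buf[n++] = TCPOPT_SACK_PERMITTED; buf[n++] = 2;
    }
    if (r->send_ts) {
        if (n + 10 > TCP_MAXOLEN) return -1;
        buf[n++] = TCPOPT_TIMESTAMP; buf[n++] = 10;
        put32(buf + n, r->tsval); n += 4;
        put32(buf + n, r->tsecr); n += 4;
    }
    if (pad && (n & 3) != 0) {
        /* Data offset counts 32-bit words, so e.g. 19 bytes of options
         * cannot be described; round up to 20 with EOL + zeros. */
        int target = (n + 3) & ~3;
        if (target > TCP_MAXOLEN) return -1;
        buf[n++] = TCPOPT_EOL;
        while (n < target) buf[n++] = 0;
    }
    return n;
}

/* Walk an option block the way a strict receiver or firewall might.
 * Returns 1 if the block is well-formed: length is a multiple of 4 and
 * at most TCP_MAXOLEN, every multi-byte option has len >= 2 and fits,
 * and only zero bytes follow EOL.  Returns 0 otherwise. */
int tcp_options_wellformed(const uint8_t *buf, int len) {
    int i = 0;
    if (len < 0 || len > TCP_MAXOLEN || (len & 3) != 0) return 0;
    while (i < len) {
        uint8_t kind = buf[i];
        if (kind == TCPOPT_EOL) {
            for (i++; i < len; i++) if (buf[i] != 0) return 0;
            return 1;
        }
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return 0;            /* kind without a length byte */
        uint8_t olen = buf[i + 1];
        if (olen < 2 || i + olen > len) return 0;
        i += olen;
    }
    return 1;
}

/* A typical SYN: MSS + WS + SACK-permitted + TS = 4+3+2+10 = 19 bytes.
 * Constructed sample values.  Returns 19 unpadded, 20 padded. */
int example_syn_options(int pad, uint8_t *out) {
    struct tcpopt_req r = { 1460, 6, 1, 1, 0x12345678u, 0 };
    return tcp_encode_options(&r, out, pad);
}

/* Section IV workaround: rfc1323=0 and sack.enable=0 leave only MSS,
 * whose 4 bytes already end on a word boundary.  Returns 4. */
int example_workaround_options(uint8_t *out) {
    struct tcpopt_req r = { 1460, -1, 0, 0, 0, 0 };
    return tcp_encode_options(&r, out, 1);
}
```

A 19-byte option block is exactly what tcp_options_wellformed() rejects
on its first check, before it even looks at the options themselves; a
firewall doing the same length sanity check would drop the SYN, which is
the failure mode section III describes.  With padding enabled the same
options pass, and the workaround configuration produces a 4-byte block
that never needed padding in the first place.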

V.   Solution

Perform one of the following:

1) Upgrade your affected system to 7-STABLE, or the RELENG_7_0 security
branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 7.0 systems:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch
# fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/netinet/tcp.h                                          1.40.2.1
  src/sys/netinet/tcp_output.c                                  1.141.2.6
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.6
  src/sys/conf/newvers.sh                                    1.72.2.5.2.6
  src/sys/netinet/tcp.h                                          1.40.4.1
  src/sys/netinet/tcp_output.c                              1.141.2.3.2.1
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-08:02.tcp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkhaAaQACgkQFdaIBMps37KmwgCfdC7qerBUDdmxPLe6yKZEwb7/
TqwAoJGFuowGOY/oeEQr6/AQZm3zgRY3
=UlPD
-----END PGP SIGNATURE-----