From owner-freebsd-security@FreeBSD.ORG Wed Feb 4 23:12:42 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E585916A4CE for ; Wed, 4 Feb 2004 23:12:42 -0800 (PST) Received: from ftp.bjpu.edu.cn (ftp.bjpu.edu.cn [202.112.78.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id B48FD43D2F for ; Wed, 4 Feb 2004 23:12:40 -0800 (PST) (envelope-from delphij@frontfree.net) Received: from localhost (localhost [127.0.0.1]) by ftp.bjpu.edu.cn (Postfix) with ESMTP id 8386C52CA for ; Thu, 5 Feb 2004 15:12:37 +0800 (CST) Received: from ftp.bjpu.edu.cn ([127.0.0.1]) by localhost (ftp.bjpu.edu.cn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19138-09 for ; Thu, 5 Feb 2004 15:12:35 +0800 (CST) Received: from beastie.frontfree.net (beastie.frontfree.net [218.107.145.7]) by ftp.bjpu.edu.cn (Postfix) with ESMTP id 9F8DC52C9 for ; Thu, 5 Feb 2004 15:12:31 +0800 (CST) Received: by beastie.frontfree.net (Postfix, from userid 1001) id 21C53114F1; Thu, 5 Feb 2004 15:12:31 +0800 (CST) Date: Thu, 5 Feb 2004 15:12:30 +0800 From: Xin LI To: Syahrul Sazli Shaharir Message-ID: <20040205071230.GA34699@frontfree.net> References: <20040205103946.W1640@localhost> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="VS++wcV0S1rZb1Fb" Content-Disposition: inline In-Reply-To: <20040205103946.W1640@localhost> User-Agent: Mutt/1.4.1i X-GPG-key-ID/Fingerprint: 0xCAEEB8C0 / 43B8 B703 B8DD 0231 B333 DC28 39FB 93A0 CAEE B8C0 X-GPG-Public-Key: http://www.delphij.net/delphij.asc X-Operating-System: FreeBSD beastie.frontfree.net 5.2-RELEASE FreeBSD 5.2-RELEASE #16: Sat Jan 10 15:24:09 CST 2004 delphij@beastie.frontfree.net:/usr/obj/usr/src/sys/BEASTIE i386 X-URL: http://www.delphij.net X-By: delphij@beastie.frontfree.net X-Location: Beijing, China X-Virus-Scanned: by amavisd-new at frontfree.net cc: freebsd-security@freebsd.org Subject: Re: Status Check: CVE CAN-2004-0002 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Feb 2004 07:12:43 -0000 --VS++wcV0S1rZb1Fb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Feb 05, 2004 at 10:58:30AM +0800, Syahrul Sazli Shaharir wrote: > Just want to ask about the status of this:- > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0002 Some discuss took place about this issue. Unfortuanatelly, the commit seemed to generating some problem, and that delaied the MFC to -STABLE. This will be hopefully better resolved, and you may want to manually apply the -STABLE patch available here: http://www.nrg4u.com/freebsd/tcpminmss-4stable-20040107.diff In my test, the patch will mitigate MSS exhaustion attacks, but it also disrupt some normal operations, for example, if you ssh to a remote box and do mergemaster and the computer responds fast enough, the connection will be dropped, if you did not set the sysctl's properly. I am looking for some other mechanisms on mitigating this issue. You may want to consult andre@ for detailed information. -- Xin LI http://www.delphij.net/ See complete headers for GPG key and other information. --VS++wcV0S1rZb1Fb Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAIezeOfuToMruuMARAjU4AJ9D4lBNV7Obcpi2njOjYSquBFA1sgCdHynd e8qfJ5fSwHZe7/8Q8732/3M= =ubBa -----END PGP SIGNATURE----- --VS++wcV0S1rZb1Fb--