+ |
- CVE-2019-11477 and CVE-2019-11478 |
+ |
|
+ |
$ sudo sysctl -w net.ipv4.tcp_sack=0 |
+ |
|
+ |
The mitigation described below for CVE-2019-11479 is also sufficient for CVE-2019-11477 and CVE-2019-11478 if disabling TCP SACK support is not viable. |
+ |
|
+ |
- CVE-2019-11479 |
+ |
|
+ |
$ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP |
+ |
|
+ |
The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when using the iptables rules shown above. |
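Review bot: The tcp_mtu_probing requirement on the last added line is given only as prose, while the two mitigations above it show the exact command. Suggest adding the matching invocation, `$ sudo sysctl -w net.ipv4.tcp_mtu_probing=0`, directly under the iptables rule so the two are applied together. Two further documentation gaps in the added lines: `sysctl -w` and `iptables -A` change only the running system, so the text should say that both settings must be persisted to survive a reboot, and the `iptables` rule filters IPv4 only, so it is worth stating whether an equivalent `ip6tables` rule is needed for hosts that accept TCP over IPv6.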