| + |
- CVE-2019-11477 and CVE-2019-11478 |
| + |
|
| + |
$ sudo sysctl -w net.ipv4.tcp_sack=0 |
| + |
|
| + |
The mitigation described below for CVE-2019-11479 is also sufficient |
| + |
for CVE-2019-11477 and CVE-2019-11478 if disabling TCP SACK support is |
| + |
not viable. |
| + |
|
| + |
- CVE-2019-11479 |
| + |
|
| + |
$ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP |
| + |
|
| + |
The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when |
| + |
using the iptables rules shown above. |
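Review bot: The CVE-2019-11479 command uses `iptables -A INPUT`, which appends the DROP rule to the end of the chain, so on a host that already has an earlier ACCEPT rule for TCP traffic the low-MSS packets will match that rule first and this one will never be evaluated. Consider `-I INPUT` so the rule is placed ahead of existing accepts, or add a sentence telling the reader to check rule order with `sudo iptables -L INPUT -n --line-numbers`. The rule as written also covers IPv4 only, so it would help to say whether an `ip6tables` equivalent is needed on hosts that accept TCP over IPv6. Both `sysctl -w` and the iptables command change running state only and are lost on reboot, and the text does not say how to make them persistent. Finally, the last paragraph requires net.ipv4.tcp_mtu_probing to be 0 but, unlike the tcp_sack line, gives no command for checking or setting it; adding `sudo sysctl -w net.ipv4.tcp_mtu_probing=0` would make the section consistent.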