128 lines
4.5 KiB
Text
128 lines
4.5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-EN-19:02.tcp Errata Notice
|
|
The FreeBSD Project
|
|
|
|
Topic: TCP connections may stall and eventually fail in case of
|
|
packet loss
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2019-01-09
|
|
Credits: Michael Tuexen
|
|
Affects: FreeBSD 12.0
|
|
Corrected: 2018-12-23 09:48:36 UTC (stable/12, 12.0-STABLE)
|
|
2019-01-09 18:42:40 UTC (releng/12.0, 12.0-RELEASE-p2)
|
|
|
|
For general information regarding FreeBSD Errata Notices and Security
|
|
Advisories, including descriptions of the fields above, security
|
|
branches, and the following sections, please visit
|
|
<URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The TCP stack limits the resources used for TCP connections. Once a limit
|
|
is reached, further received TCP segments for the TCP connection are dropped.
|
|
|
|
II. Problem Description
|
|
|
|
To continue delivering data to the application, accepting the TCP segment
|
|
with the next expected sequence number is required. If this TCP segment is
|
|
dropped due to a resource limit, no further progress can be made. Therefore
|
|
exceptions for this particular TCP segment have to be implemented.
|
|
|
|
III. Impact
|
|
|
|
In case of lost TCP segments, TCP connections may stall and then eventually
|
|
fail.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your system to a supported FreeBSD stable or release / security
|
|
branch (releng) dated after the correction date.
|
|
|
|
Afterward, reboot the system.
|
|
|
|
2) To update your system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterward, reboot the system.
|
|
|
|
3) To update your system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 12.0]
|
|
# fetch https://security.FreeBSD.org/patches/EN-19:02/tcp.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-19:02/tcp.patch.asc
|
|
# gpg --verify tcp.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r342378
|
|
releng/12.0/ r342894
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:02.tcp.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlx/+rVfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cJNEw/+NLQLvkh/q4kOhom0RG8LDNmOvNd6Uuvigf78+3u34rh7ggTnVqUcP9dK
|
|
daWyGfel5v/7n1EfT4tCyvnQlj2idbo2ptu3gvWTqDiTj9xBSHpXDS9YaZRHDTB8
|
|
u3Odkyt8IigP44zJcviFdvRV5dM9zbYXEEy5toVQ0NED6ryhgnYMpsl3LMr857T5
|
|
6ZAoQHEeD0VVWXnpmjbFXaRcRL7YkrgE+Y9e5I95+CrxIRu1IJ+13oMhzhstR9Ci
|
|
S5Ik5VtNFH2VPEDkfiXIAjn05lK03IT+hUcFbgPZQF2e04reZMXz0x5kkOVz5TxS
|
|
0K7GcCmZGXmVgRchkTnLz9fMvEmtTZDwWCsiZ29fdit3mkayUiib0fVeQKEAz1Uu
|
|
LBDPfrG4HrhgEczT/D+NiySoNp+LIsKMM0LUEjk5a1Wg8YGXkjTccQD6VYHDJeq5
|
|
TRx/sI/Y2sutDkZEDfQ58+cpstTT8XfJpvxJ8l/lBTBaP9gQWY6ITqLDvVRDdMtO
|
|
/oJcxR/eNk940zpikA+An5ONg2aq1JHwyY2D23Zly5L13CM10fwZZ5To2cL5ukax
|
|
WlzRA9P+tFTI/+mwq5cNINznWPAyFPSaRhEJ/kpL44GHP46z2Ov11CnbgmgYddUT
|
|
0JQllzneCXDuWJT+XI03yEyUMdSQNWQA07YikdUYUj0H18aIBcQ=
|
|
=bV20
|
|
-----END PGP SIGNATURE-----
|