CVSS2: 7.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.974 High
Percentile: 99.9%
This kernel update is based on the upstream 4.14.127 and fixes at least the following security issues:

Jonathan Looney discovered that it is possible to send a crafted sequence of SACKs which will fragment the RACK send map. An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection (CVE-2019-5599).

Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service (CVE-2019-11477).

Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service (CVE-2019-11478).

Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service (CVE-2019-11479).

WireGuard has been updated to 0.0.20190601.

For other upstream fixes in this update, see the referenced changelogs.
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Mageia | 6 | noarch | kernel | < 4.14.127-1 | kernel-4.14.127-1.mga6 |
Mageia | 6 | noarch | kernel-userspace-headers | < 4.14.127-1 | kernel-userspace-headers-4.14.127-1.mga6 |
Mageia | 6 | noarch | kmod-vboxadditions | < 6.0.8-4 | kmod-vboxadditions-6.0.8-4.mga6 |
Mageia | 6 | noarch | kmod-virtualbox | < 6.0.8-4 | kmod-virtualbox-6.0.8-4.mga6 |
Mageia | 6 | noarch | kmod-xtables-addons | < 2.13-88 | kmod-xtables-addons-2.13-88.mga6 |
Mageia | 6 | noarch | wireguard-tools | < 0.0.20190601-1 | wireguard-tools-0.0.20190601-1.mga6 |
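
To check a Mageia 6 host against the table above, the following added example (not part of the advisory) flags installed packages older than the fixed versions. It assumes packages without epochs and uses a simplified rpmvercmp-style comparison that ignores tilde and caret handling; the `SAMPLE` inventory is constructed.

```python
import re

# Fixed versions copied from the advisory's package table (Mageia 6).
FIXED = {
    "kernel": "4.14.127-1",
    "kernel-userspace-headers": "4.14.127-1",
    "kmod-vboxadditions": "6.0.8-4",
    "kmod-virtualbox": "6.0.8-4",
    "kmod-xtables-addons": "2.13-88",
    "wireguard-tools": "0.0.20190601-1",
}

def _segcmp(a, b):
    """Compare two version or release strings segment by segment (rpmvercmp-style)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment outranks alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments = newer

def evr_cmp(a, b):
    """Compare 'version-release' strings; release is compared only if versions tie."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _segcmp(va, vb) or _segcmp(ra, rb)

def affected(installed):
    """Return sorted names of installed packages older than the fixed version."""
    return sorted(n for n, v in installed.items()
                  if n in FIXED and evr_cmp(v, FIXED[n]) < 0)

# Constructed inventory, e.g. from `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`.
SAMPLE = {
    "kernel": "4.14.121-1.mga6",
    "kmod-virtualbox": "6.0.8-4.mga6",
    "kmod-xtables-addons": "2.13-87.mga6",
    "wireguard-tools": "0.0.20190601-1.mga6",
    "bash": "4.3-48.3.mga6",
}

if __name__ == "__main__":
    print(affected(SAMPLE))
```
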
bugs.mageia.org/show_bug.cgi?id=24972
cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.122
cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.123
cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.124
cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.125
cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.126
cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.127
github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md