CVE-2019-11477 (TCP SACK panic) and an Intel i40e driver issue
Posted 18 Jun, 2019 by Daniil Baturin
Recently discovered vulnerability in the Linux kernel's TCP selective acknowledgement processing code potentially allows a remote attacker to cause a kernel panic with a specially crafted packet sequence. You can read the details in the announcement
This is serious enough to require a quick fix, which we've done already.
The rolling release has it fixed and the fix will be in the tomorrow's nightly build. It's fixed in the Crux branch as well, so if you build a 1.2.x LTS image from it now, you'll have it fixed.
We are also sending a link to a hotfix LTS image to our subscribers.
If you cannot update right now, you can disable TCP SACK processing as a workaround:
sudo sysctl -w net.ipv4.tcp_sack=0
The rolling release got another kernel fix: for a broken Intel i40e module that failed to load. It's been broken from the latest update about a week ago, and the issue is still present in the latest version of the upstream package, so we had to downgrade it to a previous working version (2.7.29).
This issue never affected the Crux branch so if you are a subscriber or you build your own LTS images, you need not worry about it.