Vulnerabilities in the Linux and FreeBSD TCP stacks leading to remote denial of service

Netflix has disclosed several critical vulnerabilities in the Linux and FreeBSD TCP stacks that allow an attacker to remotely trigger a kernel crash or cause excessive resource consumption while the kernel processes specially crafted TCP packets (a "packet of death"). The problems are caused by errors in the handlers for the maximum data block size of a TCP packet (MSS, Maximum Segment Size) and for the selective acknowledgment mechanism (SACK, TCP Selective Acknowledgment).

  • CVE-2019-11477 (SACK Panic) - a problem present in Linux kernels since 2.6.29 that allows a kernel panic to be triggered by sending a sequence of SACK packets, because of an integer overflow in the handler. To exploit it, it is enough to set the MSS value of the TCP connection to 48 bytes (the lower limit sets the segment size to 8 bytes) and send a sequence of SACK packets arranged in a particular way.

    As protective measures, you can disable SACK processing (write 0 to /proc/sys/net/ipv4/tcp_sack) or block connections with a low MSS (this only works if the sysctl net.ipv4.tcp_mtu_probing is set to 0, and it may break some legitimate connections that use a low MSS);

  • CVE-2019-11478 (SACK Slowness) - leads to a breakdown of the SACK mechanism (when using a Linux kernel older than 4.15) or to excessive resource consumption. The problem occurs when processing specially crafted SACK packets, which can be used to fragment the retransmission queue (TCP retransmission). The protective workarounds are the same as for the previous vulnerability;
  • CVE-2019-5599 (SACK Slowness) - allows the map of sent packets to be fragmented while processing a special SACK sequence within a single TCP connection, forcing a resource-intensive traversal of a long list. The problem is present in FreeBSD 12 with the RACK packet loss detection mechanism. As a workaround, the RACK module can be disabled;
  • CVE-2019-11479 - an attacker can cause the Linux kernel to split its responses into several TCP segments, each containing only 8 bytes of data, which can lead to a significant increase in traffic, higher CPU load and saturation of the communication channel. Blocking connections with a low MSS is recommended as a protective measure.

    In the Linux kernel the problems were fixed in releases 4.4.182, 4.9.182, 4.14.127, 4.19.52 and 5.1.11. The FreeBSD fix is available as a patch. Among distributions, kernel package updates have already been released for Debian, RHEL and SUSE/openSUSE. Fixes are being prepared for Ubuntu, Fedora and Arch Linux.
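As an added example (not from the article, Netflix or any distribution), the hypothetical helper below compares an upstream kernel version string against the fixed stable releases listed above and reads the tcp_sack toggle named in the workaround, so an administrator can tell whether the interim mitigation is still needed. It assumes upstream "major.minor.patch[-suffix]" numbering: series newer than 5.1 are treated as fixed, and unlisted older series are reported as unknown, since distribution kernels may carry backports under their own numbering and need the vendor advisory instead.

```shell
#!/bin/sh
# Hypothetical helper: SACK Panic fix status for upstream stable kernels.

# Fixed stable releases from the article: "major.minor fixed_patch"
FIXED_RELEASES="4.4 182
4.9 182
4.14 127
4.19 52
5.1 11"

# sack_fix_status VERSION -> prints fixed | vulnerable | unknown
sack_fix_status() {
    v=${1%%-*}                        # drop "-generic", "-amd64" and similar suffixes
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0  # "5.1" has no patch field
    series="$major.$minor"
    fixed_patch=$(printf '%s\n' "$FIXED_RELEASES" | awk -v s="$series" '$1 == s { print $2 }')
    if [ -n "$fixed_patch" ]; then
        # Listed series: fixed from the named patch level onwards
        [ "$patch" -ge "$fixed_patch" ] && echo fixed || echo vulnerable
    elif [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -gt 1 ]; }; then
        echo fixed                    # assumption: every series after 5.1 carries the fix
    else
        echo unknown                  # unlisted older series: consult the vendor advisory
    fi
}

# sack_workaround_state [PATH] -> prints applied | not-applied | unknown
# Reads the tcp_sack toggle from the article; PATH defaults to the live sysctl file.
sack_workaround_state() {
    f=${1:-/proc/sys/net/ipv4/tcp_sack}
    [ -r "$f" ] || { echo unknown; return 0; }
    case $(cat "$f") in
        0) echo applied ;;            # SACK processing disabled
        1) echo not-applied ;;        # SACK processing still enabled
        *) echo unknown ;;
    esac
}

# Example use on the local machine (constructed invocation):
# echo "kernel: $(sack_fix_status "$(uname -r)"), workaround: $(sack_workaround_state)"
```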

    Source: opennet.ru
