
TCP Flaw CVE-2016-5696 Workaround Update

Discussion in 'Centmin Mod News' started by eva2000, Aug 12, 2016.

Thread Status:
Not open for further replies.
  1. eva2000 (Administrator, Staff Member)

    TCP Flaw CVE-2016-5696 Workaround

    Update: August 21st, 2016 - Red Hat has released a RHEL7 kernel update (kernel-3.10.0-327.28.3.el7.x86_64) for the TCP fix, but RHEL6 does not yet have a kernel update. Once the kernel is updated, you will require a server reboot. Full details here.

    Updated both Centmin Mod 123.08stable and 123.09beta01 builds with workaround fixes for TCP Flaw CVE-2016-5696 as outlined here. Details for CVE-2016-5696 are outlined here. After updating your Centmin Mod installs via the instructions below, run centmin.sh once and the workaround will be applied automatically. You can verify that the workaround fix is in place via the command
    Code (Text):
    sysctl -a | grep ack_limit

    which should return the output
    Code (Text):
    sysctl -a | grep ack_limit
    net.ipv4.tcp_challenge_ack_limit = 999999999

    Note: OpenVZ VPS systems are unable to adjust TCP values at the server level, so you need your web host to do it for you.

    If for whatever reason the auto fix doesn't apply, you can do it manually via these 2 commands.

    For CentOS 6 (FYI, some web hosts such as Linode use custom 4.6+ kernels), and CentOS 6 is affected despite using 2.6.x kernels:
    Code (Text):
    # /etc/sysctl.conf is the file "sysctl -p" loads when given no file argument
    echo "net.ipv4.tcp_challenge_ack_limit = 999999999" >> /etc/sysctl.conf; sysctl -p;
    sysctl -a | grep ack_limit



    For CentOS 7:
    Code (Text):
    # "sysctl -p" with no argument only reads /etc/sysctl.conf, so the drop-in
    # file under /etc/sysctl.d/ has to be passed explicitly to get loaded
    echo "net.ipv4.tcp_challenge_ack_limit = 999999999" >> /etc/sysctl.d/101-sysctl.conf; sysctl -p /etc/sysctl.d/101-sysctl.conf;
    sysctl -a | grep ack_limit


    To update your Centmin Mod builds, follow the instructions at centminmod.com/upgrade.html and the respective version threads below:
     
    Last edited: Aug 21, 2016
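The manual procedure in the post above has two practical rough edges: `echo ... >> file` appends a fresh duplicate line every time it is run, and on CentOS 7 `sysctl -p` with no file argument reads only /etc/sysctl.conf, so a line added to /etc/sysctl.d/101-sysctl.conf is never loaded. The script below is an added example, not Centmin Mod's own code, that performs the same workaround idempotently, picks the right file from /etc/redhat-release, loads that file explicitly, verifies the live kernel value, and refuses to run inside an OpenVZ container (detected with the /proc/user_beancounters-without-/proc/bc heuristic, which is an assumption about the standard OpenVZ layout). File and release paths are parameters so the functions can be exercised against scratch files without touching a live system; the constructed test inputs are not from the original page.

```shell
#!/bin/sh
# Added example, not part of Centmin Mod. Idempotent CVE-2016-5696 sysctl workaround.

KEY="net.ipv4.tcp_challenge_ack_limit"
VALUE="999999999"   # value used by the Centmin Mod workaround

# Heuristic (assumption): inside an OpenVZ container /proc/user_beancounters exists
# but the host-only /proc/bc directory does not. Containers cannot change sysctls.
is_openvz_container() {
    [ -f /proc/user_beancounters ] && [ ! -d /proc/bc ]
}

# Choose the file to edit: Centmin Mod's drop-in on CentOS 7, /etc/sysctl.conf on CentOS 6.
# Argument 1 optionally overrides the release file so the choice can be tested.
pick_sysctl_file() {
    rel="${1:-/etc/redhat-release}"
    if [ -f "$rel" ] && grep -q 'release 7' "$rel"; then
        echo /etc/sysctl.d/101-sysctl.conf
    else
        echo /etc/sysctl.conf
    fi
}

# set_ack_limit FILE [VALUE]: remove any existing line for $KEY, then append exactly one.
# Other settings in FILE are preserved untouched.
set_ack_limit() {
    file="$1"; value="${2:-$VALUE}"; tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        grep -v "^[[:space:]]*$KEY[[:space:]]*=" "$file" > "$tmp" || :
    else
        : > "$tmp"
    fi
    printf '%s = %s\n' "$KEY" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# count_ack_limit_lines FILE: number of lines that set $KEY (expected: exactly 1).
count_ack_limit_lines() {
    grep -c "^[[:space:]]*$KEY[[:space:]]*=" "$1" 2>/dev/null || :
}

# configured_ack_limit FILE: value on the last matching line (the one sysctl -p would apply).
configured_ack_limit() {
    grep "^[[:space:]]*$KEY[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 | sed 's/.*=[[:space:]]*//'
}

# running_ack_limit: value the kernel is using now, or "unknown" when the knob is absent
# (non-Linux host, or a kernel that no longer exposes the sysctl).
running_ack_limit() {
    if [ -r /proc/sys/net/ipv4/tcp_challenge_ack_limit ]; then
        cat /proc/sys/net/ipv4/tcp_challenge_ack_limit
    else
        echo unknown
    fi
}

# apply_workaround: the full procedure. Refuses on OpenVZ, edits the right file,
# loads that specific file, then checks the live value rather than trusting the edit.
apply_workaround() {
    if is_openvz_container; then
        echo "OpenVZ container: sysctls are controlled by the host, ask your provider" >&2
        return 2
    fi
    file=$(pick_sysctl_file)
    set_ack_limit "$file"
    sysctl -p "$file" >/dev/null
    live=$(running_ack_limit)
    if [ "$live" = "$VALUE" ]; then
        echo "workaround applied: $KEY = $live (via $file)"
    else
        echo "live value is $live, expected $VALUE; check $file" >&2
        return 1
    fi
}

# Only modify the system when invoked as root with --apply; sourcing the file is side-effect free.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    apply_workaround
fi
```

Run it as `sh apply-ack-limit.sh --apply` as root; the exit status is 0 only when the kernel reports the expected value, 2 on OpenVZ, and 1 when the file was written but the live value did not change (for example, if the file loaded was not the one the system reads). Rerunning it leaves exactly one `net.ipv4.tcp_challenge_ack_limit` line in the file.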
  2. eva2000 (Administrator, Staff Member)
    Just to clarify: on Red Hat/CentOS, both version 6 and 7 are affected with 2.6.x kernels. CVE-2016-5696 - Red Hat Customer Portal

     
  4. eva2000 (Administrator, Staff Member)
    Update: August 21st, 2016 - Red Hat has released a RHEL7 kernel update (kernel-3.10.0-327.28.3.el7.x86_64) for the TCP fix, but RHEL6 does not yet have a kernel update. Once the kernel is updated, you will require a server reboot. Full details here.
     