Bug 843129

Summary: RFE kernel: net: mitigate blind reset attacks using RST and SYN bits
Product: Red Hat Enterprise Linux 5
Reporter: Petr Matousek <pmatouse>
Component: kernel
Assignee: Red Hat Kernel Manager <kernel-mgr>
Status: CLOSED WONTFIX
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: high
Priority: high
Version: 5.9
CC: jpirko
Target Milestone: rc
Keywords: FutureFeature, Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Clone Of: 843126
Last Closed: 2012-10-30 14:14:56 UTC
Type: Bug
Bug Depends On: 843126, 843130

Description Petr Matousek 2012-07-25 16:22:32 UTC
+++ This bug was initially created as a clone of Bug #843126 +++

Description of problem:

RHEL is prone to blind reset attacks.
Blind reset attacks together with mitigations are described in RFC 5691.
Please backport the Linux kernel upstream fixes below.

Upstream fixes
--------------

Implement the RFC 5691 mitigation against Blind
Reset attack using RST bit.

Upstream Linux kernel commit:
282f23c6ee343126156dd41218b22ece96d747e3 RFC 5961 3.2 Mitigation

Implement the RFC 5691 mitigation against Blind
Reset attack using SYN bit.

Upstream Linux kernel commit:
0c24604b68fc7810d429d6c3657b6f148270e528 RFC 5961 4.2 Mitigation

Followup of commit 0c24604b68fc (tcp: implement RFC 5961 4.2)

Upstream Linux kernel commit:
e371589917011efe6ff8c7dfb4e9e81934ac5855 0c24604b68fc follow up

Comment 2 Libor Miksik 2012-10-25 12:30:52 UTC
Thank you for submitting this issue for consideration. Red Hat Enterprise Linux 5 has reached the end of Production 1 Phase of its Life Cycle. Red Hat does not plan to incorporate the suggested capability in a future Red Hat Enterprise Linux 5 minor release. If you would like Red Hat to re-consider this feature request and the requested functionality is not currently in Red Hat Enterprise Linux 6, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.