Bug 1428684 - RFE: Backport of ICMP ratelimit fixes.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: kernel
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Sabrina Dubroca
QA Contact: Jianlin Shi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-03-03 06:51 UTC by Wade Mealing
Modified: 2017-08-02 05:47 UTC

Fixed In Version: kernel-3.10.0-647.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-02 05:47:36 UTC
Target Upstream Version:



Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1461282 medium CLOSED kernel: ICMP rate limiting is too aggressive on loopback 2020-10-14 00:28:05 UTC
Red Hat Product Errata RHSA-2017:1842 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2017-08-01 18:22:09 UTC

Internal Links: 1461282

Description Wade Mealing 2017-03-03 06:51:49 UTC
Description of problem:

As per discussion with Jesper Dangaard Brouer, he suggests that we need to backport specific fixes to reduce the icmp_send() ratelimit, which in turn has an effect on CVE-2017-5972 ( https://bugzilla.redhat.com/show_bug.cgi?id=1422081 ).

Version-Release number of selected component (if applicable):

Current RHEL 7.

Required backports:

 https://git.kernel.org/davem/net-next/c/9f2f27a9a518c
 https://git.kernel.org/davem/net-next/c/7ba91ecb16824
 https://git.kernel.org/davem/net-next/c/c0303efeab739
 https://git.kernel.org/davem/net-next/c/8d9ba388f35b3

I have not tested these; this is not considered a security flaw but a recommended hardening fix.

Thanks,

Wade Mealing
Red Hat Product Security.

Comment 4 Rafael Aquini 2017-04-10 16:50:41 UTC
Patch(es) committed on kernel repository and an interim kernel build is undergoing testing

Comment 6 Rafael Aquini 2017-04-11 15:07:41 UTC
Patch(es) available on kernel-3.10.0-647.el7

Comment 8 Jianlin Shi 2017-05-11 06:31:45 UTC
related test passed:

https://beaker.engineering.redhat.com/jobs/1851885

Comment 9 Florian Weimer 2017-06-14 06:32:47 UTC
This change introduces a regression, see bug 1461282.

Comment 11 errata-xmlrpc 2017-08-02 05:47:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1842

