On Thu, Feb 05, 2004 at 10:58:30AM +0800, Syahrul Sazli Shaharir wrote:
> Just want to ask about the status of this:-
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0002
Some discussion took place about this issue. Unfortunately, the commit
seemed to be generating some problems, and that delayed the MFC to -STABLE.
This will hopefully be better resolved, and you may want to manually
apply the -STABLE patch available here:
http://www.nrg4u.com/freebsd/tcpminmss-4stable-20040107.diff
In my test, the patch will mitigate MSS exhaustion attacks, but
it also disrupts some normal operations; for example, if you ssh
to a remote box and do mergemaster and the computer responds fast
enough, the connection will be dropped if you did not set the
sysctls properly.
I am looking for some other mechanisms for mitigating this issue.
You may want to consult andre@ for detailed information.
--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.