Workaround by Evolix security team for old kernels and vulnerabiliy CVE-2018-5391 (FragmentSmack)

2018-08-17 21:28:14 +02:00 · 2018-08-17 21:28:14 +02:00 · 51f41ff14a
parent dbb72ef2a0
commit 51f41ff14a
1 changed files with 32 additions and 0 deletions
--- a/evolinux-base/tasks/kernel.yml
+++ b/evolinux-base/tasks/kernel.yml
@ -50,4 +50,36 @@
    reload: yes
  when: evolinux_kernel_cve20165696

+- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack)
+  sysctl:
+    name: net.ipv4.ipfrag_low_thresh
+    value: 196608
+    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
+    state: present
+    reload: yes
+
+- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack)
+  sysctl:
+    name: net.ipv6.ip6frag_low_thresh
+    value: 196608
+    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
+    state: present
+    reload: yes
+
+- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack)
+  sysctl:
+    name: net.ipv4.ipfrag_high_thresh
+    value: 262144
+    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
+    state: present
+    reload: yes
+
+- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack)
+  sysctl:
+    name: net.ipv6.ip6frag_high_thresh
+    value: 262144
+    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
+    state: present
+    reload: yes
+
 - meta: flush_handlers