[ale] Linux TCP Flaw

Lightner, Jeffrey JLightner at dsservices.com
Sat Aug 13 09:41:13 EDT 2016


No. This isn't POODLE; it is a discussion about the implementation of an RFC that started with kernel 3.6. My OP noted that it also affects kernels in RHEL6.5 and higher even though those are based on lower upstream kernel versions. Presumably Red Hat backported the RFC implementation into those. As I noted, this means any derivative such as CentOS, OEL and others would be affected.

There may be other non-RH-derived distros that have done similar backporting. You'd have to check for your distro, but regardless, if you have kernel 3.6 and above you are impacted.

The link I sent is in your reply so I don’t know what you mean when you say you’re missing the OP with a link.
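A quick host check, added here as an example and not part of the thread or of Red Hat's guidance: as the OP and this reply note, the kernel version alone does not tell you whether a box carries the RFC 5961 challenge-ACK code, because Red Hat backported it into the 2.6.32-based RHEL 6.5+ kernels. The script therefore keys on the presence of the net.ipv4.tcp_challenge_ack_limit sysctl (the knob that code introduced) rather than on the version, and reports whether the limit has been raised. The assumption that the "mitigation in the story" is raising that sysctl, and the threshold value 999999999, are mine; adjust MITIGATED_MIN to whatever your vendor advisory specifies.

```shell
#!/bin/sh
# Added example (not from the ale thread). Classifies a host by the state of the
# RFC 5961 challenge-ACK rate limit. Assumption: the published mitigation is
# raising net.ipv4.tcp_challenge_ack_limit to a very large value.
KNOB=${KNOB:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}
MITIGATED_MIN=${MITIGATED_MIN:-999999999}   # assumed threshold, not from the page

version_ge() {
    # Print "yes" if dotted kernel version $1 is >= $2, else "no".
    # The "-release" suffix (e.g. -327.el7.x86_64) is ignored; missing parts count as 0.
    left=${1%%-*}; right=${2%%-*}
    saved_ifs=$IFS; IFS=.
    set -- $left;  l1=${1:-0}; l2=${2:-0}; l3=${3:-0}
    set -- $right; r1=${1:-0}; r2=${2:-0}; r3=${3:-0}
    IFS=$saved_ifs
    for pair in "$l1:$r1" "$l2:$r2" "$l3:$r3"; do
        l=${pair%%:*}; r=${pair##*:}
        l=${l%%[!0-9]*}; r=${r%%[!0-9]*}   # drop trailing junk such as "rc1" or "+"
        if [ "${l:-0}" -gt "${r:-0}" ]; then echo yes; return 0; fi
        if [ "${l:-0}" -lt "${r:-0}" ]; then echo no;  return 0; fi
    done
    echo yes
}

challenge_ack_status() {
    # Args: kernel version string, path to the tcp_challenge_ack_limit knob.
    # Prints one of: absent | unknown | unmitigated | mitigated
    kver=$1; knob=$2
    if [ ! -r "$knob" ]; then
        # The knob exists only where the challenge-ACK code is compiled in. A pre-3.6
        # kernel without it (no backport) is not affected; a newer kernel without it
        # needs a manual look (e.g. /proc/sys not mounted).
        if [ "$(version_ge "$kver" 3.6)" = yes ]; then echo unknown; else echo absent; fi
        return 0
    fi
    limit=$(cat "$knob")
    limit=${limit%%[!0-9]*}
    if [ "${limit:-0}" -ge "$MITIGATED_MIN" ]; then echo mitigated; else echo unmitigated; fi
}

report_live_host() {
    # Check the running host; a backported RHEL 6.5+ kernel shows up as
    # "unmitigated"/"mitigated" here even though version_ge says it is below 3.6.
    kver=$(uname -r)
    printf 'kernel %s (>= 3.6: %s): challenge-ACK limit %s\n' \
        "$kver" "$(version_ge "$kver" 3.6)" "$(challenge_ack_status "$kver" "$KNOB")"
}

report_live_host
```

Run it as a normal user; reading the knob needs no privilege. Persisting the raised limit (for example in a file under /etc/sysctl.d) is a separate, privileged step that this check only verifies, never performs.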


From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Wolf Halton
Sent: Saturday, August 13, 2016 3:18 AM
To: jimkinney at gmail.com; Atlanta Linux Enthusiasts
Subject: Re: [ale] Linux TCP Flaw

Talking about the POODLE exploit? I seem to be missing the OP with a link.
PCI DSS 3.1 came out announcing SSL was compromised and could no longer pass compliance. Early TLS versions were similarly compromised. The openssh package was discovered to have a flaw, now patched. PCI DSS 3.2 gave orgs a little more time to fix (reconfigure) their existing hosts to deny SSL and early TLS.
You cannot believe the howling and gnashing of teeth from business unit owners who were terrified they would lose a penny because their customers might be using Internet Explorer six or eight. Apparently they don't know I don't care that their web servers are collecting information about the browser version, and they could check to see if there were any antique browsers contacting them.

Wolf Halton
Mobile/Text 678-687-6104

--
Sent from my iPhone. Creative word completion courtesy of Apple, Inc.

On Aug 12, 2016, at 11:05, Jim Kinney <jim.kinney at gmail.com> wrote:

My understanding is this can be used to force an ssh/ssl/tls connection to downgrade encryption to a version that's easily crackable. For high security systems, those formats should already be disabled. But for public facing sites that have to work with clients that may not yet support better methods, the mitigation method is essential. I see no reason to not implement the mitigation on hardened servers as a diaper. It should also be done on all client systems as those usually don't have hardened encryption initiated unless they are a rather new install with special follow-on procedures.

On Aug 12, 2016 9:56 AM, "Lightner, Jeffrey" <JLightner at dsservices.com> wrote:
https://thehackernews.com/2016/08/linux-tcp-packet-hacking.html

Other stories related to this last night.

My read last night was disturbing because it says it can be used to disrupt even ssh/sftp/https connections.

Although it says it is in the 3.6 kernel and later, it appears some earlier kernels for Red Hat (and therefore CentOS and other derivatives) are affected. Red Hat says all RHEL6.5 and above and RHEL 7. Earlier versions, they say, are not affected.

There is a mitigation in the story, which is the same one being suggested by Red Hat.

Jeffrey C. Lightner
Sr. UNIX/Linux Administrator

DS Services of America, Inc.
2300 Windy Ridge Pkwy
Suite 600 N
Atlanta, GA  30339-8461

P: 678-486-3516
C: 678-772-0018
F: 678-460-3603
E: jlightner at dsservices.com




_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo