[Dnsmasq-discuss] CVE-2015-7547 tcp path mitigation hack

Louis Munro lmunro at inverse.ca
Thu Feb 18 18:24:45 GMT 2016


> On Feb 18, 2016, at 12:23 , Simon Kelley <simon at thekelleys.org.uk> wrote:
> 
> That would do it. Or just block port-53/TCP
> 
> Cheers,
> 
> Simon.


This is what I have come up with for now: 

iptables -I INPUT -p tcp -m tcp --sport 53 -m length --length 1024:4096 -j DROP
iptables -I INPUT -p udp -m udp --sport 53 -m length --length 1024:4096 -j DROP

4096 is really just some large number here.
I could go higher if jumbo frames might be involved.


Of course, this is a band-aid solution.
There is no substitute for updating glibc in the end.

But I digress, this is getting off track and is not really relevant to this list.

Thanks everyone,
--
Louis Munro
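As an added illustration (not code from this thread), the following Python emulates what the two iptables rules above test, on constructed sample packets: the "length" match compares the IPv4 total-length field, so the 20-byte IP header plus the 8-byte UDP or 20-byte TCP header count toward the 1024:4096 window, and a packet above the ceiling passes untouched (the jumbo-frame point). The addresses, ports and response sizes are made up for the demonstration.

```python
import struct

# Constructed sample packets, not from the original post.  iptables' "length"
# match tests the IPv4 total-length field, i.e. IP header + transport header +
# DNS message, so the thresholds are measured on the whole packet.

def dns_response(size):
    """DNS response payload of `size` bytes: a header claiming one answer, padded."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    return header + b"\x00" * (size - len(header))

def ipv4_header(total_len, proto):
    """Minimal 20-byte IPv4 header (TEST-NET addresses, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def udp_packet(sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(20 + len(udp), 17) + udp

def tcp_packet(sport, dport, payload):
    # 20-byte TCP header: data offset 5, PSH|ACK, no options.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    return ipv4_header(20 + len(tcp), 6) + tcp

def rule_matches(packet, lo=1024, hi=4096):
    """Emulate: -p tcp|udp --sport 53 -m length --length lo:hi -j DROP."""
    ihl = (packet[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", packet, 2)
    proto = packet[9]
    if proto not in (6, 17):          # only the TCP and UDP rules exist
        return False
    (sport,) = struct.unpack_from("!H", packet, ihl)
    return sport == 53 and lo <= total_len <= hi

def demo():
    cases = [
        ("udp 100-byte answer",  udp_packet(53, 40000, dns_response(100))),
        ("udp 1000-byte answer", udp_packet(53, 40000, dns_response(1000))),
        ("udp 2500-byte answer", udp_packet(53, 40000, dns_response(2500))),
        ("tcp 3000-byte answer", tcp_packet(53, 40000, dns_response(3000))),
        ("tcp 5000-byte answer", tcp_packet(53, 40000, dns_response(5000))),
    ]
    return [(name, rule_matches(pkt)) for name, pkt in cases]

if __name__ == "__main__":
    for name, dropped in demo():
        print(f"{name:22s} -> {'DROP' if dropped else 'pass'}")
```

The match is evaluated per IP packet, so over TCP it sees each segment on its own rather than the reassembled DNS message; that is why a blanket block of 53/TCP, as suggested in the quoted reply, is the more conservative option.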

