Bug 1146866 - stricter security settings on some network sysctls
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Basesystem
Assigned To: Ruediger Oertel
Reported: 2019-08-22 12:55 UTC by Marcus Meissner
Modified: 2019-09-26 01:21 UTC (History)
Description Marcus Meissner 2019-08-22 12:55:07 UTC
from internal https://jira.suse.com/browse/SLE-9132

On SLES we currently have
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

set. This allows attackers on the network to manipulate traffic of the victim system (for one example please see http://www.enclaveforensics.com/Blog/files/dbe04629c14a2d07495a38bbf2fc98d9-5.html)

We should make these defaults better.
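
An audit for the five sysctls listed in the description, as an added example that is not part of the original report or of the aaa_base package. It assumes 0 is the hardened value for each key; the function name `audit_sysctls` and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example: audit the sysctls named in this report.
# Assumption: 0 ("do not accept") is the hardened value for every key.
KEYS="net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.default.accept_source_route
net.ipv6.conf.all.accept_redirects
net.ipv6.conf.default.accept_redirects"

# audit_sysctls [ROOT]
# ROOT defaults to /proc/sys; passing another directory allows offline tests.
# For each key that is present and not 0, prints a "key = 0" line suitable
# for a sysctl.d drop-in. Keys that do not exist (for example when IPv6 is
# disabled) are skipped. Returns 1 if any key needs changing, otherwise 0.
audit_sysctls() {
    root=${1:-/proc/sys}
    rc=0
    for key in $KEYS; do
        # net.ipv4.conf.all.x -> ROOT/net/ipv4/conf/all/x
        path="$root/$(printf '%s' "$key" | tr . /)"
        [ -r "$path" ] || continue
        value=$(cat "$path")
        if [ "$value" != "0" ]; then
            printf '%s = 0\n' "$key"
            rc=1
        fi
    done
    return $rc
}

# Hypothetical switch: "sh audit.sh --run" audits the live system.
if [ "${1:-}" = "--run" ]; then
    audit_sysctls
fi
```

The printed lines can be saved as a file under `/etc/sysctl.d/` (for instance a hypothetical `90-no-redirects.conf`) and loaded with `sysctl --system`. The `default` keys only seed interfaces created afterwards, so interfaces that already exist keep their own per-interface values until those are set as well.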
Comment 1 Ruediger Oertel 2019-08-22 13:51:31 UTC
for factory/TW: created request id 725323
Comment 2 Ruediger Oertel 2019-08-22 13:58:16 UTC
for code15: created request id 199488
Comment 3 Swamp Workflow Management 2019-08-22 14:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1146866) was mentioned in
https://build.opensuse.org/request/show/725329 Factory / aaa_base
Comment 5 Swamp Workflow Management 2019-09-20 22:12:41 UTC
SUSE-RU-2019:2423-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1146866
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    aaa_base-84.87+git20180409.04c9dae-3.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    aaa_base-84.87+git20180409.04c9dae-3.15.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    aaa_base-84.87+git20180409.04c9dae-3.15.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    aaa_base-84.87+git20180409.04c9dae-3.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    aaa_base-84.87+git20180409.04c9dae-3.15.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    aaa_base-84.87+git20180409.04c9dae-3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-09-26 01:20:16 UTC
openSUSE-RU-2019:2196-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1146866
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    aaa_base-84.87+git20180409.04c9dae-lp151.5.9.1
Comment 7 Swamp Workflow Management 2019-09-26 01:21:22 UTC
openSUSE-RU-2019:2194-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1146866
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    aaa_base-84.87+git20180409.04c9dae-lp150.17.1