Mitigate CVE-2018-5391 by sysctl #1948
Merged
lguohan merged 1 commit into sonic-net:201803 from Aug 19, 2018
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
jleveque approved these changes Aug 18, 2018
| EOF | ||
|
|
||
| ## Config sysctl | ||
| ## TODO: ipfrag* are for mitigating CVE-2018-5391, remove after kernel upgraded |
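Review bot: the `## TODO: ipfrag*` comment says to remove the settings "after kernel upgraded" but names neither the kernel version that carries the fix nor a tracking issue, so nothing tells a later maintainer when removal is safe. Suggest stating the fixed kernel version or linking an issue in the TODO, and noting which sysctl keys the `ipfrag*` wildcard covers so all of them are reverted together.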
Contributor
Suggest moving TODO line directly above the lines it refers to. #WontFix
Collaborator
Author
There is a technical difficulty in moving it because the block after "sudo augtool --autosave" is one huge command. Let me know if you have a better idea.
Collaborator
Author
This PR is against 201803 branch, which has Debian Jessie kernel.
Mitigation suggested by https://security-tracker.debian.org/tracker/CVE-2018-5391 for Debian Jessie
Tested in DUT:
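Added example (not part of this PR, its diff, or its DUT test output): a shell check that audits sysctl-format text for the fragment-reassembly thresholds the `ipfrag*` TODO refers to. The limit values (262144 high, 196608 low) are an assumption taken from commonly published CVE-2018-5391 mitigation guidance, not from this page; `check_ipfrag` and the sample input are hypothetical names and constructed data.

```shell
#!/bin/sh
# Added example: audit ipfrag* sysctl values used to mitigate CVE-2018-5391.
# Assumption: these limits are the commonly published mitigation values
# (256 KiB high / 192 KiB low); they are not taken from this PR's diff.
IPFRAG_LIMITS='net.ipv4.ipfrag_high_thresh=262144
net.ipv4.ipfrag_low_thresh=196608
net.ipv6.ip6frag_high_thresh=262144
net.ipv6.ip6frag_low_thresh=196608'

# check_ipfrag: reads "key = value" lines (sysctl.conf or `sysctl -a` output)
# on stdin, prints one finding per expected key, and returns 1 if any key is
# missing, non-numeric, or above its limit.
check_ipfrag() {
    input=$(cat)
    rc=0
    for pair in $IPFRAG_LIMITS; do
        key=${pair%%=*}
        max=${pair#*=}
        # The last assignment wins, as in sysctl.conf; comment lines are skipped.
        val=$(printf '%s\n' "$input" | awk -F= -v k="$key" '
            /^[ \t]*[#;]/ { next }
            { name = $1; gsub(/[ \t]/, "", name) }
            name == k { v = $2; gsub(/[ \t]/, "", v); found = v }
            END { print found }')
        case $val in
            '')       echo "MISSING $key (want <= $max)"; rc=1 ;;
            *[!0-9]*) echo "INVALID $key=$val"; rc=1 ;;
            *)  if [ "$val" -le "$max" ]; then
                    echo "OK $key=$val"
                else
                    echo "HIGH $key=$val (want <= $max)"; rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample: IPv4 thresholds left large, IPv6 thresholds lowered.
SAMPLE='net.ipv4.ipfrag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728
net.ipv6.ip6frag_high_thresh = 262144
net.ipv6.ip6frag_low_thresh = 196608'
printf '%s\n' "$SAMPLE" | check_ipfrag || echo "mitigation incomplete"
```

On a live system the same function can be fed with `sysctl -a 2>/dev/null | check_ipfrag`, which shows whether the values written to `/etc/sysctl.conf` were actually loaded.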