[LEDE-DEV] [PATCH 1/3] Remove ttl==255 restriction for queries
Bjørn Mork
bjorn at mork.no
Fri Sep 29 05:32:40 PDT 2017
Matthias May <matthias.may at neratec.com> writes:
> While unfortunate that the actual patch which got merged didn't have the explanation why the patch was done, if you look
> at the mailing list archive you will see that there was a thread discussing this topic:
> http://lists.infradead.org/pipermail/lede-dev/2017-September/009004.html
This fails to discuss the reason that TTL restriction was there in the
first place, as well as any security implications of the change.
Please see
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6520
https://www.kb.cert.org/vuls/id/550620
and more. This is a well known can of worms.
As said before: You should disuss such issues with your proposed
patches. Not doing so gives the impression that you either
a) don't understand the implications, or
b) don't care about security
I hope neither is true. Please reassure me by fixing this up.
Bjørn
More information about the Lede-dev
mailing list