Security bulletins
Below are security bulletins compiled by Yandex.Cloud engineers.
28.08.2019 — TCP SACK
Description
There are three TCP vulnerabilities in Linux kernel disclosed by Netflix:
Original Netflix report: NFLX-2019-001.
Comprehensive vulnerabilities analysis by Red Hat: TCP SACK PANIC.
Yandex.Cloud services impact
- Yandex.Cloud infrastructure was patched immediately.
- Public VM images available to Yandex Cloud Compute users were updated as soon as the corresponding fixes became available. New virtual machines created in Yandex Compute Cloud are not affected by the listed vulnerabilities.
19.08.2019 — Several Yandex.Cloud domains were added to the Public Suffix List
Description
The following Yandex.Cloud domains were added to the Public Suffix List:
- yandexcloud.net
- storage.yandexcloud.net
- website.yandexcloud.net
Domains in the Public Suffix List gain properties of top-level domains such as .ru or .com:
- browsers don't set cookies on the listed domains,
- browsers don't allow changing the
Originheader of the page to the root domains.
More information can be found in our blog post (in Russian).
Yandex.Cloud services impact
This will improve security and isolation for Yandex.Cloud customers.