---
- branch: netbsd-8
  date: Fri Mar 30 11:17:19 UTC 2018
  files:
  - new: 1.357.4.3
    old: 1.357.4.2
    path: src/sys/netinet/tcp_input.c
    pathrev: src/sys/netinet/tcp_input.c@1.357.4.3
    type: modified
  id: 20180330T111719Z.b6715d450712ef6d55ef0195d3de0fb467aa6a0d
  log: "Pull up following revision(s) (requested by maxv in ticket #662):\n\n\tsys/netinet/tcp_input.c: revision 1.383 (via patch)\n\nRevert rev1.183 (2003).\n\nIt was intended as an optimization, but it increases the attack surface:\n\nthe IPsec policy is not enforced on RST packets when the socket is in the\nLISTEN state, and an (unauthenticated) attacker could jam the connection\nbetween two IPsec hosts by sending RST packets between the client's SYN\nand ACK packets.\n\nDiscussed with ozaki-r@.\n"
  module: src
  subject: 'CVS commit: [netbsd-8] src/sys/netinet'
  unixtime: '1522408639'
  user: martin