grarpamp
2019-Jun-18 21:34 UTC
CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
NFLX-2019-001

Date Entry Created: 20190107
Preallocated to nothing?
Or withheld under irresponsible disclosure thus keeping
users vulnerable to leaks, parallel discovery, and exploit
for at least five months more than necessary, and
unaware thus unable to consider potential local mitigations?

Older references...
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=freebsd
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=freebsd&search_type=all
Gordon Tetlow
2019-Jun-18 23:55 UTC
CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
> NFLX-2019-001
>
> Date Entry Created: 20190107
> Preallocated to nothing?
> Or withheld under irresponsible disclosure thus keeping
> users vulnerable to leaks, parallel discovery, and exploit
> for at least five months more than necessary, and
> unaware thus unable to consider potential local mitigations?

Other than the inappropriate tone, there is a reasonable question here.

MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide when to assign and disclose them. The 2019-01-07 date is when MITRE allocated a block of CVEs to FreeBSD, not when they are assigned to an issue. We generally get a block in the beginning of each year.

If you would like to have an actual discussion around disclosure policies, I'm happy to have one, but by your tone above, I don't think there is any reason to do so. It seems unlikely you are open to debate in a fashion that would be productive.

Thanks,
Gordon
Hat: Security Officer