Gordon Tetlow
2019-Jul-03 17:18 UTC
CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Sorry for the late response, only so many hours in the day. On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:> It appears that Netflix's advisory (as of this writing) does not > include a timeline of events. Would FreeBSD be able to provide its > event timeline with regards to CVE-2019-5599?I don't generally document a timeline of events from our side. This particular disclosure was a bit unusual as it wasn't external but instead was an internal FreeBSD developer the security team often works with. As such, our process was a bit out of sync with normal (as much as we have a normal with our current processes). All of that said, we got notice in early June, about 10 days before public disclosure.> Were any FreeBSD derivatives given advanced notice? If so, which ones?They were not. I would like to get to a point where we feel we could give some sort of heads up for downstream, but we aren't there yet. Best, Gordon -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 618 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20190703/dd4343f6/attachment.sig>
Shawn Webb
2019-Jul-05 13:40 UTC
CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote:> Sorry for the late response, only so many hours in the day.Completely understood. Thanks for taking the time to respond!> > On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote: > > It appears that Netflix's advisory (as of this writing) does not > > include a timeline of events. Would FreeBSD be able to provide its > > event timeline with regards to CVE-2019-5599? > > I don't generally document a timeline of events from our side. This > particular disclosure was a bit unusual as it wasn't external but > instead was an internal FreeBSD developer the security team often works > with. As such, our process was a bit out of sync with normal (as much as > we have a normal with our current processes). All of that said, we got > notice in early June, about 10 days before public disclosure.Perhaps this might be a good time to start keeping records for future vulnerability reports, regardless of source of disclosure. Does FreeBSD publish its vulnerability response process documentation? If not, would FreeBSD be open to such transparency?> > > Were any FreeBSD derivatives given advanced notice? If so, which ones? > > They were not. I would like to get to a point where we feel we could > give some sort of heads up for downstream, but we aren't there yet.Sounds good. Let me know how I can help. I'm at your service. Thanks, -- Shawn Webb Cofounder / Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: lattera at is.a.hacker.sx GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20190705/84a51e17/attachment.sig>