grarpamp
2019-Jun-19 01:16 UTC
CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
On 6/18/19, Gordon Tetlow <gordon at tetlows.org> wrote:
> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
>> NFLX-2019-001
>>
>> Date Entry Created: 20190107
>> Preallocated to nothing?
>> Or withheld...?
> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
> when to assign and disclose them. The 2019-01-07 date is when MITRE
> allocated a block of CVEs to FreeBSD, not when they are assigned to an
> issue. We generally get a block in the beginning of each year.

So preallocated to nothing, ok very well, no problem, priors amended herein as such, thx. As it is not in the current .md, when was the issue discovered by Netflix / Looney?

> discussion around disclosure policies

In today's world of parallel discovery, leaks, sec org infiltration by adversary, surveillance, no crypto, rapid automated exploit, etc... to wait for patch, polish, and press release advert, to not disclose, afford users local action up to immediate offlining for safety and wait, to draw upon entire community pool that has time*ability to fix... is thought by many [users] as irresponsible to users. There is no tone. And of course this one isn't currently a remote or local root. But what if it was... For those interested or new, there's lots of historical discussion with and without tone that can be found on any seclist, yet is no universal.. Having just noted these...

https://www.freebsd.org/security/
https://www.freebsd.org/security/charter.html
https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/security/

The charter last marked current 2002... is there any actual and posted mandatory timeliness disclosure trigger component? One that gets overall reviewed for user input say every N-years? Perhaps something more security focused than the general...

https://www.research.net/r/freebsd2019

Hack happily :) Netflix dedication to FreeBSD much appreciated by many too.
grarpamp
2019-Jun-24 17:55 UTC
CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
On 6/18/19, grarpamp <grarpamp at gmail.com> wrote:
> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
> As it is not in the current .md, when was the issue
> discovered by Netflix / Looney?

One week has gone by, so asking again...
When was the issue discovered by Netflix / Looney?
When did FreeBSD become aware of the issue?
grarpamp
2019-Jul-03 09:05 UTC
CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
On 6/24/19, grarpamp <grarpamp at gmail.com> wrote:
> On 6/18/19, grarpamp <grarpamp at gmail.com> wrote:
>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>> As it is not in the current .md, when was the issue
>> discovered by Netflix / Looney?
>
> One week has gone by, so asking again...

This is now into *third* week and *third* time this very simple question has been asked pursuant "actual discussion around disclosure policies", from two public and at least one private party, with zero response. Optics fogging up. Escalating as such. Thanks.

> When was the issue discovered by Netflix / Looney?
> When did FreeBSD become aware of the issue?