Shawn Webb
2019-Jun-19 00:06 UTC
CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
On Tue, Jun 18, 2019 at 04:55:35PM -0700, Gordon Tetlow wrote:
> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
> > https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
> > NFLX-2019-001
> >
> > Date Entry Created: 20190107
> > Preallocated to nothing?
> > Or withheld under irresponsible disclosure thus keeping
> > users vulnerable to leaks, parallel discovery, and exploit
> > for at least five months more than necessary, and
> > unaware thus unable to consider potential local mitigations?
>
> Other than the inappropriate tone, there is a reasonable question here.
> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
> when to assign and disclose them. The 2019-01-07 date is when MITRE
> allocated a block of CVEs to FreeBSD, not when they are assigned to an
> issue. We generally get a block in the beginning of each year.
>
> If you would like to have an actual discussion around disclosure
> policies, I'm happy to have one, but by your tone above, I don't think
> there is any reason to do so. It seems unlikely you are open to
> debate in a fashion that would be productive.

Hey Gordon,

Thank you for your reply, and especially for the respectful tone. I hope to drive a further positive discussion in the goal of enhanced transparency.

It appears that Netflix's advisory (as of this writing) does not include a timeline of events. Would FreeBSD be able to provide its event timeline with regards to CVE-2019-5599?

Were any FreeBSD derivatives given advanced notice? If so, which ones?

Thanks for your time, resources, and continued correspondence.

Thanks again,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera at is.a.hacker.sx
GPG Key ID: 0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
Gordon Tetlow
2019-Jul-03 17:18 UTC
CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Sorry for the late response, only so many hours in the day.

On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
> It appears that Netflix's advisory (as of this writing) does not
> include a timeline of events. Would FreeBSD be able to provide its
> event timeline with regards to CVE-2019-5599?

I don't generally document a timeline of events from our side. This particular disclosure was a bit unusual as it wasn't external but instead was an internal FreeBSD developer the security team often works with. As such, our process was a bit out of sync with normal (as much as we have a normal with our current processes). All of that said, we got notice in early June, about 10 days before public disclosure.

> Were any FreeBSD derivatives given advanced notice? If so, which ones?

They were not. I would like to get to a point where we feel we could give some sort of heads up for downstream, but we aren't there yet.

Best,
Gordon