CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
gordon at tetlows.org
Wed Jul 3 17:18:17 UTC 2019

Sorry for the late response, only so many hours in the day.

On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
> It appears that Netflix's advisory (as of this writing) does not
> include a timeline of events. Would FreeBSD be able to provide its
> event timeline with regards to CVE-2019-5599?

I don't generally document a timeline of events from our side. This
particular disclosure was a bit unusual as it wasn't external but
instead was an internal FreeBSD developer the security team often works
with. As such, our process was a bit out of sync with normal (as much as
we have a normal with our current processes). All of that said, we got
notice in early June, about 10 days before public disclosure.

> Were any FreeBSD derivatives given advanced notice? If so, which ones?

They were not. I would like to get to a point where we feel we could
give some sort of heads up for downstream, but we aren't there yet.