CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

Gordon Tetlow gordon at
Tue Jun 18 23:55:40 UTC 2019

On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
> NFLX-2019-001
> Date Entry Created: 20190107
> Preallocated to nothing?
> Or withheld under irresponsible disclosure thus keeping
> users vulnerable to leaks, parallel discovery, and exploit
> for at least five months more than necessary, and
> unaware thus unable to consider potential local mitigations?

Other than the inappropriate tone, there is a reasonable question here.
MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
when to assign and disclose them. The 2019-01-07 date is when MITRE
allocated a block of CVEs to FreeBSD, not when they are assigned to an
issue. We generally get a block in the beginning of each year.

If you would like to have an actual discussion around disclosure
policies, I'm happy to have one, but by your tone above, I don't think
there is any reason to do so. It seems unlikely you are open to
debate in a fashion that would be productive.

Hat: Security Officer

More information about the freebsd-questions mailing list