CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

Shawn Webb shawn.webb at hardenedbsd.org
Wed Jun 19 00:06:59 UTC 2019 

On Tue, Jun 18, 2019 at 04:55:35PM -0700, Gordon Tetlow wrote:
> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
> > https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
> > NFLX-2019-001
> > 
> > Date Entry Created: 20190107
> > Preallocated to nothing?
> > Or witheld under irresponsible disclosure thus keeping
> > users vulnerable to leaks, parallel discovery, and exploit
> > for at least five months more than necessary, and
> > unaware thus unable to consider potential local mitigations?
> 
> Other than the inappropriate tone, there is a reasonable question here.
> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
> when to assign and disclose them. The 2019-01-07 date is when MITRE
> allocated a block of CVEs to FreeBSD, not when they are assigned to an
> issue. We generally get a block in the beginning of each year.
> 
> If you would like to have an actual discussion around disclosure
> policies, I'm happy to have one, but by your tone above, I don't think
> there is any reason to do so. It seems unlikely you are open to
> debate in a fashion that would be productive.

Hey Gordon,

Thank you for your reply, and especially for the respectful tone. I
hope to drive a further positive discussion in the goal of enhanced
transparency.

It appears that Netflix's advisory (as of this writing) does not
include a timeline of events. Would FreeBSD be able to provide its
event timeline with regards to CVE-2019-5599?

Were any FreeBSD derivatives given advanced notice? If so, which ones?

Thanks for your time, resources, and continued correspondence.

Thanks again,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera at is.a.hacker.sx
GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20190618/2fa5f46b/attachment.sig>

More information about the freebsd-questions mailing list