CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

grarpamp grarpamp at gmail.com
Wed Jun 19 01:16:56 UTC 2019


On 6/18/19, Gordon Tetlow <gordon at tetlows.org> wrote:
> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
>> NFLX-2019-001
>>
>> Date Entry Created: 20190107
>> Preallocated to nothing?
>> Or withheld...?

> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
> when to assign and disclose them. The 2019-01-07 date is when MITRE
> allocated a block of CVEs to FreeBSD, not when they are assigned to an
> issue. We generally get a block in the beginning of each year.

So preallocated to nothing, ok very well, no problem,
priors amended herein as such, thx.

As it is not in the current .md, when was the issue
discovered by Netflix / Looney?

> discussion around disclosure policies

In today's world of parallel discovery, leaks, sec org infiltration by
adversary, surveillance, no crypto, rapid automated exploit, etc...
to wait for patch, polish, and press release advert, to not disclose,
afford users local action up to immediate offlining for safety and wait,
to draw upon entire community pool that has time*ability to fix... is
thought by many [users] as irresponsible to users. There is no tone. And
of course this one isn't currently a remote or local root. But what if it was...
For those interested or new, there's lots of historical discussion with
and without tone that can be found on any seclist, yet is no universal..

Having just noted these...

https://www.freebsd.org/security/
https://www.freebsd.org/security/charter.html
https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/security/

The charter last marked current 2002... is there any actual and
posted mandatory timeliness disclosure trigger component?
One that gets overall reviewed for user input say every N-years?
Perhaps something more security focused than the general...

https://www.research.net/r/freebsd2019


Hack happily :)


Netflix dedication to FreeBSD much appreciated by many too.
