CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

Valeri Galtsev galtsev at kicp.uchicago.edu
Wed Jun 19 13:48:45 UTC 2019



On 2019-06-18 19:06, Shawn Webb wrote:
> On Tue, Jun 18, 2019 at 04:55:35PM -0700, Gordon Tetlow wrote:
>> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
>>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
>>> NFLX-2019-001
>>>
>>> Date Entry Created: 20190107
>>> Preallocated to nothing?
>>> Or withheld under irresponsible disclosure thus keeping
>>> users vulnerable to leaks, parallel discovery, and exploit
>>> for at least five months more than necessary, and
>>> unaware thus unable to consider potential local mitigations?
>>
>> Other than the inappropriate tone, there is a reasonable question here.
>> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
>> when to assign and disclose them. The 2019-01-07 date is when MITRE
>> allocated a block of CVEs to FreeBSD, not when they are assigned to an
>> issue. We generally get a block in the beginning of each year.
>>
>> If you would like to have an actual discussion around disclosure
>> policies, I'm happy to have one, but by your tone above, I don't think
>> there is any reason to do so. It seems unlikely you are open to
>> debate in a fashion that would be productive.
> 
> Hey Gordon,
> 
> Thank you for your reply, and especially for the respectful tone. I
> hope to drive a further positive discussion in the goal of enhanced
> transparency.
> 
> It appears that Netflix's advisory (as of this writing) does not
> include a timeline of events. Would FreeBSD be able to provide its
> event timeline with regards to CVE-2019-5599?

I am not commenting on other details of this thread, and I am speaking here 
for myself, not for the FreeBSD project.

This is "backwards" thinking. It is the responsibility of clone projects 
to follow all details of the master project, not the responsibility of 
FreeBSD to notify any of the clones, which the FreeBSD project didn't ask to 
clone FreeBSD in the first place.

Just my $0.02

Valeri

> 
> Were any FreeBSD derivatives given advanced notice? If so, which ones?
> 
> Thanks for your time, resources, and continued correspondence.
> 
> Thanks again,
> 

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++