CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

Dan Langille dan at
Fri Jul 5 14:52:59 UTC 2019

> On Jul 5, 2019, at 6:40 AM, Shawn Webb <shawn.webb at> wrote:
>> On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote:
>> Sorry for the late response, only so many hours in the day.
> Completely understood. Thanks for taking the time to respond!
>>> On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
>>> It appears that Netflix's advisory (as of this writing) does not
>>> include a timeline of events. Would FreeBSD be able to provide its
>>> event timeline with regards to CVE-2019-5599?
>> I don't generally document a timeline of events from our side. This
>> particular disclosure was a bit unusual as it wasn't external but
>> instead was an internal FreeBSD developer the security team often works
>> with. As such, our process was a bit out of sync with normal (as much as
>> we have a normal with our current processes). All of that said, we got
>> notice in early June, about 10 days before public disclosure.
> Perhaps this might be a good time to start keeping records for future
> vulnerability reports, regardless of source of disclosure.
> Does FreeBSD publish its vulnerability response process documentation?
> If not, would FreeBSD be open to such transparency?

You’re asking volunteers, performing a very time-consuming task, to do even more work.

The demands of security officer are pretty onerous as it is.

>>> Were any FreeBSD derivatives given advanced notice? If so, which ones?
>> They were not. I would like to get to a point where we feel we could
>> give some sort of heads up for downstream, but we aren't there yet.
> Sounds good. Let me know how I can help. I'm at your service.
> Thanks,
> -- 
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
> Tor-ified Signal:    +1 443-546-8752
> Tor+XMPP+OTR:        lattera at
> GPG Key ID:          0xFF2E67A277F8E1FA
> GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
