CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

Shawn Webb shawn.webb at
Fri Jul 5 15:02:58 UTC 2019

On Fri, Jul 05, 2019 at 07:52:32AM -0700, Dan Langille wrote:
> > On Jul 5, 2019, at 6:40 AM, Shawn Webb <shawn.webb at> wrote:
> > 
> >> On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote:
> >> Sorry for the late response, only so many hours in the day.
> > 
> > Completely understood. Thanks for taking the time to respond!
> > 
> >> 
> >>> On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
> >>> It appears that Netflix's advisory (as of this writing) does not
> >>> include a timeline of events. Would FreeBSD be able to provide its
> >>> event timeline with regards to CVE-2019-5599?
> >> 
> >> I don't generally document a timeline of events from our side. This
> >> particular disclosure was a bit unusual as it wasn't external but
> >> instead was an internal FreeBSD developer the security team often works
> >> with. As such, our process was a bit out of sync with normal (as much as
> >> we have a normal with our current processes). All of that said, we got
> >> notice in early June, about 10 days before public disclosure.
> > 
> > Perhaps this might be a good time to start keeping records for future
> > vulnerability reports, regardless of source of disclosure.
> > 
> > Does FreeBSD publish its vulnerability response process documentation?
> > If not, would FreeBSD be open to such transparency?
> You???re asking volunteers, performing a very time-consuming task, to do even more work.
> The demands of security officer are pretty onerous as it is.

Hey Dan,

My intent was not to task anyone or add to their burden. I apologize
if that is how my questions were perceived upon receipt.

My goal was to perhaps start a dialogue, brainstorming ways to improve
processes along the way.

As a downstream derivative of FreeBSD, one who will indeed be in the
same place as FreeBSD with regards to security announcements,
disclosures, timelines, etc, we at HardenedBSD would like to learn
from the experiences of others. The only way to learn from others is
to collaborate with them--the true intent of my questions.

However, if FreeBSD would not like help with regards to security, or
would not like to impart of their wisdom to others, perhaps this would
be a good place to end the discussion.

Even if you mean well and have the best of intentions, they eat you

Thanks and may you have a wonderful weekend,

Shawn Webb
Cofounder / Security Engineer

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera at
GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the freebsd-security mailing list