From: Cy Schubert
Date: Tue, 18 Jun 2019 08:39:55 -0700
Subject: Re: TCP SACK (CVE-2019-5599)
To: hiren, hiren via freebsd-security, mike tancsa
CC: "freebsd-security@freebsd.org"

On June 18, 2019 7:57:09 AM PDT, hiren via freebsd-security wrote:
>On 06/18/19 at 10:33P, mike tancsa wrote:
>> Hi all,
>> With respect to the bugs described in
>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>> * SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
>[snip]
>>
>> How do I know if this is enabled in my default kernel on RELENG_12?
>> There is some vague mention in various forums this is not the default on
>> FreeBSD? Can anyone shed more light as to how this does/does not impact
>> FreeBSD?
>
>RACK is one of the tcp stacks ($src/sys/netinet/tcp_stacks) and not
>enabled by default.
>
>So, by default, FreeBSD is not affected, afaict. This advisory is for
>when you do use RACK.
>
>Cheers,
>Hiren

They post a workaround patch in their advisory. As RACK is their contribution, I suppose one of their people who are committers might want to commit it.

-- 
Pardon the typos and autocorrect, small keyboard in use.
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.
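
One way to check a given host for the condition discussed in this thread, as an added example that is not part of the original message or of FreeBSD itself. It assumes the sysctls `net.inet.tcp.functions_default` and `net.inet.tcp.functions_available`; the table layout it parses and the sample table are assumptions constructed for illustration, and `rack_state` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: classify how exposed a host is to the RACK-only SACK issue.
# Assumed layout of net.inet.tcp.functions_available: one row per stack,
# stack name in the first column, PCB (connection) count in the last.

# Constructed sample output, not captured from a real system.
SAMPLE_TABLE='
Stack                           D Alias                            PCB count
freebsd                         * freebsd                          3
rack                              rack                             0'

# rack_state DEFAULT_STACK AVAILABLE_TABLE
# Prints one of:
#   default  rack is the system-wide default stack
#   in-use   rack is registered and at least one connection uses it
#   loaded   rack is registered but no connection uses it
#   absent   rack is not registered (the stock situation described above)
rack_state() {
    default_stack=$1
    table=$2
    if [ "$default_stack" = "rack" ]; then
        echo default
        return 0
    fi
    # Sum the connection counts of every row whose stack name is "rack".
    pcbs=$(printf '%s\n' "$table" |
        awk '$1 == "rack" { n += $NF; found = 1 }
             END { print (found ? n : "none") }')
    case "$pcbs" in
        none) echo absent ;;
        0)    echo loaded ;;
        *)    echo in-use ;;
    esac
}

if [ "$(uname -s)" = "FreeBSD" ]; then
    # Live check on the host itself.
    rack_state "$(sysctl -n net.inet.tcp.functions_default)" \
               "$(sysctl -n net.inet.tcp.functions_available)"
else
    # Elsewhere, demonstrate on the constructed sample.
    rack_state freebsd "$SAMPLE_TABLE"
fi
```

Anything other than `absent` means the RACK stack is registered on the host, and `default` or `in-use` means connections are actually running on it.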