Date: Tue, 18 Jun 2019 16:55:35 -0700
From: Gordon Tetlow <gordon@tetlows.org>
To: grarpamp <grarpamp@gmail.com>
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org, security-report@netflix.com
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Message-ID: <20190618235535.GY32970@gmail.com>
In-Reply-To: <CAD2Ti29xZ2Qty8fqgjf_OLvvjODOGyLtWSCzo6xgFB51e-T0ig@mail.gmail.com>
References: <CAD2Ti29xZ2Qty8fqgjf_OLvvjODOGyLtWSCzo6xgFB51e-T0ig@mail.gmail.com>
On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
> NFLX-2019-001
>
> Date Entry Created: 20190107
> Preallocated to nothing?
> Or withheld under irresponsible disclosure thus keeping
> users vulnerable to leaks, parallel discovery, and exploit
> for at least five months more than necessary, and
> unaware thus unable to consider potential local mitigations?

Other than the inappropriate tone, there is a reasonable question here. MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide when to assign and disclose them. The 2019-01-07 date is when MITRE allocated a block of CVEs to FreeBSD, not when they are assigned to an issue. We generally get a block in the beginning of each year.

If you would like to have an actual discussion around disclosure policies, I'm happy to have one, but by your tone above, I don't think there is any reason to do so. It seems unlikely you are open to debate in a fashion that would be productive.

Thanks,
Gordon
Hat: Security Officer