Date:      Fri, 5 Jul 2019 09:40:01 -0400
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Gordon Tetlow <gordon@tetlows.org>
Cc:        grarpamp <grarpamp@gmail.com>, freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Message-ID:  <20190705134001.bba2y4dxqirs6xe6@mutt-hbsd>
In-Reply-To: <20190703171812.GM32970@gmail.com>
References:  <CAD2Ti29xZ2Qty8fqgjf_OLvvjODOGyLtWSCzo6xgFB51e-T0ig@mail.gmail.com> <20190618235535.GY32970@gmail.com> <20190619000655.2gde4u5i5ter5exu@mutt-hbsd> <20190703171812.GM32970@gmail.com>

On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote:
> Sorry for the late response, only so many hours in the day.

Completely understood. Thanks for taking the time to respond!

>
> On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
> > It appears that Netflix's advisory (as of this writing) does not
> > include a timeline of events. Would FreeBSD be able to provide its
> > event timeline with regards to CVE-2019-5599?
>
> I don't generally document a timeline of events from our side. This
> particular disclosure was a bit unusual as it wasn't external but
> instead was an internal FreeBSD developer the security team often works
> with. As such, our process was a bit out of sync with normal (as much as
> we have a normal with our current processes). All of that said, we got
> notice in early June, about 10 days before public disclosure.

Perhaps this might be a good time to start keeping records for future
vulnerability reports, regardless of source of disclosure.

Does FreeBSD publish its vulnerability response process documentation?
If not, would FreeBSD be open to such transparency?

>
> > Were any FreeBSD derivatives given advanced notice? If so, which ones?
>
> They were not. I would like to get to a point where we feel we could
> give some sort of heads up for downstream, but we aren't there yet.

Sounds good. Let me know how I can help. I'm at your service.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera@is.a.hacker.sx
GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
