Date: Tue, 18 Jun 2019 20:06:55 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Gordon Tetlow <gordon@tetlows.org>
Cc: grarpamp <grarpamp@gmail.com>, freebsd-security@freebsd.org, freebsd-questions@freebsd.org, security-report@netflix.com
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Message-ID: <20190619000655.2gde4u5i5ter5exu@mutt-hbsd>
In-Reply-To: <20190618235535.GY32970@gmail.com>
References: <CAD2Ti29xZ2Qty8fqgjf_OLvvjODOGyLtWSCzo6xgFB51e-T0ig@mail.gmail.com> <20190618235535.GY32970@gmail.com>
On Tue, Jun 18, 2019 at 04:55:35PM -0700, Gordon Tetlow wrote:
> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
> > https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
> > NFLX-2019-001
> >
> > Date Entry Created: 20190107
> > Preallocated to nothing?
> > Or withheld under irresponsible disclosure thus keeping
> > users vulnerable to leaks, parallel discovery, and exploit
> > for at least five months more than necessary, and
> > unaware thus unable to consider potential local mitigations?
>
> Other than the inappropriate tone, there is a reasonable question here.
> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
> when to assign and disclose them. The 2019-01-07 date is when MITRE
> allocated a block of CVEs to FreeBSD, not when they are assigned to an
> issue. We generally get a block in the beginning of each year.
>
> If you would like to have an actual discussion around disclosure
> policies, I'm happy to have one, but by your tone above, I don't think
> there is any reason to do so. It seems unlikely you are open to
> debate in a fashion that would be productive.

Hey Gordon,

Thank you for your reply, and especially for the respectful tone. I hope to drive a further positive discussion with the goal of enhanced transparency.

It appears that Netflix's advisory (as of this writing) does not include a timeline of events. Would FreeBSD be able to provide its event timeline with regards to CVE-2019-5599? Were any FreeBSD derivatives given advance notice? If so, which ones?

Thanks for your time, resources, and continued correspondence.
Thanks again,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190619000655.2gde4u5i5ter5exu>