Date: Fri, 5 Jul 2019 07:52:32 -0700
From: Dan Langille <dan@langille.org>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: Gordon Tetlow <gordon@tetlows.org>, freebsd-security@freebsd.org, grarpamp <grarpamp@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Message-ID: <AF630E79-3D76-4C9F-B8DF-C5A885DCA8AC@langille.org>
In-Reply-To: <20190705134001.bba2y4dxqirs6xe6@mutt-hbsd>
References: <CAD2Ti29xZ2Qty8fqgjf_OLvvjODOGyLtWSCzo6xgFB51e-T0ig@mail.gmail.com> <20190618235535.GY32970@gmail.com> <20190619000655.2gde4u5i5ter5exu@mutt-hbsd> <20190703171812.GM32970@gmail.com> <20190705134001.bba2y4dxqirs6xe6@mutt-hbsd>
> On Jul 5, 2019, at 6:40 AM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
>
>> On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote:
>> Sorry for the late response, only so many hours in the day.
>
> Completely understood. Thanks for taking the time to respond!
>
>>
>>> On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
>>> It appears that Netflix's advisory (as of this writing) does not
>>> include a timeline of events. Would FreeBSD be able to provide its
>>> event timeline with regards to CVE-2019-5599?
>>
>> I don't generally document a timeline of events from our side. This
>> particular disclosure was a bit unusual as it wasn't external but
>> instead was an internal FreeBSD developer the security team often works
>> with. As such, our process was a bit out of sync with normal (as much as
>> we have a normal with our current processes). All of that said, we got
>> notice in early June, about 10 days before public disclosure.
>
> Perhaps this might be a good time to start keeping records for future
> vulnerability reports, regardless of source of disclosure.
>
> Does FreeBSD publish its vulnerability response process documentation?
> If not, would FreeBSD be open to such transparency?

You're asking volunteers, performing a very time-consuming task, to do even more work. The demands of security officer are pretty onerous as it is.

>
>>
>>> Were any FreeBSD derivatives given advanced notice? If so, which ones?
>>
>> They were not. I would like to get to a point where we feel we could
>> give some sort of heads up for downstream, but we aren't there yet.
>
> Sounds good. Let me know how I can help. I'm at your service.
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> Tor-ified Signal: +1 443-546-8752
> Tor+XMPP+OTR: lattera@is.a.hacker.sx
> GPG Key ID: 0xFF2E67A277F8E1FA
> GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2