From owner-freebsd-security@freebsd.org Fri Jul 5 14:52:59 2019
From: Dan Langille
To: Shawn Webb
Cc: Gordon Tetlow, freebsd-security@freebsd.org, grarpamp, freebsd-questions@freebsd.org
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Date: Fri, 5 Jul 2019 07:52:32 -0700
In-Reply-To: <20190705134001.bba2y4dxqirs6xe6@mutt-hbsd>
List-Id: "Security issues \[members-only posting\]"

> On Jul 5, 2019, at 6:40 AM, Shawn Webb wrote:
>
>> On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote:
>> Sorry for the late response, only so many hours in the day.
>
> Completely understood. Thanks for taking the time to respond!
>
>>
>>> On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
>>> It appears that Netflix's advisory (as of this writing) does not
>>> include a timeline of events. Would FreeBSD be able to provide its
>>> event timeline with regards to CVE-2019-5599?
>>
>> I don't generally document a timeline of events from our side. This
>> particular disclosure was a bit unusual as it wasn't external but
>> instead was an internal FreeBSD developer the security team often works
>> with. As such, our process was a bit out of sync with normal (as much as
>> we have a normal with our current processes). All of that said, we got
>> notice in early June, about 10 days before public disclosure.
>
> Perhaps this might be a good time to start keeping records for future
> vulnerability reports, regardless of source of disclosure.
>
> Does FreeBSD publish its vulnerability response process documentation?
> If not, would FreeBSD be open to such transparency?

You're asking volunteers, performing a very time-consuming task, to do even more work. The demands of security officer are pretty onerous as it is.

>
>>
>>> Were any FreeBSD derivatives given advanced notice? If so, which ones?
>>
>> They were not. I would like to get to a point where we feel we could
>> give some sort of heads up for downstream, but we aren't there yet.
>
> Sounds good. Let me know how I can help. I'm at your service.
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> Tor-ified Signal: +1 443-546-8752
> Tor+XMPP+OTR: lattera@is.a.hacker.sx
> GPG Key ID: 0xFF2E67A277F8E1FA
> GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2