Date: Fri, 5 Jul 2019 11:02:55 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Dan Langille
Cc: Gordon Tetlow, freebsd-security@freebsd.org, grarpamp, freebsd-questions@freebsd.org
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Message-ID: <20190705150255.ozwxy63tuuwckhvi@mutt-hbsd>
References: <20190618235535.GY32970@gmail.com> <20190619000655.2gde4u5i5ter5exu@mutt-hbsd> <20190703171812.GM32970@gmail.com> <20190705134001.bba2y4dxqirs6xe6@mutt-hbsd>
List-Id: freebsd-security@freebsd.org (Security issues [members-only posting])
On Fri, Jul 05, 2019 at 07:52:32AM -0700, Dan Langille wrote:
>
> On Jul 5, 2019, at 6:40 AM, Shawn Webb wrote:
> >
> >> On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote:
> >> Sorry for the late response, only so many hours in the day.
> >
> > Completely understood. Thanks for taking the time to respond!
> >
> >>
> >>> On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
> >>> It appears that Netflix's advisory (as of this writing) does not
> >>> include a timeline of events. Would FreeBSD be able to provide its
> >>> event timeline with regards to CVE-2019-5599?
> >>
> >> I don't generally document a timeline of events from our side. This
> >> particular disclosure was a bit unusual as it wasn't external but
> >> instead was an internal FreeBSD developer the security team often works
> >> with. As such, our process was a bit out of sync with normal (as much as
> >> we have a normal with our current processes). All of that said, we got
> >> notice in early June, about 10 days before public disclosure.
> >
> > Perhaps this might be a good time to start keeping records for future
> > vulnerability reports, regardless of source of disclosure.
> >
> > Does FreeBSD publish its vulnerability response process documentation?
> > If not, would FreeBSD be open to such transparency?
>
> You're asking volunteers, performing a very time-consuming task, to do even more work.
>
> The demands of security officer are pretty onerous as it is.

Hey Dan,

My intent was not to task anyone or add to their burden. I apologize if
that is how my questions were perceived upon receipt.

My goal was to perhaps start a dialogue, brainstorming ways to improve
processes along the way. As a downstream derivative of FreeBSD, one who
will indeed be in the same place as FreeBSD with regards to security
announcements, disclosures, timelines, etc., we at HardenedBSD would
like to learn from the experiences of others. The only way to learn from
others is to collaborate with them--the true intent of my questions.

However, if FreeBSD would not like help with regards to security, or
would not like to impart of their wisdom to others, perhaps this would
be a good place to end the discussion.

Even if you mean well and have the best of intentions, they eat you
alive.
Thanks and may you have a wonderful weekend,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera@is.a.hacker.sx
GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2