From owner-freebsd-questions@freebsd.org Wed Jun 19 00:06:59 2019 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7900315CCC88 for ; Wed, 19 Jun 2019 00:06:59 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-qk1-x72f.google.com (mail-qk1-x72f.google.com [IPv6:2607:f8b0:4864:20::72f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F08B76CC91 for ; Wed, 19 Jun 2019 00:06:57 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-qk1-x72f.google.com with SMTP id c70so9786110qkg.7 for ; Tue, 18 Jun 2019 17:06:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=ZjWGQ2+ijpBfioHVFDQ8INdyQyE53uZwPApgm2atEP0=; b=FWXc3jR0Ei+TqPT+Rdu6FN+nqlqR8JnBbrpi+kpOBJ9L17n93F6uU5NuFX4uOK2VI6 E6+LZTu7qocG9Frx6+Jzq8yQMcWZ6cfR4WdDgZ0gMNAZXDJEE/nB83HHnfc55kI00X1f kSEnV5MoVjplgkKClGnO6qKnRiJiJ2Gp9ysJI3/KFsvkqWSFhwyNMNp7+q85/Jb2aH/8 Kb+EKN7QpciIvMHrWuYktso9pc6POVp+Jxopw/3nMXt//upm6+sa3bg95BgZpz8MuXvM C7vR5enonKHtqS4kzQfssX9suNMlWwfNUS8LgKVE3elkbozmvF3yukatnxddghVKA6dV tDAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=ZjWGQ2+ijpBfioHVFDQ8INdyQyE53uZwPApgm2atEP0=; b=EDwT8KgQ5GgPAAAP+N1VwSfEVVO38Ufl2OgnyHW3FOYY/OeLEiwonHQ7Kxpp9Aqs0D pGLbaFM0kuvMbaeJtPZgnJCjZARwquMNgHapuFK0RcZA3eKzWjKau9PCOJzXEvYRFQSw /wAUgyhCoGfq2+CXv4+BA3xsLuQj6gve21BvJgpnn/dwFolFaszc/q4qYGH3wKUp1D/l Kc6D4Qy3A1QoGivUD2A1x6v7N1JeDQzdsnyhD74+TQjMKu6Loff48dNvST3ztKWhpLeQ Pq6Yoa2ShdBXgJ0YfS2KMaW+WfIwJel6JZjFzi8XlzU+dkgt5pvszyeellAwPzEi9m37 X03g== X-Gm-Message-State: APjAAAXcqSFgHL1Mv2tRAevJKPJMxglHtDG0en0tvavHuP7pOLapsPGV pCS04ks0kWyLGjXoxtX+QIeUrQkFq0o= X-Google-Smtp-Source: APXvYqwS6Lt7Xtx7JLWCdvUoby8IdPIK+26vpb5ur3TA3HXG4C5NcXQm5dkr9+okwQLbTtoAItUFIw== X-Received: by 2002:a37:ac14:: with SMTP id e20mr95009884qkm.243.1560902817092; Tue, 18 Jun 2019 17:06:57 -0700 (PDT) Received: from mutt-hbsd ([151.196.118.239]) by smtp.gmail.com with ESMTPSA id k58sm10784251qtc.38.2019.06.18.17.06.56 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Tue, 18 Jun 2019 17:06:56 -0700 (PDT) Date: Tue, 18 Jun 2019 20:06:55 -0400 From: Shawn Webb To: Gordon Tetlow Cc: grarpamp , freebsd-security@freebsd.org, freebsd-questions@freebsd.org, security-report@netflix.com Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack) Message-ID: <20190619000655.2gde4u5i5ter5exu@mutt-hbsd> References: <20190618235535.GY32970@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="pvj2jtyuppcsn75u" Content-Disposition: inline In-Reply-To: <20190618235535.GY32970@gmail.com> X-Operating-System: FreeBSD mutt-hbsd 13.0-CURRENT-HBSD FreeBSD 13.0-CURRENT-HBSD HARDENEDBSD-13-CURRENT amd64 X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0xFF2E67A277F8E1FA User-Agent: NeoMutt/20180716 X-Rspamd-Queue-Id: F08B76CC91 X-Spamd-Bar: -------- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=hardenedbsd.org header.s=google header.b=FWXc3jR0; spf=pass (mx1.freebsd.org: domain of shawn.webb@hardenedbsd.org designates 2607:f8b0:4864:20::72f as permitted sender) smtp.mailfrom=shawn.webb@hardenedbsd.org X-Spamd-Result: default: False [-8.12 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; RCPT_COUNT_FIVE(0.00)[5]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[hardenedbsd.org:+]; MX_GOOD(-0.01)[alt1.aspmx.l.google.com,aspmx.l.google.com,aspmx2.googlemail.com,alt2.aspmx.l.google.com,aspmx3.googlemail.com]; NEURAL_HAM_SHORT(-1.00)[-0.996,0]; SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-3.02)[ip: (-9.54), ipnet: 2607:f8b0::/32(-3.16), asn: 15169(-2.32), country: US(-0.06)]; MIME_TRACE(0.00)[0:+,1:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_TLS_LAST(0.00)[]; RECEIVED_SPAMHAUS_PBL(0.00)[239.118.196.151.zen.spamhaus.org : 127.0.0.10]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[hardenedbsd.org:s=google]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; DMARC_NA(0.00)[hardenedbsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[f.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; MID_RHS_NOT_FQDN(0.50)[]; FREEMAIL_CC(0.00)[gmail.com] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jun 2019 00:06:59 -0000 --pvj2jtyuppcsn75u Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 18, 2019 at 04:55:35PM -0700, Gordon Tetlow wrote: > On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote: > > https://github.com/Netflix/security-bulletins/blob/master/advisories/th= ird-party/2019-001.md > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2019-5599 > > NFLX-2019-001 > >=20 > > Date Entry Created: 20190107 > > Preallocated to nothing? > > Or witheld under irresponsible disclosure thus keeping > > users vulnerable to leaks, parallel discovery, and exploit > > for at least five months more than necessary, and > > unaware thus unable to consider potential local mitigations? >=20 > Other than the inappropriate tone, there is a reasonable question here. > MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide > when to assign and disclose them. The 2019-01-07 date is when MITRE > allocated a block of CVEs to FreeBSD, not when they are assigned to an > issue. We generally get a block in the beginning of each year. >=20 > If you would like to have an actual discussion around disclosure > policies, I'm happy to have one, but by your tone above, I don't think > there is any reason to do so. It seems unlikely you are open to > debate in a fashion that would be productive. Hey Gordon, Thank you for your reply, and especially for the respectful tone. I hope to drive a further positive discussion in the goal of enhanced transparency. It appears that Netflix's advisory (as of this writing) does not include a timeline of events. Would FreeBSD be able to provide its event timeline with regards to CVE-2019-5599? Were any FreeBSD derivatives given advanced notice? If so, which ones? Thanks for your time, resources, and continued correspondence. Thanks again, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2 --pvj2jtyuppcsn75u Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAl0JfJoACgkQ/y5nonf4 4foWbBAAib8Ky5ZDh0GM/50NpFn3ws0/uHsi4F8iUmDxKJVfFdgx4dx8tlH1ZCT8 t1Aqu8sxBDFIO/cHWvGQu5BuEZbf/eDt8w8iBqpKKDdSYka2n8a2dgixUZgm2WPf MydSOlUXI1+kME59JjJ16gCk+Yuteap+bVaIqDC8d1+ERzHJ+CqHKF1NU2Qf8+2P 5Z4AdO7BznNRKCBiymGJCrmsSIXqgaNY0wqSri+OiBl6PsllcsYmFguaTpud1tcu hxhOutIFg1IRtqvyAZjAMz4eq6UOTM3OnrtFZVWGPGjE69C/T/UFvL79fu8ZR+a7 oVH7Bf7g14d1bHNOrcnUfyaAzC398fJ1SSSO6lCArB4GGBJRKPodQVMPY54esM7e 4GNyfhKP72eXqvTLXPMloC5wzRdD2hgkmkF0XqQCrW06XNjrLraOib0jhXK/lKUf MnyXJbnoV9J30Ey8OQ83S2DHyKcogL2O8wavvqxfdPpXmBJkzwn4kkPuBfDyjzU/ dshfQ4nq9XlHJxX89LRzBUpgOa9yruGklrM1c9wySkM3rD72dui/cTzQN3THA228 LWhExQgNbrnAQCwztvuSKnP8oB8oZk2JISYd0aqYcu5NVo4yxa5qUh5wveu/k9Pr scgfZ/HKlBTqp7EgL9rSdGAyNzqAutLg7LynCU8Nnw0FWHdl10g= =PwY8 -----END PGP SIGNATURE----- --pvj2jtyuppcsn75u--