From owner-freebsd-questions@freebsd.org Wed Jul 3 18:56:42 2019 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E9A1B15DD4C4 for ; Wed, 3 Jul 2019 18:56:41 +0000 (UTC) (envelope-from pathiaki2@yahoo.com) Received: from sonic311-24.consmr.mail.ne1.yahoo.com (sonic311-24.consmr.mail.ne1.yahoo.com [66.163.188.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1FD588A897 for ; Wed, 3 Jul 2019 18:56:40 +0000 (UTC) (envelope-from pathiaki2@yahoo.com) X-YMail-OSG: yHw0WDAVM1mfM0toZTfCd57tO.HWekh2LToaUER6alqm9XgoznTdV0idhogN2K5 FaN_Gg3nMXIjKrLM_VDw5yINHU3sjw4lMplVZYVWpgaUD4EHVvApQoMb.BSaJVWOB0p9unnBNomB msrnrmD_9w5tDgjpYqEYhQyjft7h1lhCjnCdIFvGJBgUYZ1yO1Ejf23pBv1tI7WktbSY5OSpd5Xk br4IVLLAfOxUsJPnNn8njXzMofSG3DJXFWWz4vsSRF4LEd.EqKIofKfyLqWZ2b9M4uvJ7aVbhpq5 bWuVWs0QiuAa1yCu23Uaa5u10uCVtq50c_wSQwEwsn9lrXUL3XMYVsyAdEVI_4NdXQa_M7rBhQ31 Usb7d1tWkj_qJSVYVPA_RFYxGU3NSUSXKQBxVSEBiTZ2yd_Z9iKEosE5lbMic69Suab3FuYyLwp1 _bxdiLUBfNbpq5iVye3IgfHVKTaJTQhqfsg8dsQG82lRnHNgf0d7z2ivfhnCUsL6E8_XOpAtkwJA RQwUyArZWa6MtxrTwh9TbJqQ_HbxW1vdaMxYUC1mLZ0pirU1krnrmZr2ILFQWse3qWtRR2UBbmXo hQN03H6ygUmgC6yGOhDM5w1KnScaMIS6O2n8Nxn1XefDAlbG0zTCT.5Z.AZd8N5H348jiZCE1Kid dV24IQ4lVjchevTybTmwJODnBgT0R2Uzi9RcnfREA.Gc79uB9tGIBlmoXhxvXtgs6VA.eSySg0bL EijDCGp7Cd25vIY3kKYClWnKT_IIaf9sQ_pvvfd1bGD.okmusa.7Y6zEObqK9qy2o7AkNiDGrfw6 D0VkAGHsifH_Kpn2RJyWxQj_vdtJeW95_ORHmrE1nU.z5kT8MyrPURJ1tI6D3T.f2jcq5NV9KabR TZQ.lqHDgAfYRB1fimZDKJ7Xg98UDxh4kM_CEtkxkeBY1S9u.ULaQhjySmd303vXFxHvlIVdN_mF VO7bAeoit72bzXfFnm23nISpP4Qh1ttxGXSwH9MMsaqmLK0p7QMuC6cVS6ZPOGJEvWlaVsSMUHAd KU6Pury.d3EWBx33KpWjkxcJNbBxHXJzCSxDGd2Mbh4VE.dYg9zyeVU4T.YX7TKLPqiJooQM0ai5 DKIGN7ikmaZlYFMJprjyVkOynrylotAwdMUx.r9oWv2wwhoE0wYEOO1RDkHNNVMc_LUFcmbjzeYF pSisb6znZU.vYY4oD2P6_0.XIvr0wN0zM6HARsDRgjPmtgAnXeD2mqoIAZEXoaZvBhAQqG5CyYwX 9xPiTmYdQ8M7DwQ-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic311.consmr.mail.ne1.yahoo.com with HTTP; Wed, 3 Jul 2019 18:56:34 +0000 Date: Wed, 3 Jul 2019 18:46:22 +0000 (UTC) From: Paul Pathiakis To: FreeBSD Message-ID: <1214115587.2584521.1562179582687@mail.yahoo.com> In-Reply-To: References: <20190630092535.7913d305.freebsd@edvax.de> <957EE871-6906-4424-8895-826B517AF581@kreme.com> Subject: Re: sendmail MIME-Version: 1.0 X-Mailer: WebService/1.1.13913 YMailNorrin Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0 X-Rspamd-Queue-Id: 1FD588A897 X-Spamd-Bar: +++ X-Spamd-Result: default: False [3.80 / 15.00]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[yahoo.com:s=s2048]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ptr:yahoo.com]; FREEMAIL_FROM(0.00)[yahoo.com]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_SPAM_SHORT(0.97)[0.974,0]; NEURAL_SPAM_MEDIUM(0.98)[0.977,0]; RCPT_COUNT_ONE(0.00)[1]; RCVD_TLS_LAST(0.00)[]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[yahoo.com:+]; MX_GOOD(-0.01)[cached: mta6.am0.yahoodns.net]; RCVD_IN_DNSWL_NONE(0.00)[205.188.163.66.list.dnswl.org : 127.0.5.0]; DMARC_POLICY_ALLOW(-0.50)[yahoo.com,reject]; IP_SCORE(1.86)[ip: (7.07), ipnet: 66.163.184.0/21(1.28), asn: 36646(1.02), country: US(-0.06)]; NEURAL_SPAM_LONG(0.99)[0.993,0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; FREEMAIL_ENVFROM(0.00)[yahoo.com]; ASN(0.00)[asn:36646, ipnet:66.163.184.0/21, country:US]; RCVD_COUNT_TWO(0.00)[2]; DWL_DNSWL_NONE(0.00)[yahoo.com.dwl.dnswl.org : 127.0.5.0] Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2019 18:56:42 -0000 I disagree. I *hated* sendmail, and most especially trying to parse the doc= umentation and configurations. Maybe the docs have gotten better, but the c= onfiguration itself is still opaque to the point of making perl look human-= readable and kid-friendly. /etc/mail/freebsd.cf > R<$+> <$*> <$- $-> <$*>=C2=A0 =C2=A0 =C2=A0 =C2=A0 $: <$(access $4:$1 $: = ? $)> <$1> <$2> <$3 $4> <$5> > R <$+> <$*> <+ $-> <$*>=C2=A0 =C2=A0 =C2=A0 $: <$(access $1 $: ? $)> <= $1> <$2> <+ $3> <$4> > R <$+ + $* @> <$*> <$- $-> <$*> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 $: <$(access $5:$1+*@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6> God!!! NO!!!! Not the .cf file's context free grammar!!! *Has visions of di= screte math classes in comp sci*=C2=A0 *convulses, falls to the ground, the= sendmail configuration emergency team quickly dresses him in his 'happy ja= cket with the long sleeves' and carts him off to the sendmail hospital.=C2= =A0 Months of therapy ensues - visions of sub-domaining and header re-writi= ng rules dance through his tormented mind... *=C2=A0 NOO!!!! Make it STOOOO= OPPPPPP!!!!! Great... thanks... I was in recovery for over 15 years and now, I've fallen= off the wagon.... Come on, people.=C2=A0 Show some consideration for the sendmail-scarred.=C2= =A0 I suffer from S(endmail)PTSD.=C2=A0 Give some warning before you throw = something like that into a mail..... or at least put it further down with l= ots of white space and a "*SPOILERS*" alert... or something.... :D P =20 From owner-freebsd-questions@freebsd.org Thu Jul 4 02:51:12 2019 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AD52115E7143; Thu, 4 Jul 2019 02:51:12 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-io1-xd41.google.com (mail-io1-xd41.google.com [IPv6:2607:f8b0:4864:20::d41]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D2356755BA; Thu, 4 Jul 2019 02:51:10 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-io1-xd41.google.com with SMTP id w25so9693117ioc.8; Wed, 03 Jul 2019 19:51:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NnpNhlEKq6ndRRjmzdo/B5FJGFEE/3jNzOG9z+U73YE=; b=G3H85mzcZvwKrEcFMvZ5IBqx66SupcCudO2nKdtrpLx+2m/+Tr0CLcy26ULHnTuEn5 kFhtpTaLBj2WCPA0CioqwS2Eq+hpbkdHuZBm5i0AXlmdZdlGOtbHHx+dICZk4SbHQEvu jrxkFPIF30pBnvFR351X66MZEV4O8MiFuBV/SySfHqUKV00kAa2TMji8mMsC2iRoCszZ UIybRlJRUYZ1ciK7EQBLz+Is4dnPUfuaF0MaNNT8c7FazRFPfk/Ih1NBpHN6PzvczTz3 h2/7aaKD03vaanvYO3YgYAS0Ie902BeP/50bo4xfST/QFuobIPq2hDvhr37UsqA1yv3I WWEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NnpNhlEKq6ndRRjmzdo/B5FJGFEE/3jNzOG9z+U73YE=; b=pfko83srgOnUZ6Yt6ncKrDJonA2joDxW8E8LMpGNwbhpjODwHlrMzbM4N09nsPUlz5 g2hdjFS34Q9V2JFMgD2C+Z5K28mdwNZjzhbVuvcqep0xmvQ2078gFRmb45l7oTKaYwVN 8TFJupZeqGnv5sYL+cmuM+6Qwpi0ATMQd43tvafYL7xEMu3E9fLmRfxScfEXAOKZbR1B AQbzw6NVyEhs5ucNF3y+7T3EBYV9BAc5JbxjO9nWLLtVekgMeb4OrXVN50s2K17HLaMx S+0f49Q6QIC90LGMOIUWoHzxYS4QCxcD3ylqImxptNhJ9eD5TXAo/u1OWwj+zxptGweu RMqw== X-Gm-Message-State: APjAAAW2ZfTRCdbXsdhUr2oLEwioMx6DV271WYioY+vYojWAgMs7b68q VC3hDuuSGAfeipRhW5t+bsKzPNhz4jiQvugmoZp3i72r X-Google-Smtp-Source: APXvYqx6z8+Yg7P4ysKYRQHiHm+TPva78VEs1ptLcZMaMwsk4KdrJebXFi49Wxr9FWWQPg6K6bmikyngCWfCDe4yDYY= X-Received: by 2002:a5d:8404:: with SMTP id i4mr2492944ion.146.1562208669702; Wed, 03 Jul 2019 19:51:09 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a02:81c6:0:0:0:0:0 with HTTP; Wed, 3 Jul 2019 19:51:09 -0700 (PDT) In-Reply-To: References: <20190618235535.GY32970@gmail.com> From: grarpamp Date: Wed, 3 Jul 2019 22:51:09 -0400 Message-ID: Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack) To: freebsd-security@freebsd.org Cc: freebsd-questions@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: D2356755BA X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=G3H85mzc; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::d41 as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-4.30 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; IP_SCORE(-0.80)[ip: (1.59), ipnet: 2607:f8b0::/32(-3.16), asn: 15169(-2.39), country: US(-0.06)]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; RCVD_IN_DNSWL_NONE(0.00)[1.4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; NEURAL_HAM_SHORT(-0.49)[-0.487,0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_TLS_LAST(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Jul 2019 02:51:12 -0000 >>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md >> discussion around disclosure policies > In today's world of parallel discovery, leaks, sec org infiltration by > adversary, surveillance, no crypto, rapid automated exploit, etc... > to wait for patch, polish, and press release advert, to not disclose, > afford users local action up to immediate offlining for safety and wait, > to draw upon entire community pool that has time*ability factor to fix... is > thought by many [users] as irresponsible to users. There is no tone. And > of course this one isn't currently a remote or local root. But what if it > was... > For those interested or new, there's lots of historical discussion with > and without tone that can be found on any seclist, yet is no universal.. https://www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/ https://tech.slashdot.org/story/15/09/04/206228/bugzilla-breached-private-vulnerability-data-stolen A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company's users. Furthermore, the attacks used not one, but two Firefox zero-days, according to Philip Martin, a member of the Coinbase security team, which reported the attacks to Mozilla. One was an RCE reported by a Google Project Zero security researcher to Mozilla in April, and the second was a sandbox escape that was spotted in the wild by the Coinbase team together with the RCE, on Monday. The question here is how an attacker managed to get hold of the details for the RCE vulnerability and use it for his attacks after the vulnerability was privately reported to Mozilla by Google. The attacker could have found the Firefox RCE on his own, he could have bribed a Mozilla/Google insider, hacked a Mozilla/Google employee and viewed details about the RCE, or hacked Mozilla's bug tracker, like another attacker did in 2015. > https://www.freebsd.org/security/ > https://www.freebsd.org/security/charter.html > https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/security/ > > The charter last marked current 2002... is there any actual and > posted mandatory timeliness disclosure trigger component? > One that gets overall reviewed for user input say every N-years? > Perhaps something more security focused than the general... > > https://www.research.net/r/freebsd2019