Date: Wed, 19 Jun 2019 08:48:38 -0500
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: freebsd-questions@freebsd.org
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Message-ID: <0573e9a2-87db-bc14-c616-144c0213b536@kicp.uchicago.edu>
In-Reply-To: <20190619000655.2gde4u5i5ter5exu@mutt-hbsd>
References: <CAD2Ti29xZ2Qty8fqgjf_OLvvjODOGyLtWSCzo6xgFB51e-T0ig@mail.gmail.com> <20190618235535.GY32970@gmail.com> <20190619000655.2gde4u5i5ter5exu@mutt-hbsd>
On 2019-06-18 19:06, Shawn Webb wrote:
> On Tue, Jun 18, 2019 at 04:55:35PM -0700, Gordon Tetlow wrote:
>> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
>>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
>>> NFLX-2019-001
>>>
>>> Date Entry Created: 20190107
>>> Preallocated to nothing?
>>> Or withheld under irresponsible disclosure thus keeping
>>> users vulnerable to leaks, parallel discovery, and exploit
>>> for at least five months more than necessary, and
>>> unaware thus unable to consider potential local mitigations?
>>
>> Other than the inappropriate tone, there is a reasonable question here.
>> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
>> when to assign and disclose them. The 2019-01-07 date is when MITRE
>> allocated a block of CVEs to FreeBSD, not when they are assigned to an
>> issue. We generally get a block in the beginning of each year.
>>
>> If you would like to have an actual discussion around disclosure
>> policies, I'm happy to have one, but by your tone above, I don't think
>> there is any reason to do so. It seems unlikely you are open to
>> debate in a fashion that would be productive.
>
> Hey Gordon,
>
> Thank you for your reply, and especially for the respectful tone. I
> hope to drive a further positive discussion in the goal of enhanced
> transparency.
>
> It appears that Netflix's advisory (as of this writing) does not
> include a timeline of events. Would FreeBSD be able to provide its
> event timeline with regards to CVE-2019-5599?

I am not commenting on other details of this thread, and I am talking here for myself, not for the FreeBSD project. This is "backwards" thinking. It is the responsibility of clone projects to follow all details of the master project, not the responsibility of FreeBSD to notify any of the clones, which the FreeBSD project didn't request to clone FreeBSD in the first place.
Just my $0.02

Valeri

> Were any FreeBSD derivatives given advanced notice? If so, which ones?
>
> Thanks for your time, resources, and continued correspondence.
>
> Thanks again,
>

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++