From owner-freebsd-questions@freebsd.org Wed Jun 19 13:48:45 2019
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
To: freebsd-questions@freebsd.org
References: <20190618235535.GY32970@gmail.com> <20190619000655.2gde4u5i5ter5exu@mutt-hbsd>
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
Message-ID: <0573e9a2-87db-bc14-c616-144c0213b536@kicp.uchicago.edu>
Date: Wed, 19 Jun 2019 08:48:38 -0500
In-Reply-To: <20190619000655.2gde4u5i5ter5exu@mutt-hbsd>

On 2019-06-18 19:06, Shawn Webb wrote:
> On Tue, Jun 18, 2019 at 04:55:35PM -0700, Gordon Tetlow wrote:
>> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
>>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
>>> NFLX-2019-001
>>>
>>> Date Entry Created: 20190107
>>> Preallocated to nothing?
>>> Or withheld under irresponsible disclosure thus keeping
>>> users vulnerable to leaks, parallel discovery, and exploit
>>> for at least five months more than necessary, and
>>> unaware thus unable to consider potential local mitigations?
>>
>> Other than the inappropriate tone, there is a reasonable question here.
>> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
>> when to assign and disclose them. The 2019-01-07 date is when MITRE
>> allocated a block of CVEs to FreeBSD, not when they are assigned to an
>> issue. We generally get a block in the beginning of each year.
>>
>> If you would like to have an actual discussion around disclosure
>> policies, I'm happy to have one, but by your tone above, I don't think
>> there is any reason to do so. It seems unlikely you are open to
>> debate in a fashion that would be productive.
>
> Hey Gordon,
>
> Thank you for your reply, and especially for the respectful tone. I
> hope to drive a further positive discussion in the goal of enhanced
> transparency.
>
> It appears that Netflix's advisory (as of this writing) does not
> include a timeline of events. Would FreeBSD be able to provide its
> event timeline with regards to CVE-2019-5599?

I am not commenting on other details of this thread, and I am talking here
for myself, not for the FreeBSD project.

This is "backwards" thinking. It is the responsibility of clone projects to
follow all details of the master project, not the responsibility of FreeBSD
to notify any of the clones, whom the FreeBSD project didn't request to
clone FreeBSD in the first place.

Just my $0.02

Valeri

> Were any FreeBSD derivatives given advanced notice? If so, which ones?
>
> Thanks for your time, resources, and continued correspondence.
>
> Thanks again,
>

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++