From owner-freebsd-questions@freebsd.org Fri Jul 5 13:40:05 2019 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0D03F15CAFDE for ; Fri, 5 Jul 2019 13:40:05 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DF1C96FE5A for ; Fri, 5 Jul 2019 13:40:03 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-qk1-x72a.google.com with SMTP id d79so3602294qke.11 for ; Fri, 05 Jul 2019 06:40:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=n57ItuspKavykNHI2zSNhC7AsDqJ1lNtuUspNySBywQ=; b=GLwIwarlhnwBNDB1GICXP8ZSWEyN0XBpq/Kt/vxZCAaqdjPtP9bd3aP5jvRzmgMKYj TWO8GLn/DF8TiBA5BYvFvtMxCgv6FPz0l/MX5/ITgHTlkBJ1w27PMx+M/fKSiVLfIsLE XAVrXtIl+fHzEfeops426TisDzrHEEfytW1zZ6dkqb+4p+fdCpZ711yLgKj0qY/KVuyr my0+He2hCQa7x0agXJdkt4SDc/ccMA1xgDjvX/E+acXIb6BSMx4jMg4laNP8SRrueth9 wgFBV1hxDynN2lPNu0xma8DotB508pmddcFEaa5g3DhAIWATpEjX3AgHQ5HuLaGuyd1S SR9w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=n57ItuspKavykNHI2zSNhC7AsDqJ1lNtuUspNySBywQ=; b=Z/+3IcwFv/q8BP9TZ90egyJ17bKLtNDxsMRlb+DOhbV+TP8XSPrEtkdtLZDZpYMlE8 oM0XaYlE+yFdDTf11R+hGg0V67c9OFTfOo1nV1pvxWsG2AhY8rNcjpOqTo7o5ZStTiAV BQrM8UKmGuuOHB7ve2DVTqgyy7+lIrd7TY8QU6Ff4lLvicMpjO9HbBPWVNwXUS7hQ5Xw D6KrBFlIb7ia8q4PyqL0tkFAkGpEq+WvU1mKPEKlgvw2elC9DSIidmLzrdjiMH3T8lEg qKjpabLAXJfjM1v2mG1GQreZMTaB/AlD6RRjgxgFUxFnWAVZ4lOh1+3rsDHSC3DYmNdO yqsA== X-Gm-Message-State: APjAAAVE1PlJaJCik2+umgwFLVdrt4vku+TfLS2gr6BwNI4Kwzsc4Gmh gSNq/hwIHV8KIQo7Lv4zwZRN0mV3iEajAw== X-Google-Smtp-Source: APXvYqwQpcn8qMYDXgihemwCLzJS6/GLBfFxuqIe0udLABOfoHqgGbFD2d65WK7jPdHxvLkrD2nGsA== X-Received: by 2002:a05:620a:5a4:: with SMTP id q4mr3255312qkq.64.1562334003128; Fri, 05 Jul 2019 06:40:03 -0700 (PDT) Received: from mutt-hbsd ([151.196.118.239]) by smtp.gmail.com with ESMTPSA id c192sm3708649qkg.33.2019.07.05.06.40.01 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Fri, 05 Jul 2019 06:40:02 -0700 (PDT) Date: Fri, 5 Jul 2019 09:40:01 -0400 From: Shawn Webb To: Gordon Tetlow Cc: grarpamp , freebsd-security@freebsd.org, freebsd-questions@freebsd.org Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack) Message-ID: <20190705134001.bba2y4dxqirs6xe6@mutt-hbsd> References: <20190618235535.GY32970@gmail.com> <20190619000655.2gde4u5i5ter5exu@mutt-hbsd> <20190703171812.GM32970@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="tuidbrfgys2o5z5i" Content-Disposition: inline In-Reply-To: <20190703171812.GM32970@gmail.com> X-Operating-System: FreeBSD mutt-hbsd 13.0-CURRENT-HBSD FreeBSD 13.0-CURRENT-HBSD X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0xFF2E67A277F8E1FA User-Agent: NeoMutt/20180716 X-Rspamd-Queue-Id: DF1C96FE5A X-Spamd-Bar: -------- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=hardenedbsd.org header.s=google header.b=GLwIwarl; spf=pass (mx1.freebsd.org: domain of shawn.webb@hardenedbsd.org designates 2607:f8b0:4864:20::72a as permitted sender) smtp.mailfrom=shawn.webb@hardenedbsd.org X-Spamd-Result: default: False [-8.11 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[hardenedbsd.org:+]; MX_GOOD(-0.01)[cached: alt1.aspmx.l.google.com]; NEURAL_HAM_SHORT(-0.99)[-0.988,0]; SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-3.01)[ip: (-9.43), ipnet: 2607:f8b0::/32(-3.16), asn: 15169(-2.39), country: US(-0.06)]; MIME_TRACE(0.00)[0:+,1:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_TLS_LAST(0.00)[]; RECEIVED_SPAMHAUS_PBL(0.00)[239.118.196.151.zen.spamhaus.org : 127.0.0.10]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[hardenedbsd.org:s=google]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; DMARC_NA(0.00)[hardenedbsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[a.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; MID_RHS_NOT_FQDN(0.50)[]; FREEMAIL_CC(0.00)[gmail.com] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jul 2019 13:40:05 -0000 --tuidbrfgys2o5z5i Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote: > Sorry for the late response, only so many hours in the day. Completely understood. Thanks for taking the time to respond! >=20 > On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote: > > It appears that Netflix's advisory (as of this writing) does not > > include a timeline of events. Would FreeBSD be able to provide its > > event timeline with regards to CVE-2019-5599? >=20 > I don't generally document a timeline of events from our side. This > particular disclosure was a bit unusual as it wasn't external but > instead was an internal FreeBSD developer the security team often works > with. As such, our process was a bit out of sync with normal (as much as > we have a normal with our current processes). All of that said, we got > notice in early June, about 10 days before public disclosure. Perhaps this might be a good time to start keeping records for future vulnerability reports, regardless of source of disclosure. Does FreeBSD publish its vulnerability response process documentation? If not, would FreeBSD be open to such transparency? >=20 > > Were any FreeBSD derivatives given advanced notice? If so, which ones? >=20 > They were not. I would like to get to a point where we feel we could > give some sort of heads up for downstream, but we aren't there yet. Sounds good. Let me know how I can help. I'm at your service. Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2 --tuidbrfgys2o5z5i Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAl0fUysACgkQ/y5nonf4 4fqdtw//QSywCw8aWbQBTlMD4f3xQ9YuTMCmx7hYmR60UEI70NcOKuu/2zEZW6Id 4jAX4TErpHnGQ3Fe1e8dquZHE53KLz4mbE1LF2NwWmbWdcyTi7siaXKSYxDALQo4 1cH4A523oxOlbwTCfWmvwoEQMSxZ0riWIyXzubVW1joOUel8OE11ev1g9DtLj8J8 2TWJIN1dnqlbmRIH7bq5UFqDAo2awhIYd3tq9TVqTLpfiq5AjCy7GRrhEo+l7unO lIl5CeZP+47yUZlBUsegMKiA59JoMACZBBVHV4fhv4Yc790pN1RSc5l2ja34dwEC 4BSRkH5ZDN+tkP1NChNaiMNLw8Xqa4fcOIJy4TiZlFbGzwZKx65u3fKwVinBIq4T kn2o368ALXGPFCOJCvjYlKRgjV0msEZ81aKMLyNRycaSJN7cK+BqOsagASnjiJ3w EtRxnjslXGSkwxrvde95CTpsTvdtdXaH62gZrhWgjwD0tfOyHR6pAkEmFXvX+tao qIey3nH4fPF/BvIsbIYMlBNOyyZ6liuTN/pANmGkIg8CjJcKBAbLbpfWqz2+sqa9 GDKPBrLEyf7pi4EbJfB+saU89kbz3nBWS8tseOWRBxKXwtVWoDmeY+fDJHVAUpXs nYPt+sPskLQ0bbuIWj1sZsTBHUVqrPIrYMZgmf3YWCV36R+L9a0= =8P8a -----END PGP SIGNATURE----- --tuidbrfgys2o5z5i--