From owner-freebsd-security@freebsd.org Tue Jun 18 21:34:35 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2FFD115C9498; Tue, 18 Jun 2019 21:34:35 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-io1-xd42.google.com (mail-io1-xd42.google.com [IPv6:2607:f8b0:4864:20::d42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F04DD8F014; Tue, 18 Jun 2019 21:34:33 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-io1-xd42.google.com with SMTP id e5so33397490iok.4; Tue, 18 Jun 2019 14:34:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=rqxBbzNIi8oXMvlT+yCrGcttlT1MewHhJcWKBIpIQK0=; b=P9EcMoqOE8ECeLmLt/XEOAxGK7TqAPKfskUjPsSg+GHImuL48MSKhIM/AknwqNqSK0 LKmFHd+BlEcPgLfKWEHbqomN84vefvq3KQSt5tQM6X7Aezy8u+ISCpOkn6C0+cMTowSo ojuqG/RiX5+rrwjmN+LwKVoTJlWBUKqGeYEH8stAPQNv6z2VyTWv/lWhhOvTGuQQlxtu VRJkf3SzaChmNKwe+oxIRFu/8Q2aWATGIKAxJFfQAMYgdUfR6o71Har8LTMDYD5ljv+F gOWQbajsVC2c4v6rxQCzY7NZti+2os6D9866aqKtbxlU+C/sJobw//tds+aLbHYYM7RT 2thQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=rqxBbzNIi8oXMvlT+yCrGcttlT1MewHhJcWKBIpIQK0=; b=YpNt355YQyUBScj6Jg9Jqgms5mGqaClm59YWLtABCIh9MSnW93NLCVtZKLagn5qJ/V 0C7DCGj1NmS9oCEPCsxUSx1whx0q8wlJQskfLYOAsVX9k0Q3dS8o+2UQWG8jrE5AqHdU aHR5ZJFjKLkwS+sjI9/PxDiAqmcV1pPoNlaV261b/NA7FMKdqIPAAuh9z0PAzc/sLuYv xf+SSR9iJJhyEZGqo0DMQTLpMuxgGjY2qaqV6m2gE4IOUyveaYoXFv0Hq8rgft/kPct/ bkGuAp8cIS3djzeUBDsny0J+y4gjMwOmD/IzcPv9UyyLZcNXJPRtBaS6w239pOFdSlY3 b8gw== X-Gm-Message-State: APjAAAUAzYvBabT1i7wi9+/eXesMXX2+vEFc0Z3+cbcQ+XtES9m3YjOg +6IZHbOnl0Jpzg++2Itl0+0UBdWdCtYxVdAgpmAX9qY/ X-Google-Smtp-Source: APXvYqxzXBJN3g5w2zgktjEXEfj7zojqNqcbT3dEkK9rReDa5INhW8axUvHCqV3SPiw7Or5o5ovaRj17qV/GKUnoE+A= X-Received: by 2002:a02:7121:: with SMTP id n33mr7299908jac.19.1560893673080; Tue, 18 Jun 2019 14:34:33 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a02:212a:0:0:0:0:0 with HTTP; Tue, 18 Jun 2019 14:34:32 -0700 (PDT) From: grarpamp Date: Tue, 18 Jun 2019 17:34:32 -0400 Message-ID: Subject: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack) To: freebsd-security@freebsd.org Cc: freebsd-questions@freebsd.org, security-report@netflix.com Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: F04DD8F014 X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=P9EcMoqO; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::d42 as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-4.68 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[2.4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; IP_SCORE(-0.78)[ip: (1.62), ipnet: 2607:f8b0::/32(-3.16), asn: 15169(-2.32), country: US(-0.06)]; NEURAL_HAM_SHORT(-0.89)[-0.888,0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_TLS_LAST(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0] X-Mailman-Approved-At: Tue, 18 Jun 2019 21:46:45 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jun 2019 21:34:35 -0000 https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599 NFLX-2019-001 Date Entry Created: 20190107 Preallocated to nothing? Or witheld under irresponsible disclosure thus keeping users vulnerable to leaks, parallel discovery, and exploit for at least five months more than necessary, and unaware thus unable to consider potential local mitigations? Older references... https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=freebsd https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=freebsd&search_type=all