From owner-freebsd-security@freebsd.org Tue Jun 18 23:55:40 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 598C515CC47A for ; Tue, 18 Jun 2019 23:55:40 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mail-yb1-xb41.google.com (mail-yb1-xb41.google.com [IPv6:2607:f8b0:4864:20::b41]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5195D6C68B for ; Tue, 18 Jun 2019 23:55:39 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: by mail-yb1-xb41.google.com with SMTP id c7so6810413ybs.9 for ; Tue, 18 Jun 2019 16:55:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tetlows.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=Ek7lRwSkyoa41qSMepvJLpdyYq1iW0/qYdyt0MlSsLI=; b=GqEzbwkKyuVQd7xSSiSusXzyXd2P0ziP6pe0mZib9H6/jdsZTDgu8/9ZIOW5aaARUE Ykn6V6kuqzvEGwlTUFHZlZCqX4C5yWuoz8uL3l0rEPcL2dCjFbq9tmy5uLtQGafnyo81 lrJ5vRtkSBxgYbRUYLxKlSSbTK5iikVsJh39Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=Ek7lRwSkyoa41qSMepvJLpdyYq1iW0/qYdyt0MlSsLI=; b=ixFa+hc88rit7ayxc05VN9dM05Rgpe4nG23MnPtoaXXFPCJx3fKzR+OzW+UBUdNY+9 wiwGkX3D89LriZa/WsA6Fo1/TPygY2+dU4l+OkHfVp0UBTxXAQbiiM5GYUH5NDWzoV8N U+PhBilG6NWWXnFS1YsCzlP4veTJGWKDiA9/tc1ZEng2hGKOeQcXRwO19dA/NfNiJh87 TaAeX6ZKdbJ3w1o28UfaP1HlEwazIBPNOEl5iftSlofqzA0cUEQPnXsVOshSkRcU/Tb4 Y5iF+uAzZyDO9Of/oIWZ8tcHN3Sk1HKTqwGDMPiIeShzIZQn6mRxlSYVRGdVSP+5/aQB dz4g== X-Gm-Message-State: APjAAAWPth/LUb29mbHxCtsw+7h8HF3DpvX8vB9KnaethsGtnFbe1y3N tJA2hYDFCMNlbkwtY/xS2AQF X-Google-Smtp-Source: APXvYqyk3gFlB5zeDY6+4AhsAu3KNeX0b60yduzEiy6u2pfxPkPiUG0LQjyPlD9eCWsQEHVCpM57xQ== X-Received: by 2002:a5b:64f:: with SMTP id o15mr51046473ybq.430.1560902138182; Tue, 18 Jun 2019 16:55:38 -0700 (PDT) Received: from gmail.com ([2607:fc50:0:7900:0:dead:beef:cafe]) by smtp.gmail.com with ESMTPSA id h129sm4178887ywe.97.2019.06.18.16.55.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Jun 2019 16:55:37 -0700 (PDT) Date: Tue, 18 Jun 2019 16:55:35 -0700 From: Gordon Tetlow To: grarpamp Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org, security-report@netflix.com Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack) Message-ID: <20190618235535.GY32970@gmail.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.12.0 (2019-05-25) X-Rspamd-Queue-Id: 5195D6C68B X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=tetlows.org header.s=google header.b=GqEzbwkK; dmarc=pass (policy=none) header.from=tetlows.org; spf=pass (mx1.freebsd.org: domain of gordon@tetlows.org designates 2607:f8b0:4864:20::b41 as permitted sender) smtp.mailfrom=gordon@tetlows.org X-Spamd-Result: default: False [-3.49 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_DKIM_ALLOW(-0.20)[tetlows.org:s=google]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_SOME(0.00)[]; MX_GOOD(-0.01)[cached: alt1.aspmx.l.google.com]; MID_RHS_MATCH_TO(1.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[tetlows.org:+]; DMARC_POLICY_ALLOW(-0.50)[tetlows.org,none]; RCVD_IN_DNSWL_NONE(0.00)[1.4.b.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; RCVD_COUNT_THREE(0.00)[3]; NEURAL_HAM_SHORT(-0.97)[-0.972,0]; FREEMAIL_TO(0.00)[gmail.com]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; IP_SCORE(-0.51)[ip: (3.01), ipnet: 2607:f8b0::/32(-3.16), asn: 15169(-2.32), country: US(-0.06)] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jun 2019 23:55:40 -0000 On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote: > https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599 > NFLX-2019-001 > > Date Entry Created: 20190107 > Preallocated to nothing? > Or witheld under irresponsible disclosure thus keeping > users vulnerable to leaks, parallel discovery, and exploit > for at least five months more than necessary, and > unaware thus unable to consider potential local mitigations? Other than the inappropriate tone, there is a reasonable question here. MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide when to assign and disclose them. The 2019-01-07 date is when MITRE allocated a block of CVEs to FreeBSD, not when they are assigned to an issue. We generally get a block in the beginning of each year. If you would like to have an actual discussion around disclosure policies, I'm happy to have one, but by your tone above, I don't think there is any reason to do so. It seems unlikely you are open to debate in a fashion that would be productive. Thanks, Gordon Hat: Security Officer