Date: Wed, 3 Jul 2019 10:18:12 -0700
From: Gordon Tetlow
To: Shawn Webb
Cc: grarpamp, freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Message-ID: <20190703171812.GM32970@gmail.com>
In-Reply-To: <20190619000655.2gde4u5i5ter5exu@mutt-hbsd>
Sorry for the late response, only so many hours in the day.

On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
> It appears that Netflix's advisory (as of this writing) does not
> include a timeline of events. Would FreeBSD be able to provide its
> event timeline with regards to CVE-2019-5599?

I don't generally document a timeline of events from our side. This
particular disclosure was a bit unusual as it wasn't external but
instead was an internal FreeBSD developer the security team often works
with. As such, our process was a bit out of sync with normal (as much as
we have a normal with our current processes). All of that said, we got
notice in early June, about 10 days before public disclosure.

> Were any FreeBSD derivatives given advance notice? If so, which ones?

They were not. I would like to get to a point where we feel we could
give some sort of heads up for downstream, but we aren't there yet.

Best,
Gordon