From: grarpamp <grarpamp@gmail.com>
Date: Wed, 3 Jul 2019 22:51:09 -0400
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org
References: <20190618235535.GY32970@gmail.com>
>>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>> discussion around disclosure policies

> In today's world of parallel discovery, leaks, sec org infiltration by
> adversary, surveillance, no crypto, rapid automated exploit, etc...
> to wait for patch, polish, and press release advert, to not disclose,
> afford users local action up to immediate offlining for safety and wait,
> to draw upon entire community pool that has time*ability factor to fix... is
> thought by many [users] as irresponsible to users. There is no tone. And
> of course this one isn't currently a remote or local root. But what if it
> was...
>
> For those interested or new, there's lots of historical discussion with
> and without tone that can be found on any seclist, yet is no universal..

https://www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/
https://tech.slashdot.org/story/15/09/04/206228/bugzilla-breached-private-vulnerability-data-stolen

A recent Firefox zero-day that has made headlines across the tech news
world this week was actually used in attacks against Coinbase employees,
and not the company's users. Furthermore, the attacks used not one, but
two Firefox zero-days, according to Philip Martin, a member of the
Coinbase security team, which reported the attacks to Mozilla.

One was an RCE reported by a Google Project Zero security researcher to
Mozilla in April, and the second was a sandbox escape that was spotted in
the wild by the Coinbase team together with the RCE, on Monday.

The question here is how an attacker managed to get hold of the details
for the RCE vulnerability and use it for his attacks after the
vulnerability was privately reported to Mozilla by Google. The attacker
could have found the Firefox RCE on his own, he could have bribed a
Mozilla/Google insider, hacked a Mozilla/Google employee and viewed
details about the RCE, or hacked Mozilla's bug tracker, like another
attacker did in 2015.

> https://www.freebsd.org/security/
> https://www.freebsd.org/security/charter.html
> https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/security/
>
> The charter last marked current 2002... is there any actual and
> posted mandatory timeliness disclosure trigger component?
> One that gets overall reviewed for user input say every N-years?
> Perhaps something more security focused than the general...
>
> https://www.research.net/r/freebsd2019