From: grarpamp
Date: Tue, 18 Jun 2019 21:16:52 -0400
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org, security-report@netflix.com
In-Reply-To: <20190618235535.GY32970@gmail.com>

On 6/18/19, Gordon Tetlow wrote:
> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
>> NFLX-2019-001
>>
>> Date Entry Created: 20190107
>> Preallocated to nothing?
>> Or withheld...?

> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
> when to assign and disclose them. The 2019-01-07 date is when MITRE
> allocated a block of CVEs to FreeBSD, not when they are assigned to an
> issue. We generally get a block in the beginning of each year.

So preallocated to nothing, ok very well, no problem,
priors amended herein as such, thx.

As it is not in the current .md, when was the issue
discovered by Netflix / Looney?

> discussion around disclosure policies

In today's world of parallel discovery, leaks, sec org infiltration
by adversary, surveillance, no crypto, rapid automated exploit, etc...
to wait for patch, polish, and press release advert, to not disclose,
afford users local action up to immediate offlining for safety and wait,
to draw upon entire community pool that has time*ability to fix...
is thought by many [users] as irresponsible to users.

There is no tone.

And of course this one isn't currently a remote or local root.
But what if it was...

For those interested or new, there's lots of historical discussion
with and without tone that can be found on any seclist, yet is
no universal..

Having just noted these...

https://www.freebsd.org/security/
https://www.freebsd.org/security/charter.html
https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/security/

The charter last marked current 2002... is there any actual
and posted mandatory timeliness disclosure trigger component?
One that gets overall reviewed for user input say every N-years?
Perhaps something more security focused than the general...

https://www.research.net/r/freebsd2019

Hack happily :)

Netflix dedication to FreeBSD much appreciated by many too.