In-Reply-To: <20190618235535.GY32970@gmail.com>
References: <CAD2Ti29xZ2Qty8fqgjf_OLvvjODOGyLtWSCzo6xgFB51e-T0ig@mail.gmail.com>
 <20190618235535.GY32970@gmail.com>
From: grarpamp <grarpamp@gmail.com>
Date: Tue, 18 Jun 2019 21:16:52 -0400
Message-ID: <CAD2Ti29PiuPy1DYZFPmAfiVXUFPG9WAa85+LeS5N5bE9UzbeQQ@mail.gmail.com>
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org, security-report@netflix.com
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>

On 6/18/19, Gordon Tetlow <gordon@tetlows.org> wrote:
> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
>> NFLX-2019-001
>>
>> Date Entry Created: 20190107
>> Preallocated to nothing?
>> Or withheld...?

> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
> when to assign and disclose them. The 2019-01-07 date is when MITRE
> allocated a block of CVEs to FreeBSD, not when they are assigned to an
> issue. We generally get a block in the beginning of each year.

So preallocated to nothing, ok very well, no problem,
priors amended herein as such, thx.

As it is not in the current .md, when was the issue
discovered by Netflix / Looney?

> discussion around disclosure policies

In today's world of parallel discovery, leaks, sec org infiltration by
adversary, surveillance, no crypto, rapid automated exploit, etc...
to wait for patch, polish, and press release advert, to not disclose,
afford users local action up to immediate offlining for safety and wait,
to draw upon entire community pool that has time*ability to fix... is
thought by many [users] as irresponsible to users. There is no tone. And
of course this one isn't currently a remote or local root. But what if it was...
For those interested or new, there's lots of historical discussion with
and without tone that can be found on any seclist, yet is no universal..

Having just noted these...

https://www.freebsd.org/security/
https://www.freebsd.org/security/charter.html
https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/security/

The charter last marked current 2002... is there any actual and
posted mandatory timeliness disclosure trigger component?
One that gets overall reviewed for user input say every N-years?
Perhaps something more security focused than the general...

https://www.research.net/r/freebsd2019


Hack happily :)


Netflix dedication to FreeBSD much appreciated by many too.