Sébastien,
The impact is indeed very significant! And you are right, we took Round 18 results from before the patch. That was mostly coincidental, but it was also convenient since we were not prepared to offer analysis into the impact of the CVE patch for the "
TCP SACK PANIC" vulnerability.
I agree that it would be great for this to be written-up as a blog post, and especially interesting if multiple framework maintainers collaborated on writing up thoughts and findings. Who else in the community is interested in participating? Is there anything we (TechEmpower) can provide to the community to help beyond just providing the data?
I wonder how this CVE patch plays in a virtualized environment. Would a comparison test in Azure be possible? Could we set up two otherwise-identical environments that vary only by the presence of the TCP SACK PANIC patches? It may be nice to be able to iterate on a small suite of test implementations in such a side-by-side configuration.