Message-ID: <c00f22d2-6566-8911-b56b-142f6fe42b8c@metztli.com>
Date:   Mon, 25 Oct 2021 11:08:16 -0700
From:   Metztli Information Technology <jose.r.r@...ztli.com>
To:     Slade Watkins <slade@...dewatkins.com>,
        Benjamin Poirier <benjamin.poirier@...il.com>
Cc:     Vladimir Oltean <olteanv@...il.com>,
        Lijun Pan <lijunp213@...il.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Networking <netdev@...r.kernel.org>,
        Alan Coopersmith <alan.coopersmith@...cle.com>
Subject: Re: Unsubscription Incident


On 10/25/21 10:04 AM, Slade Watkins wrote:
> On Mon, Oct 25, 2021 at 12:43 AM Benjamin Poirier
> <benjamin.poirier@...il.com> wrote:
>> On 2021-10-22 18:54 +0300, Vladimir Oltean wrote:
>>> On Fri, 22 Oct 2021 at 18:53, Lijun Pan <lijunp213@...il.com> wrote:
>>>> Hi,
>>>>
>>>>  From Oct 11, I did not receive any emails from both linux-kernel and
>>>> netdev mailing list. Did anyone encounter the same issue? I subscribed
>>>> again and I can receive incoming emails now. However, I figured out
>>>> that anyone can unsubscribe your email without authentication. Maybe
>>>> it is just a one-time issue that someone accidentally unsubscribed my
>>>> email. But I would recommend that our admin can add one more
>>>> authentication step before unsubscription to make the process more
>>>> secure.
>>>>
>>>> Thanks,
>>>> Lijun
>>> Yes, the exact same thing happened to me. I got unsubscribed from all
>>> vger mailing lists.
>> It happened to a bunch of people on gmail:
>> https://lore.kernel.org/netdev/1fd8d0ac-ba8a-4836-59ab-0ed3b0321775@mojatatu.com/t/#u
> I can at least confirm that this didn't happen to me on my hosted
> Gmail through Google Workspace. Could be wrong, but it seems isolated
> to normal @gmail.com accounts.
>
> Best,
>               -slade

Niltze [Hello], all-

Could it have something to do with the following?

---------- Forwarded message ---------

From: Alan Coopersmith <alan.coopersmith@...cle.com>
Date: Thu, Oct 21, 2021 at 12:06 PM
Subject: [oss-security] Mailman 2.1.35 security release
To: <oss-security@...ts.openwall.com>


Quoting from Mark Sapiro's emails at:
https://mail.python.org/archives/list/mailman-announce@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/

 > A couple of vulnerabilities have recently been reported. Thanks to Andre
 > Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and
 > helping with the development of a fix.
 >
 > CVE-2021-42096 could allow a list member to discover the list admin
 > password.
 >
 > CVE-2021-42097 could allow a list member to create a successful CSRF
 > attack against another list member enabling takeover of the members
 > account.
 >
 > These attacks can't be carried out by non-members so may not be of
 > concern for sites with only trusted list members.


 > I am pleased to announce the release of Mailman 2.1.35.
 >
 > This is a security and minor bug fix release. See the attached
 > README.txt for details. For those who just want a patch for the security
 > issues, see
 > https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873.
 > The patch is also attached to the bug reports at
 > https://bugs.launchpad.net/mailman/+bug/1947639 and
 > https://bugs.launchpad.net/mailman/+bug/1947640. The patch is the same
 > on both and fixes both issues.
 >
 > As noted Mailman 2.1.30 was the last feature release of the Mailman 2.1
 > branch from the GNU Mailman project. There has been some discussion as
 > to what this means. It means there will be no more releases from the GNU
 > Mailman project containing any new features. There may be future patch
 > releases to address the following:
 >
 > i18n updates.
 > security issues.
 > bugs affecting operation for which no satisfactory workaround exists.
 >
 > Mailman 2.1.35 is the fifth such patch release.
 >
 > Mailman is free software for managing email mailing lists and
 > e-newsletters. Mailman is used for all the python.org and
 > SourceForge.net mailing lists, as well as at hundreds of other sites.
 >
 > For more information, please see our web site at one of:
 >
 > http://www.list.org
 > https://www.gnu.org/software/mailman
 > http://mailman.sourceforge.net/
 >
 > Mailman 2.1.35 can be downloaded from
 >
 > https://launchpad.net/mailman/2.1/
 > https://ftp.gnu.org/gnu/mailman/
 > https://sourceforge.net/projects/mailman/

 > --
 >        -Alan Coopersmith- alan.coopersmith@...cle.com
 >         Oracle Solaris Engineering - https://blogs.oracle.com/alanc


Best Professional Regards.

-- 
Jose R R
http://metztli.it
---------------------------------------------------------------------------------------------
Download Metztli Reiser4: Debian Bullseye w/ Linux 5.13.14 AMD64
---------------------------------------------------------------------------------------------
feats ZSTD compression https://sf.net/projects/metztli-reiser4/
---------------------------------------------------------------------------------------------
or SFRN 5.1.3, Metztli Reiser5 https://sf.net/projects/debian-reiser4/
-------------------------------------------------------------------------------------------
Official current Reiser4 resources: https://reiser4.wiki.kernel.org/
