Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
On Wed, Jan 19, 2005 at 06:52:17AM -0500, David Mandelberg wrote:
> I'm just suggesting that it should be harder for them to shoot
> themselves in the foot i.e. by making .desktop's have the x bit before
> they can be launched.

I strongly agree. No, I STRONGLY agree!

If they are to be marked executable, those .desktop files should have a #! so that they aren't fed to the shell. Unfortunately it would be a bit difficult to apply that change retrospectively, however an upgrade script could take care of it.

It's no good saying "the stupid user shouldn't click on the file". It is very easy even for an experienced user to do something like this by mistake. We want to make Debian's desktop safe for inexperienced people (and children) to use.

I think the X bit is unix's single most important security feature. No program should ever be executed without it! (jailed scripts excepted)

I should be able to download anything off the web and double click on it without any possibility that it will run some arbitrary script. If it is supposed to be an executable program, I should have to chmod +x it before it will run. A gui could provide a more user-friendly way to do this - possibly a pop-up when you click such a file that warns about viruses, asks if you want to mark the program executable, and if yes, tells you to double-click again to run it.

We should also make sure that executables within archives cannot easily be activated through a VFS, but only after unpacking the archive. It would be better if the GUI archiver programs did not set the X bit for unpacked files by default.

This reminds me of the time a few years ago, when someone put a mailcap entry for .exe files to launch wine in Debian. I noticed this when I accidentally pressed enter at the wrong time in mutt, and it started to run an .exe. That was very very bogus. Now someone has added a wrapper that asks you if you want to run the .exe.

We must not allow Windoze's document / program dyslexia to infect Unix!!
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
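The check this thread keeps returning to (a launcher that runs without the x bit and whose name imitates a document) can be audited on a download or desktop directory. The following is an added example, not code from any poster or from GNOME/KDE; the interpreter and extension lists, the function names and the sample files are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile

# Assumed lists for this example, not taken from any desktop environment.
INTERPRETERS = {"sh", "bash", "dash", "ksh", "zsh", "perl", "python", "python3", "ruby"}
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".odt", ".html", ".jpg", ".jpeg", ".png", ".gif"}


def read_desktop_entry(path):
    """Return the key/value pairs of the [Desktop Entry] group, or {} if absent."""
    entry, in_group = {}, False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("["):
                in_group = (line == "[Desktop Entry]")
            elif in_group and "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip()
    return entry


def audit_launcher(path):
    """Return findings for one .desktop file; an empty list means nothing to report."""
    entry = read_desktop_entry(path)
    if not entry.get("Exec"):
        return []  # no Exec line, so nothing would be launched
    findings = []
    if not os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("launcher without x bit")
    # "message.txt\t\t\t.desktop": whitespace padding hides the real suffix,
    # and the visible part ends in a document extension.
    stem = os.path.basename(path)[:-len(".desktop")]
    visible = stem.rstrip()
    if visible != stem or os.path.splitext(visible)[1].lower() in DOCUMENT_EXTS:
        findings.append("name imitates another file type")
    argv0 = os.path.basename(entry["Exec"].split()[0])
    if argv0 in INTERPRETERS:
        findings.append("Exec runs an interpreter: " + entry["Exec"])
    return findings


def scan_directory(directory):
    """Map each *.desktop file name in `directory` to its list of findings."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".desktop") and os.path.isfile(path):
            report[name] = audit_launcher(path)
    return report


def make_samples(directory):
    """Write two constructed launchers: one deceptive, one ordinary."""
    deceptive = os.path.join(directory, "message.txt\t\t\t.desktop")
    with open(deceptive, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=message.txt\n"
                 'Exec=sh -c "echo constructed-sample"\n')
    os.chmod(deceptive, 0o644)
    ordinary = os.path.join(directory, "viewer.desktop")
    with open(ordinary, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=Viewer\nExec=gqview %f\n")
    os.chmod(ordinary, 0o755)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_samples(tmp)
        for name, findings in scan_directory(tmp).items():
            print(repr(name), findings or "ok")
```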
Re: [meta] Set reply-to to something else?
On Wed, 19 Jan 2005, Vassilii Khachaturov wrote:
> I hope that I am not the only one who writes to the auto-ackers and
> their postmasters that they're using stupid MUAs not honoring
> Precedence: bulk
> or
> Precedence: junk
> as well as the other list-control fields as flags to not auto-respond.

I reply and point out that Unix vacation(1) has been working correctly with lists for 20 or 30 years and ask why software written in the last 5 years for a certain other OS can't follow a few simple rules :)

Rob

-- 
Robert Brockway B.Sc. email: [EMAIL PROTECTED], [EMAIL PROTECTED]
Linux counter project ID #16440 (http://counter.li.org)
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
Re: [SECURITY] [DSA 643-1] New queue packages fix buffer overflows
Martin Schulze wrote:
> For the unstable distribution (sid) these problems have been fixed in
> version 1.30.1-5.

A day later and unstable still has 1.30.1-4.2 and I see no 1.30.1-5 in incoming. Did the upload go missing?

-- 
see shy jo
Re: .desktop arbitrary program execution
Rick Moen wrote:
> Quoting David Mandelberg ([EMAIL PROTECTED]):
>
>> You also asked a question about something I didn't say (I said that
>> the person had to open it).
>
> Actually, no, you didn't. (Presumably you intended to, though.)
>
> Your question spoke of "opening" a particularly-named attachment: You
> left unstated who or what was supposed to be doing the opening. Since
> this was in the context of MUAs, I inferred that you meant the MUA doing
> it -- that being a standard application-security problem.
>
> Specifically, you said:
>
>> Do you mean to say that opening "message.txt\t\t\t.desktop" which
>> happens to be a freedesktop.org compliant launcher for the program "rm
>> -rf $HOME" is safe because it's designed for people running one of the
>> F/OSS products GNOME or KDE on a F/OSS OS?
>
> Since (it turns out) you meant people _manually_ shooting themselves in
> the foot, that is indeed a different scenario from what I thought you
> meant.
>
> So, I'm sorry for inadvertently stepping on your scenario, but it was an
> honest and straightforward interpretation of what you said.

Ok, I guess I should be more clear with my use of language next time, sorry.

-- 
David Mandelberg
[EMAIL PROTECTED]
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
Incoming from Florian Weimer:
> * s. keeling:
>
> > People who don't use stupid Windows email clients have no trouble with
> > attachments at all. Attachments are a very useful tool; for instance,
> > for code listings, they arrive unmangled by line wrap.
> >
> > Get a better email client, running on a better OS.
>
> You mean the OS whose users invented shell archives and unshar?

Yes, the one that was smart enough to learn from mistakes like that. The one he's using still thinks that kind of behaviour is a feature.

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
Please don't Cc: me.
Re: .desktop arbitrary program execution
Quoting David Mandelberg ([EMAIL PROTECTED]):

> You also asked a question about something I didn't say (I said that
> the person had to open it).

Actually, no, you didn't. (Presumably you intended to, though.)

Your question spoke of "opening" a particularly-named attachment: You left unstated who or what was supposed to be doing the opening. Since this was in the context of MUAs, I inferred that you meant the MUA doing it -- that being a standard application-security problem.

Specifically, you said:

> Do you mean to say that opening "message.txt\t\t\t.desktop" which
> happens to be a freedesktop.org compliant launcher for the program "rm
> -rf $HOME" is safe because it's designed for people running one of the
> F/OSS products GNOME or KDE on a F/OSS OS?

Since (it turns out) you meant people _manually_ shooting themselves in the foot, that is indeed a different scenario from what I thought you meant.

So, I'm sorry for inadvertently stepping on your scenario, but it was an honest and straightforward interpretation of what you said.
Re: .desktop arbitrary program execution
Quoting Florian Weimer ([EMAIL PROTECTED]):

> mutt and Gnus are, in typical configurations. Most distributions
> kindly add all these helpful mailcap entries.

Perhaps you need assistance comprehending the word "specific" (used twice in my question)? I await with interest your achieving that rarefied state.
Re: .desktop arbitrary program execution
On Wed, Jan 19, 2005 at 04:29:46PM +0100, Florian Weimer wrote:
> For complex file formats, there is no clear distinction between
> "opening" a file and "executing" it.

Sure there is. For some filetypes execution is an intended effect; that is, you expect arbitrary code to run. For other filetypes there's an unexpected side effect that allows arbitrary code to run. In the second case there's a bug that can be fixed. In the first case you just don't execute the file if it's from an untrusted source.

Mike Stone
Re: .desktop arbitrary program execution
* Florent Rougon:

> Florian Weimer <[EMAIL PROTECTED]> wrote:
>
>> mutt and Gnus are, in typical configurations. Most distributions
>> kindly add all these helpful mailcap entries.
>
> Could you point out a mailcap entry that causes the file to be
> *executed*?

For complex file formats, there is no clear distinction between "opening" a file and "executing" it.
Re: .desktop arbitrary program execution
Florian Weimer <[EMAIL PROTECTED]> wrote:

> mutt and Gnus are, in typical configurations. Most distributions
> kindly add all these helpful mailcap entries.

Could you point out a mailcap entry that causes the file to be *executed*?

Because running "gqview $file.jpg" is very different from running "$file.jpg" and you would do it (with the viewer of your choice) just the same but by hand, with "less helpful" MUAs.

Just curious.

-- 
Florent
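The distinction drawn above between running a viewer on the attachment and running the attachment can be checked mechanically against a mailcap file. This is an added example, not code from the thread or from mutt/Gnus: it parses mailcap entries (RFC 1524 syntax) and classifies each view command; the sample entries, the interpreter list and the verdict names are constructed assumptions.

```python
import os
import shlex

SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}
INTERPRETERS = SHELLS | {"perl", "python", "python3", "ruby", "wine"}

# Constructed sample, not copied from any distribution's /etc/mailcap.
SAMPLE_MAILCAP = r"""
# viewers: the attachment is data handed to a fixed program
image/jpeg; gqview '%s'; test=test -n "$DISPLAY"
text/html; lynx -dump %s; copiousoutput
image/png; sh -c 'gqview %s'
# the attachment is code for an interpreter or loader
application/x-msdos-program; wine %s
application/x-sh; sh \
    %s; needsterminal
# the attachment itself is the program
application/x-executable; %s
"""


def logical_lines(text):
    """Yield entries with backslash-newline continuations joined, comments dropped."""
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not pending and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def split_fields(entry):
    """Split a mailcap entry on ';' while leaving the escaped form '\\;' intact."""
    fields, current, i = [], [], 0
    while i < len(entry):
        ch = entry[i]
        if ch == "\\" and i + 1 < len(entry):
            current.append(entry[i:i + 2])
            i += 2
            continue
        if ch == ";":
            fields.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current).strip())
    return fields


def classify(command):
    """Say what the view command does with the attachment path (%s)."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return "unparsed"
    if not argv:
        return "unparsed"
    if argv[0] == "%s":
        return "executes-attachment"      # the file itself is argv[0]
    prog = os.path.basename(argv[0])
    if prog in SHELLS and len(argv) >= 3 and argv[1] == "-c":
        return classify(argv[2])          # judge the command the shell will run
    if prog in INTERPRETERS:
        return "interprets-attachment"    # file content is treated as code
    return "viewer"


def audit_mailcap(text):
    """Return (mime type, view command, verdict) for every entry in `text`."""
    results = []
    for entry in logical_lines(text):
        fields = split_fields(entry)
        if len(fields) >= 2:
            results.append((fields[0].lower(), fields[1], classify(fields[1])))
    return results


if __name__ == "__main__":
    for mime, command, verdict in audit_mailcap(SAMPLE_MAILCAP):
        print(f"{verdict:22} {mime:30} {command}")
```

Only the view command (second field) is classified; `test=` commands and other optional fields are ignored here.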
Re: [SECURITY] [DSA 636-1] New libc6 packages fix insecure temporary files
Don Hayward at pomobuli.net

On Wed, 12 Jan 2005, Martin Schulze wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 636-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 12th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : glibc
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0968
BugTraq ID     : 11286
Debian Bug     : 279680 278278 205600

Several insecure uses of temporary files have been discovered in support scripts in the libc6 package which provides the c library for a GNU/Linux system. Trustix developers found that the catchsegv script uses temporary files insecurely. Openwall developers discovered insecure temporary files in the glibcbug script. These scripts are vulnerable to a symlink attack.

For the stable distribution (woody) these problems have been fixed in version 2.2.5-11.8.

For the unstable distribution (sid) these problems have been fixed in version 2.3.2.ds1-20.

We recommend that you upgrade your libc6 package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Re: .desktop arbitrary program execution
On Wed, Jan 19, 2005 at 12:49:57PM +0100, Florian Weimer wrote:
> * Rick Moen:
>
> > Please advise this mailing list of which specific Linux or BSD MUA (or
> > specific configuration thereof) is willing to execute a received
> > binary or script attachment.
>
> mutt and Gnus are, in typical configurations. Most distributions
> kindly add all these helpful mailcap entries.

My mailcap file (made by Debian installation) doesn't have any of these capabilities. Cannot verify for other distributions but that's a Debian list here anyway ...

-- 
Vincent Hanquez
unsubscribe
On Tue, Jan 18, 2005 at 10:41:00AM +0100, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 644-1                     [EMAIL PROTECTED]
> http://www.debian.org/security/                             Martin Schulze
> January 18th, 2005                      http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package        : chbg
> Vulnerability  : buffer overflow
> Problem-Type   : local
> Debian-specific: no
> CVE ID         : CAN-2004-1264
> Debian Bug     : 285904
>
> Danny Lungstrom discovered a vulnerability in chbg, a tool to change
> background pictures. A maliciously crafted configuration/scenario
> file could overflow a buffer and lead to the execution of arbitrary
> code on the victim's machine.
>
> For the stable distribution (woody) this problem has been fixed in
> version 1.5-1woody1.
>
> For the unstable distribution (sid) this problem has been fixed in
> version 1.5-4.
>
> We recommend that you upgrade your chbg package.
>
>
> Upgrade Instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.0 alias woody
> - --------------------------------
>
>   HP Precision architecture:
>
>     Cannot be updated due to compiler error.
>
>   These files will probably be moved into the stable distribution on
>   its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show ' and http://packages.debian.org/
Re: .desktop arbitrary program execution
* Rick Moen:

> Please advise this mailing list of which specific Linux or BSD MUA (or
> specific configuration thereof) is willing to execute a received
> binary or script attachment.

mutt and Gnus are, in typical configurations. Most distributions kindly add all these helpful mailcap entries.
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
* s. keeling:

> People who don't use stupid Windows email clients have no trouble with
> attachments at all. Attachments are a very useful tool; for instance,
> for code listings, they arrive unmangled by line wrap.
>
> Get a better email client, running on a better OS.

You mean the OS whose users invented shell archives and unshar?
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
s. keeling wrote:
> No, I assume people have half a brain in their heads, look at the
> attachment type, maybe save it to a file and inspect it, then maybe
> look at it or delete it. Too much work?

Whether it's too much work or not, most non-geeks I know don't bother.

> Okay, slap a lot of autoload
> crap in your .mailcap and watch your system disappear. You don't
> _have_ to look at an attachment if you don't trust it.

I know, but if it looks like a text document to a newbie, they probably would open it anyway. I'm just suggesting that it should be harder for them to shoot themselves in the foot i.e. by making .desktop's have the x bit before they can be launched.

-- 
David Mandelberg
[EMAIL PROTECTED]
Re: .desktop arbitrary program execution
Rick Moen wrote:
> Quoting David Mandelberg ([EMAIL PROTECTED]):
>
>> Attached.
>>
>> Save to your GNOME/KDE desktop (like many newbies do) and double click
>> the new icon. .desktop files (currently) don't need the x bit set to
>> work, so no chmod'ing is necessary.
>
> I'm sorry, but the question was:
>
>   Please advise this mailing list of which specific Linux or BSD MUA (or
>   specific configuration thereof) is willing to execute a received
>   binary or script attachment. I'll be very interested to read your specific
>   report that details an actual, reproducible test.
>
> You appear to have answered some question I didn't ask.

You also asked a question about something I didn't say (I said that the person had to open it).

-- 
David Mandelberg
[EMAIL PROTECTED]
Re: [meta] Set reply-to to something else?
On Wednesday 19 January 2005 10.15, Adam Lydick wrote:
> Better to bounce or moderate entries from non-subscribers, IMOHO. That
> would cut down on the spam quite a lot better than probabilistic filters
> as well.

Problem: moderating needs manpower.

Problem: closing the list to non-subscribers would IMNSHO hurt Debian a lot - especially this list. (As discussed to death every other month, so let's not discuss that here.)

Changing the Reply-To header of d-s-a is a cheap solution to avoid ticketing system autoacks, and IMHO doesn't impose any big cost on regular use of the lists. Obviously this is only my €0.02.

Filtering for typical ticketing system headers and Subject prefixes would be another possibility, but I'd think there are too many different systems out there that this would ever be effective.

cheers
-- vbi

-- 
Beware of the FUD - know your enemies. This week
* Patent Law, and how it is currently abused. *
http://fortytwo.ch/opinion
Re: [meta] Set reply-to to something else?
On Tue, 2005-01-18 at 12:40 +0100, Adrian von Bidder wrote:
> Hi,
>
> With web-board passwords and two or three auto-acks being posted to this
> list every week: could we think about setting the Reply-To of

I hope that I am not the only one who writes to the auto-ackers and their postmasters that they're using stupid MUAs not honoring
    Precedence: bulk
or
    Precedence: junk
as well as the other list-control fields as flags to not auto-respond.

V.
Re: [meta] Set reply-to to something else?
Better to bounce or moderate entries from non-subscribers, IMOHO. That would cut down on the spam quite a lot better than probabilistic filters as well.

There are probably reasons why this hasn't been done, although most non-debian mailing lists seem to take this approach (and see none of the noise).

Allowing spam through has the nasty side effect of harming link-weighted web search -- once messages hit the archives all of the backlinks add to the ranking of the target (evil) pages.

- Adam

On Tue, 2005-01-18 at 12:40 +0100, Adrian von Bidder wrote:
> Hi,
>
> With web-board passwords and two or three auto-acks being posted to this
> list every week: could we think about setting the Reply-To of
> debian-security-announce to something else? Perhaps something in ALL CAPS
> that is not an email address, like
>
> Reply-To: EDIT HERE - REPLY TO
>
> cheers
> -- vbi
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
Quoting s. keeling ([EMAIL PROTECTED]):

> The problem here is the nitwit factor.

Yes, well, a bunch of us have been keeping an eye on Linux MUAs and default mailcap behaviour for 10+ years, to make sure zeal for simplicity doesn't lead coders or distro assemblers to do something dumb. Thus my question of the other poster. I wasn't going to hold my breath waiting for a qualifying, valid response of the "Why certainly; please have a look at this" variety, but much can happen in a wide universe.

At that point, appropriate cluebats get deployed, etc.

> I say again to the original poster, get a better MUA, running on a
> better OS.

Quite.

-- 
Cheers,              Hardware: The part you kick.
Rick Moen            Software: The part you boot.
[EMAIL PROTECTED]