Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-11 Thread Dominique Martinet
cont...@baal.fr wrote on Mon, Jan 11, 2016:
> On 11/01/2016 00:04, David ISIDORE wrote:
> > I'm not on Debian anymore. How can I unsubscribe from mailing list?
>
> send unsubscribe to the mailing list

This is confusing and would likely lead to erroneous messages to the
actual list, so allowing myself to reply...

As per the mail headers:
List-Unsubscribe: 


You can send a mail to debian-security-requ...@lists.debian.org with
'unsubscribe' as Subject and any body.
Please note that this is not debian-security@lists.debian.org itself.

For what it's worth, RFC 2369 headers are fairly old and quite a few
clients should support these and have an option hidden somewhere
'unsubscribe to the list' that will do exactly that.


Sorry for the noise to all who don't care,
-- 
Dominique Martinet | Asmadeus,
Not that it's going to prevent more of these emails in the future, but,
hey, I tried.



Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-11 Thread Povl Ole Haarlev Olsen

On Mon, 11 Jan 2016, Dominique Martinet wrote:
> cont...@baal.fr wrote on Mon, Jan 11, 2016:
> > On 11/01/2016 00:04, David ISIDORE wrote:
> > > I'm not on Debian anymore. How can I unsubscribe from mailing list?
> >
> > send unsubscribe to the mailing list
>
> This is confusing and would likely lead to erroneous messages to the
> actual list, so allowing myself to reply...
>
> As per the mail headers:
> List-Unsubscribe: 
>
> You can send a mail to debian-security-requ...@lists.debian.org with
> 'unsubscribe' as Subject and any body.
> Please note that this is not debian-security@lists.debian.org itself.
>
> For what it's worth, RFC 2369 headers are fairly old and quite a few
> clients should support these and have an option hidden somewhere
> 'unsubscribe to the list' that will do exactly that.
>
> Sorry for the noise to all who don't care,


Allow me to add some more noise.

The original mail was sent to the debian-security-announce mailinglist, 
not this list. The unsubscribe address for that list is:


List-Unsubscribe: 


--
Povl Ole

Missing bug references for embedded-code-copies data

2016-01-11 Thread Security Tracker
https://bugs.debian.org/810123
--
The output might be a bit terse, but the above bugs are known to be
missing from the embedded-code-copies data.



Re: [SECURITY] [DSA 3441-1] perl security update

2016-01-11 Thread Edvins
Unsubscribe

On Monday, 11 January 2016, Salvatore Bonaccorso  wrote:

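> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3441-1                   secur...@debian.org
> https://www.debian.org/security/                     Salvatore Bonaccorso
> January 11, 2016                      https://www.debian.org/security/faq
> -------------------------------------------------------------------------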
>
> Package: perl
> CVE ID : CVE-2015-8607
> Debian Bug : 810719
>
> David Golden of MongoDB discovered that File::Spec::canonpath() in Perl
> returned untainted strings even if passed tainted input. This defect
> undermines taint propagation, which is sometimes used to ensure that
> unvalidated user input does not reach sensitive code.
>
> The oldstable distribution (wheezy) is not affected by this problem.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 5.20.2-3+deb8u2.
>
> For the unstable distribution (sid), this problem will be fixed soon.
>
> We recommend that you upgrade your perl packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org 
>
>
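
A check for the defect described in the quoted advisory, added here as an example (it is not part of the advisory or of any message in this thread): under taint mode it passes tainted paths through File::Spec->canonpath() and reports whether the result is still tainted. The sample paths are constructed, and the zero-length `substr($^X, 0, 0)` string is only a convenient way to taint them.

```perl
#!/usr/bin/perl
# Added example: does this Perl's File::Spec->canonpath() preserve taint?
# Taint mode must be requested on the command line:  perl -T <this file>
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

die "Taint mode is off; run with: perl -T $0\n" unless ${^TAINT};

# $^X comes from outside the program, so any substring of it is tainted.
# Appending this zero-length piece taints a value without changing it.
my $TAINT = substr($^X, 0, 0);

# Constructed sample paths standing in for unvalidated user input.
my @samples = ('/var//www/./uploads/', 'reports/./2016//jan', '/tmp/');

my $lost = 0;
for my $raw (@samples) {
    my $input = $raw . $TAINT;
    die "setup error: input is not tainted\n" unless tainted($input);

    # The call under test: the result must still be tainted, because it is
    # derived entirely from tainted input.
    my $clean = File::Spec->canonpath($input);
    my $ok    = tainted($clean);
    $lost++ unless $ok;

    printf "%-24s -> %-22s %s\n", $raw, $clean,
        $ok ? 'taint preserved' : 'TAINT LOST';
}

if ($lost) {
    print "canonpath() dropped taint on $lost of ", scalar(@samples),
        " inputs: this File::Spec is affected.\n";
    exit 1;
}
print "canonpath() preserved taint on all inputs.\n";
exit 0;
```

A non-zero exit status means canonpath() returned an untainted string for tainted input, which is the behaviour the advisory reports as fixed in 5.20.2-3+deb8u2 for jessie.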


Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-11 Thread Cindy-Sue Causey
On 1/11/16, Povl Ole Haarlev Olsen  wrote:
>
> Allow me to add some more noise.
>
> The original mail was sent to the debian-security-announce mailinglist,
> not this list. The unsubscribe address for that list is:
>
> List-Unsubscribe:
> 


And now me.. I didn't notice that (about the Announce list)
originally. I've seen it happen a few times across the Net. It doesn't
seem like that should be able to occur. It seems like Announce lists
are regularly intended as a one-way admin only message source..

Or not?

Just thinking out loud... that maybe the Announce list settings might
need a quick once-over review depending on admin's intentions for it.
:)

Or not. :)

Cindy :)

-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* #RIP, Ian. Thank you and to all who contribute to Debian. It's a
Life-affecting, Life-enhancing resource and tool in my usage case. *



Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-11 Thread Noah Meyerhans
On Mon, Jan 11, 2016 at 11:14:52AM -0500, Cindy-Sue Causey wrote:
> Just thinking out loud... that maybe the Announce list settings might
> need a quick once-over review depending on admin's intentions for it.

The ability to send mail to the debian-security-announce list is
restricted, and the settings work as intended. Note that Debian security
announcements include a Reply-To header redirecting replies to the
debian-security@lists.debian.org discussion list, so it's possible to
send a reply and think that it did go through, when in fact it went to a
different mailing list. In fact, that's exactly what's happening here.
This thread is taking place on debian-security@lists.debian.org, even
though it was triggered by a reply to a security announcement on
debian-security-announce.

noah


