Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-13 Thread Cindy-Sue Causey
On 1/11/16, Noah Meyerhans wrote:
> On Mon, Jan 11, 2016 at 11:14:52AM -0500, Cindy-Sue Causey wrote:
>>
>> ** Not sure proper protocol but reinserted my original thought process
>> And now me.. I didn't notice that (about the Announce list)
>> originally. I've seen it happen a few times across the Net. It doesn't
>> seem like that should be able to occur. It seems like Announce lists
>> are regularly intended as a one-way admin only message source..
>>
>> Just thinking out loud... that maybe the Announce list settings might
>> need a quick once-over review depending on admin's intentions for it.
>
> The ability to send mail to the debian-security-announce list is
> restricted, and the settings work as intended. Note that Debian security
> announcements include a Reply-To header redirecting replies to the
> debian-security@lists.debian.org discussion list, so it's possible to
> send a reply and think that it did go through, when in fact it went to a
> different mailing list. In fact, that's exactly what's happening here.
> This thread is taking place on debian-security@lists.debian.org, even
> though it was triggered by a reply to a security announcement on
> debian-security-announce.


Good deal. Crossed my mind that I didn't receive 2 copies but didn't
think about checking online archives before posting my response. It's
a great tip suggestion to now have in mind for those other unrelated
listservs where it *does* happen, most often on federal dotGov
government listservs of all things. *grin*

Cindy :)

-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* #RIP, Ian. Thank you and to all who contribute to Debian. It's a
Life-affecting, Life-enhancing resource and tool in my usage case. *



Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-11 Thread Dominique Martinet
cont...@baal.fr wrote on Mon, Jan 11, 2016:
> On 11/01/2016 00:04, David ISIDORE wrote:
> > I'm not on Debian anymore. How can I unsubscribe from mailing list?
>
> send unsubscribe to the mailing list

This is confusing and would likely lead to erroneous messages to the
actual list, so allowing myself to reply...

As per the mail headers:
List-Unsubscribe: 


You can send a mail to debian-security-requ...@lists.debian.org with
'unsubscribe' as Subject and any body.
Please note that this is not debian-security@lists.debian.org itself.

For what it's worth, RFC 2369 headers are fairly old and quite a few
clients should support these and have an option hidden somewhere
'unsubscribe to the list' that will do exactly that.


Sorry for the noise to all who don't care,
-- 
Dominique Martinet | Asmadeus,
Not that it's going to prevent more of these emails in the future, but,
hey, I tried.



Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-11 Thread Povl Ole Haarlev Olsen

On Mon, 11 Jan 2016, Dominique Martinet wrote:
> cont...@baal.fr wrote on Mon, Jan 11, 2016:
> > On 11/01/2016 00:04, David ISIDORE wrote:
> > > I'm not on Debian anymore. How can I unsubscribe from mailing list?
> >
> > send unsubscribe to the mailing list
>
> This is confusing and would likely lead to erroneous messages to the
> actual list, so allowing myself to reply...
>
> As per the mail headers:
> List-Unsubscribe:
>
> You can send a mail to debian-security-requ...@lists.debian.org with
> 'unsubscribe' as Subject and any body.
> Please note that this is not debian-security@lists.debian.org itself.
>
> For what it's worth, RFC 2369 headers are fairly old and quite a few
> clients should support these and have an option hidden somewhere
> 'unsubscribe to the list' that will do exactly that.
>
> Sorry for the noise to all who don't care,


Allow me to add some more noise.

The original mail was sent to the debian-security-announce mailing list,
not this list. The unsubscribe address for that list is:


List-Unsubscribe: 


--
Povl Ole

Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-11 Thread Cindy-Sue Causey
On 1/11/16, Povl Ole Haarlev Olsen wrote:
>
> Allow me to add some more noise.
>
> The original mail was sent to the debian-security-announce mailing list,
> not this list. The unsubscribe address for that list is:
>
> List-Unsubscribe:
> 


And now me.. I didn't notice that (about the Announce list)
originally. I've seen it happen a few times across the Net. It doesn't
seem like that should be able to occur. It seems like Announce lists
are regularly intended as a one-way admin only message source..

Or not?

Just thinking out loud... that maybe the Announce list settings might
need a quick once-over review depending on admin's intentions for it.
:)

Or not. :)

Cindy :)

-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* #RIP, Ian. Thank you and to all who contribute to Debian. It's a
Life-affecting, Life-enhancing resource and tool in my usage case. *



Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-11 Thread Noah Meyerhans
On Mon, Jan 11, 2016 at 11:14:52AM -0500, Cindy-Sue Causey wrote:
> Just thinking out loud... that maybe the Announce list settings might
> need a quick once-over review depending on admin's intentions for it.

The ability to send mail to the debian-security-announce list is
restricted, and the settings work as intended. Note that Debian security
announcements include a Reply-To header redirecting replies to the
debian-security@lists.debian.org discussion list, so it's possible to
send a reply and think that it did go through, when in fact it went to a
different mailing list. In fact, that's exactly what's happening here.
This thread is taking place on debian-security@lists.debian.org, even
though it was triggered by a reply to a security announcement on
debian-security-announce.

noah
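
The header behaviour discussed in this thread (a Reply-To that sends replies to a different list than the one the announcement came from, and the RFC 2369 List-Unsubscribe header naming the request address), as an added example that is not part of any poster's message. The sample message is constructed and every address in it is an example.org placeholder, because the archive stripped the real header values.

```python
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlsplit, parse_qs, unquote
import re

# Constructed sample: an announcement whose Reply-To points at a separate
# discussion list. All addresses are placeholders, not real list addresses.
SAMPLE = """\
From: Security Team <team@example.org>
To: announce@lists.example.org
Reply-To: discuss@lists.example.org
List-Id: <announce.lists.example.org>
List-Post: <mailto:announce@lists.example.org>
List-Unsubscribe: <mailto:announce-request@lists.example.org?subject=unsubscribe>,
 <https://lists.example.org/unsubscribe>
Subject: [SECURITY] constructed advisory

body
"""

def unsubscribe_targets(msg):
    """Return the RFC 2369 List-Unsubscribe targets as a list of dicts."""
    raw = msg.get("List-Unsubscribe", "")
    targets = []
    # Each target is a URI in angle brackets; the list is comma separated.
    for uri in re.findall(r"<\s*([^>]+?)\s*>", raw):
        parts = urlsplit(uri)
        if parts.scheme == "mailto":
            subject = parse_qs(parts.query).get("subject", [""])[0]
            targets.append({"kind": "mail", "to": unquote(parts.path), "subject": subject})
        elif parts.scheme in ("http", "https"):
            targets.append({"kind": "web", "url": uri})
    return targets

def reply_destination(msg):
    """Where a plain 'Reply' goes: Reply-To takes precedence over From."""
    header = msg.get_all("Reply-To") or msg.get_all("From") or []
    return [addr for _, addr in getaddresses(header)]

def reply_leaves_list(msg):
    """True when a reply would go somewhere other than the list's post address."""
    post = re.findall(r"<mailto:([^>?]+)", msg.get("List-Post", ""))
    return bool(post) and not set(reply_destination(msg)) & set(post)

msg = message_from_string(SAMPLE)
print(unsubscribe_targets(msg))
print(reply_destination(msg), reply_leaves_list(msg))
```
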





Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-10 Thread David Cachau
Hello,

You can follow instructions on this URL:
https://www.debian.org/MailingLists/#subunsub
Or use this form : https://www.debian.org/MailingLists/unsubscribe

Good bye

On 11/01/2016 00:04, David ISIDORE wrote:
> Hi, I'm not on Debian anymore. How can I unsubscribe from mailing list?
>
> 2016-01-10 20:08 GMT+01:00 Michael Gilbert:
>
> -
> Debian Security Advisory DSA-3438-1  
> secur...@debian.org 
> https://www.debian.org/security/  Michael Gilbert
> January 09, 2016  https://www.debian.org/security/faq
> -
>
> Package: xscreensaver
> CVE ID : CVE-2015-8025
> Debian Bug : 802914
>
> It was discovered that unplugging one of the monitors in a multi-monitor
> setup can cause xscreensaver to crash.  Someone with physical access to
> a machine could use this problem to bypass a locked session.
>
> For the oldstable distribution (wheezy), this problem has been fixed
> in version 5.15-3+deb7u1.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 5.30-1+deb8u1.
>
> For the testing (stretch) and unstable (sid) distributions, this problem
> has been fixed in version 5.34-1.
>
> We recommend that you upgrade your xscreensaver packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org




Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-10 Thread cont...@baal.fr

send unsubscribe to the mailing list

On 11/01/2016 00:04, David ISIDORE wrote:

Hi, I'm not on Debian anymore. How can I unsubscribe from mailing list?

2016-01-10 20:08 GMT+01:00 Michael Gilbert:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
-
Debian Security Advisory DSA-3438-1 secur...@debian.org

https://www.debian.org/security/ Michael Gilbert
January 09, 2016 https://www.debian.org/security/faq
-
-

Package: xscreensaver
CVE ID : CVE-2015-8025
Debian Bug : 802914

It was discovered that unplugging one of the monitors in a multi-monitor
setup can cause xscreensaver to crash.  Someone with physical access to
a machine could use this problem to bypass a locked session.

For the oldstable distribution (wheezy), this problem has been fixed
in version 5.15-3+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 5.30-1+deb8u1.

For the testing (stretch) and unstable (sid) distributions, this problem
has been fixed in version 5.34-1.

We recommend that you upgrade your xscreensaver packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

-END PGP SIGNATURE-






Re: [SECURITY] [DSA 3438-1] xscreensaver security update

2016-01-10 Thread David ISIDORE
Hi, I'm not on Debian anymore. How can I unsubscribe from mailing list?

2016-01-10 20:08 GMT+01:00 Michael Gilbert:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> - -
> Debian Security Advisory DSA-3438-1   secur...@debian.org
> https://www.debian.org/security/  Michael Gilbert
> January 09, 2016  https://www.debian.org/security/faq
> - -
>
> Package: xscreensaver
> CVE ID : CVE-2015-8025
> Debian Bug : 802914
>
> It was discovered that unplugging one of the monitors in a multi-monitor
> setup can cause xscreensaver to crash.  Someone with physical access to
> a machine could use this problem to bypass a locked session.
>
> For the oldstable distribution (wheezy), this problem has been fixed
> in version 5.15-3+deb7u1.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 5.30-1+deb8u1.
>
> For the testing (stretch) and unstable (sid) distributions, this problem
> has been fixed in version 5.34-1.
>
> We recommend that you upgrade your xscreensaver packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1
>
> -END PGP SIGNATURE-
>
>