Re: Unsubscription Incident

From: Metztli Information Technology
Date: Mon Oct 25 2021 - 14:08:24 EST



On 10/25/21 10:04 AM, Slade Watkins wrote:
> On Mon, Oct 25, 2021 at 12:43 AM Benjamin Poirier
> <benjamin.poirier@xxxxxxxxx> wrote:
>> On 2021-10-22 18:54 +0300, Vladimir Oltean wrote:
>>> On Fri, 22 Oct 2021 at 18:53, Lijun Pan <lijunp213@xxxxxxxxx> wrote:
>>>> Hi,
>>>>
>>>> From Oct 11, I did not receive any emails from both linux-kernel and
>>>> netdev mailing lists. Did anyone encounter the same issue? I subscribed
>>>> again and I can receive incoming emails now. However, I figured out
>>>> that anyone can unsubscribe your email without authentication. Maybe
>>>> it is just a one-time issue that someone accidentally unsubscribed my
>>>> email. But I would recommend that our admin add one more
>>>> authentication step before unsubscription to make the process more
>>>> secure.
>>>>
>>>> Thanks,
>>>> Lijun
>>>
>>> Yes, the exact same thing happened to me. I got unsubscribed from all
>>> vger mailing lists.
>>
>> It happened to a bunch of people on gmail:
>> https://lore.kernel.org/netdev/1fd8d0ac-ba8a-4836-59ab-0ed3b0321775@xxxxxxxxxxxx/t/#u
>
> I can at least confirm that this didn't happen to me on my hosted
> Gmail through Google Workspace. Could be wrong, but it seems isolated
> to normal @gmail.com accounts.
>
> Best,
> -slade

Niltze [Hello], all-

Could it have something to do with the following?

---------- Forwarded message ---------

From: Alan Coopersmith <alan.coopersmith@xxxxxxxxxx>
Date: Thu, Oct 21, 2021 at 12:06 PM
Subject: [oss-security] Mailman 2.1.35 security release
To: <oss-security@xxxxxxxxxxxxxxxxxx>


Quoting from Mark Sapiro's emails at:
https://mail.python.org/archives/list/mailman-announce@xxxxxxxxxx/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/

> A couple of vulnerabilities have recently been reported. Thanks to Andre
> Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and
> helping with the development of a fix.
>
> CVE-2021-42096 could allow a list member to discover the list admin
> password.
>
> CVE-2021-42097 could allow a list member to create a successful CSRF
> attack against another list member enabling takeover of the member's account.
>
> These attacks can't be carried out by non-members so may not be of
> concern for sites with only trusted list members.


> I am pleased to announce the release of Mailman 2.1.35.
>
> This is a security and minor bug fix release. See the attached
> README.txt for details. For those who just want a patch for the security
> issues, see
> https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873.
> The patch is also attached to the bug reports at
> https://bugs.launchpad.net/mailman/+bug/1947639 and
> https://bugs.launchpad.net/mailman/+bug/1947640. The patch is the same
> on both and fixes both issues.
>
> As noted Mailman 2.1.30 was the last feature release of the Mailman 2.1
> branch from the GNU Mailman project. There has been some discussion as
> to what this means. It means there will be no more releases from the GNU
> Mailman project containing any new features. There may be future patch
> releases to address the following:
>
> i18n updates.
> security issues.
> bugs affecting operation for which no satisfactory workaround exists.
>
> Mailman 2.1.35 is the fifth such patch release.
>
> Mailman is free software for managing email mailing lists and
> e-newsletters. Mailman is used for all the python.org and
> SourceForge.net mailing lists, as well as at hundreds of other sites.
>
> For more information, please see our web site at one of:
>
> http://www.list.org
> https://www.gnu.org/software/mailman
> http://mailman.sourceforge.net/
>
> Mailman 2.1.35 can be downloaded from
>
> https://launchpad.net/mailman/2.1/
> https://ftp.gnu.org/gnu/mailman/
> https://sourceforge.net/projects/mailman/

> --
>        -Alan Coopersmith- alan.coopersmith@xxxxxxxxxx
>         Oracle Solaris Engineering - https://blogs.oracle.com/alanc


Best Professional Regards.

--
Jose R R
http://metztli.it
---------------------------------------------------------------------------------------------
Download Metztli Reiser4: Debian Bullseye w/ Linux 5.13.14 AMD64
---------------------------------------------------------------------------------------------
feats ZSTD compression https://sf.net/projects/metztli-reiser4/
---------------------------------------------------------------------------------------------
or SFRN 5.1.3, Metztli Reiser5 https://sf.net/projects/debian-reiser4/
-------------------------------------------------------------------------------------------
Official current Reiser4 resources: https://reiser4.wiki.kernel.org/