Re: Unsubscription Incident

From: Slade Watkins
Date: Mon Oct 25 2021 - 16:15:47 EST


Hi there,

On Mon, Oct 25, 2021 at 2:08 PM Metztli Information Technology
<jose.r.r@xxxxxxxxxxx> wrote:
>
>
> On 10/25/21 10:04 AM, Slade Watkins wrote:
> > On Mon, Oct 25, 2021 at 12:43 AM Benjamin Poirier
> > <benjamin.poirier@xxxxxxxxx> wrote:
> >> On 2021-10-22 18:54 +0300, Vladimir Oltean wrote:
> >>> On Fri, 22 Oct 2021 at 18:53, Lijun Pan <lijunp213@xxxxxxxxx> wrote:
> >>>> Hi,
> >>>>
> >>>> From Oct 11, I did not receive any emails from both linux-kernel and
> >>>> netdev mailing list. Did anyone encounter the same issue? I subscribed
> >>>> again and I can receive incoming emails now. However, I figured out
> >>>> that anyone can unsubscribe your email without authentication. Maybe
> >>>> it is just a one-time issue that someone accidentally unsubscribed my
> >>>> email. But I would recommend that our admin can add one more
> >>>> authentication step before unsubscription to make the process more
> >>>> secure.
> >>>>
> >>>> Thanks,
> >>>> Lijun
> >>> Yes, the exact same thing happened to me. I got unsubscribed from all
> >>> vger mailing lists.
> >> It happened to a bunch of people on gmail:
> >> https://lore.kernel.org/netdev/1fd8d0ac-ba8a-4836-59ab-0ed3b0321775@xxxxxxxxxxxx/t/#u
> > I can at least confirm that this didn't happen to me on my hosted
> > Gmail through Google Workspace. Could be wrong, but it seems isolated
> > to normal @gmail.com accounts.
> >
> > Best,
> > -slade
>
> Niltze [Hello], all-
>
> Could it have something to do with the following?
>
> ---------- Forwarded message ---------
>
> From: Alan Coopersmith <alan.coopersmith@xxxxxxxxxx>
> Date: Thu, Oct 21, 2021 at 12:06 PM
> Subject: [oss-security] Mailman 2.1.35 security release
> To: <oss-security@xxxxxxxxxxxxxxxxxx>
>
>
> Quoting from Mark Sapiro's emails at:
> https://mail.python.org/archives/list/mailman-announce@xxxxxxxxxx/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/
>
> > A couple of vulnerabilities have recently been reported. Thanks to Andre
> > Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and
> > helping with the development of a fix.
> >
> > CVE-2021-42096 could allow a list member to discover the list admin
> > password.
> >
> > CVE-2021-42097 could allow a list member to create a successful CSRF
> > attack against another list member enabling takeover of the members
> > account.
> >
> > These attacks can't be carried out by non-members so may not be of
> > concern for sites with only trusted list members.

Maybe? Are the kernel lists hosted through mailman or something based
on it that would be affected by these CVEs? It has been so long since
I last looked into it that I genuinely do not remember.

>
>
> > I am pleased to announce the release of Mailman 2.1.35.
> >
> > This is a security and minor bug fix release. See the attached
> > README.txt for details. For those who just want a patch for the security
> > issues, see
> > https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873.
> > The patch is also attached to the bug reports at
> > https://bugs.launchpad.net/mailman/+bug/1947639 and
> > https://bugs.launchpad.net/mailman/+bug/1947640. The patch is the same
> > on both and fixes both issues.
> >
> > As noted Mailman 2.1.30 was the last feature release of the Mailman 2.1
> > branch from the GNU Mailman project. There has been some discussion as
> > to what this means. It means there will be no more releases from the GNU
> > Mailman project containing any new features. There may be future patch
> > releases to address the following:
> >
> > i18n updates.
> > security issues.
> > bugs affecting operation for which no satisfactory workaround exists.
> >
> > Mailman 2.1.35 is the fifth such patch release.
> >
> > Mailman is free software for managing email mailing lists and
> > e-newsletters. Mailman is used for all the python.org and
> > SourceForge.net mailing lists, as well as at hundreds of other sites.
> >
> > For more information, please see our web site at one of:
> >
> > http://www.list.org
> > https://www.gnu.org/software/mailman
> > http://mailman.sourceforge.net/
> >
> > Mailman 2.1.35 can be downloaded from
> >
> > https://launchpad.net/mailman/2.1/
> > https://ftp.gnu.org/gnu/mailman/
> > https://sourceforge.net/projects/mailman/
>
> > --
> > -Alan Coopersmith- alan.coopersmith@xxxxxxxxxx
> > Oracle Solaris Engineering - https://blogs.oracle.com/alanc
>
>
> Best Professional Regards.
>
> --
> Jose R R
> http://metztli.it
> ---------------------------------------------------------------------------------------------
> Download Metztli Reiser4: Debian Bullseye w/ Linux 5.13.14 AMD64
> ---------------------------------------------------------------------------------------------
> feats ZSTD compression https://sf.net/projects/metztli-reiser4/
> ---------------------------------------------------------------------------------------------
> or SFRN 5.1.3, Metztli Reiser5 https://sf.net/projects/debian-reiser4/
> -------------------------------------------------------------------------------------------
> Official current Reiser4 resources: https://reiser4.wiki.kernel.org/

Thanks,
-slade
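The thread's complaint is that a list server honoured an unsubscribe request for any address whoever sent it, and Lijun's suggestion is an authentication step before the unsubscribe takes effect. The following is an added example to illustrate that suggestion; it is not code from vger, Mailman or anyone in the thread. It contrasts the weak behaviour with a request-then-confirm flow in which the server mails an HMAC-bound, expiring token to the address in question, so that only someone reading that mailbox can complete the removal. The key, the three-day token lifetime, the sample addresses and the in-memory outbox are all assumptions made for the example.

```python
import hashlib
import hmac
import time

# Hypothetical values for this example: the real list server's key and
# confirmation lifetime are not on the page.
TOKEN_TTL = 3 * 24 * 3600   # confirmation tokens expire after three days (assumption)


class WeakList:
    """Unsubscribe honours any request that merely names an address.

    This models the behaviour the thread complains about: whoever submits
    the request, the named address is dropped with no proof that the
    requester controls it.
    """

    def __init__(self, members):
        self.members = set(members)

    def unsubscribe(self, address):
        self.members.discard(address)
        return address not in self.members


class ConfirmedList:
    """Unsubscribe in two steps: request, then confirm with a mailed token.

    The token is an HMAC over (purpose, address, expiry) under a server-side
    key and is delivered only to the subscriber's own mailbox, so completing
    the unsubscribe proves control of that mailbox.
    """

    def __init__(self, members, key, now=time.time):
        self.members = set(members)
        self.key = key
        self.now = now            # injectable clock so expiry can be exercised
        self.outbox = []          # constructed stand-in for outgoing mail

    def _mac(self, address, expiry):
        msg = b"\0".join([b"unsubscribe", address.encode(), str(expiry).encode()])
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request_unsubscribe(self, address):
        """Anyone may ask; the only effect is a mail to the address itself."""
        if address in self.members:
            expiry = int(self.now()) + TOKEN_TTL
            token = f"{expiry}.{self._mac(address, expiry)}"
            self.outbox.append((address, token))
        return None   # same response for members and non-members: no membership oracle

    def confirm_unsubscribe(self, address, token):
        """Drop the address only if the token is well-formed, unexpired and bound to it."""
        if address not in self.members:
            return False
        try:
            expiry_str, mac = token.split(".", 1)
            expiry = int(expiry_str)
        except ValueError:
            return False
        if expiry < self.now():
            return False
        if not hmac.compare_digest(mac, self._mac(address, expiry)):
            return False
        self.members.discard(address)
        return True


if __name__ == "__main__":
    weak = WeakList({"alice@example.com", "bob@example.com"})
    print("weak list, stranger removes bob:", weak.unsubscribe("bob@example.com"))

    clock = [1_700_000_000]
    lst = ConfirmedList({"alice@example.com", "bob@example.com"}, b"k" * 32,
                        now=lambda: clock[0])
    lst.request_unsubscribe("bob@example.com")          # a stranger asks
    print("stranger guesses a token:",
          lst.confirm_unsubscribe("bob@example.com", "1700000000.0000"))
    addr, token = lst.outbox[-1]                        # only bob's mailbox holds this
    print("bob's token used against alice:",
          lst.confirm_unsubscribe("alice@example.com", token))
    print("bob confirms from his mailbox:", lst.confirm_unsubscribe(addr, token))
    lst.request_unsubscribe("alice@example.com")
    _, stale = lst.outbox[-1]
    clock[0] += TOKEN_TTL + 1                           # token sits unread past its lifetime
    print("expired token:", lst.confirm_unsubscribe("alice@example.com", stale))
```

Requesting is deliberately left open to anyone, because the request itself changes nothing and the worst a stranger can do is cause one confirmation mail; the check that matters is that the confirming party holds a token the server only ever sent to the subscriber's own mailbox. Binding the address and expiry into the MAC stops a token issued for one member being replayed against another or kept indefinitely.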