From: Gordon Tetlow
To: Kevin Oberman, postmaster@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: Lack of notification of security notices
Date: Mon, 18 Apr 2022 13:19:19 -0700
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

From the secteam point of view, we haven't changed anything in the way we send messages to the mailing lists. I have double checked and all SAs are sent to the three addresses listed. I suspect this is likely fallout of the mailing list change over.

I can say for my part, I have gotten a copy of the messages from both the freebsd-announce and freebsd-security mailing lists for the SAs I have sent out (I'm not subscribed to the freebsd-security-notifications list). I just confirmed the headers for the 2 copies of SA-22:08.zlib that I received that it is routing through the lists.

It does appear as though the messages are not properly archiving into the mailing list archives. Adding postmaster to the thread for them to dig into why that might be.

Gordon
Hat: security-officer

> On Apr 18, 2022, at 12:57 PM, Kevin Oberman wrote:
>
> As per the FreeBSD Security Information web page, security notifications are sent to:
> FreeBSD-security-notifications@FreeBSD.org
> FreeBSD-security@FreeBSD.org
> FreeBSD-announce@FreeBSD.org
> This policy has lately been ignored. No postings show up in the archives of FreeBSD-security-notifications@FreeBSD.org since January. Likewise for freebsd-announce. The only list showing the April 6 announcements is this one, freebsd-security@freebad.org.
>
> In the past, Security Announcements and Errata Notes have also been copied to the stable and current lists as appropriate, although this is not mentioned. This delayed the update of my systems by several days. Fortunately, only one of these vulnerabilities was relevant to my systems.
>
> Even though the announcements are almost 2 weeks old, it is still likely that some people are unaware of them, so I would strongly urge that they be posted to, at least, FreeBSD-Announce and FreeBSD-Stable lists.
>
> In passing, I will note that the same issue appears to be occurring with posts of Errata Notices.
> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
