Date: Sun, 11 Feb 2001 09:07:13 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Drew Derbyshire <software@kew.com>
Cc: chat@freebsd.org
Subject: Re: FreeBSD Postfix and Majordomo security (was FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE)
Message-ID: <20010211090713.B50667@mollari.cthul.hu>
In-Reply-To: <009c01c093e5$d1cd7230$94cba8c0@hh.kew.com>; from software@kew.com on Sat, Feb 10, 2001 at 11:48:04PM -0500
References: <200102082014.PAA29877@vws3.interlog.com> <009c01c093e5$d1cd7230$94cba8c0@hh.kew.com>

On Sat, Feb 10, 2001 at 11:48:04PM -0500, Drew Derbyshire wrote:

> Since the FreeBSD site runs postfix, the fix to block external postings to
> the announce list is a Postfix FAQ, using a regular expression filter. This
> would require direct trusted posters to go through a local (or otherwise
> trusted IP), and cannot be beaten by forged headers. (Hint, hint!)

It was a broken filter rule which allowed the mail in - this has been
fixed.

> In general, I'm amazed that after all the SPAM on the FreeBSD mailing lists
> that they haven't gone to post-only-by subscribers in general -- clearly,
> the maintainers don't seem to care about the lists' quality as much as some
> of the subscribers do. Yes, yes, I've heard the "but we need to let any one
> post ..." argument, and refuse to believe it given hackish nature of the
> FreeBSD mailing lists, and general disdain for end-users.

This is a blatant troll, IMO, so I'll ignore it.

> (Linux will rule the world, because organizations like RedHat support
> relatively clean binary patches using up2date between releases -- it makes
> me sad when I compare this to FreeBSD security advisories which offer choices
> of source patches or "upgrade to Release 4.x-STABLE after the specified"
> date, given that such configurations have a prereq of reading the -stable
> mailing list and generally breathing FreeBSD.)

Making binary patches is something we'd very much like to do, but it
requires significant support and testing infrastructure, which no-one
has come forward to provide so far.

How sad does it make you? Sad enough to do something about it, or only
a little bit sad so that you'll just complain about it but won't
bother?

Kris