From owner-freebsd-security Fri Feb 9 10:59:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24])
    by hub.freebsd.org (Postfix) with ESMTP id 250F537B65D
    for ; Fri, 9 Feb 2001 10:58:49 -0800 (PST)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4)
    id TAA26764; Fri, 9 Feb 2001 19:58:47 +0100 (MET)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian))
    id 14RIkp-0007y4-00
    for ; Fri, 09 Feb 2001 19:58:47 +0100
Date: Fri, 9 Feb 2001 19:58:47 +0100
From: Szilveszter Adam
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE
Message-ID: <20010209195847.F27987@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam , security@FreeBSD.ORG
References: <200102082014.PAA29877@vws3.interlog.com> <2488141552.981740685@[192.168.1.2]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <2488141552.981740685@[192.168.1.2]>; from cholet@logilune.com on Fri, Feb 09, 2001 at 05:44:45PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 09, 2001 at 05:44:45PM +0100, Eric Cholet wrote:
> I received the following, what worries me is that the PGP signature
> verified, and it's not April 1st. WTF ??

AFAIK it was not at all signed... unlike previous attempts by the same
"funny" person.

But what got me worried (and what nobody apparently understood from my post
from yesterday) is that this time the prankster managed to post on both
freebsd-announce and freebsd-security-announce, which are supposed to be
closed and moderated lists.

So does this effectively mean that just by forging a From: header, I can
already post whatever I want on -announce? (An allegedly trusted resource)

If so, we (freebsd.org) have a security problem.
(Hence the post on -security, since we do not have any *public* mailing list
for discussing security matters wrt freebsd.org itself, before anyone asks
again.)

If my allegation is not true, then what happened?

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message