Date: Fri, 09 Feb 2001 12:35:16 -0800
From: Kris Kennaway
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE
In-reply-to: <20010209195847.F27987@petra.hos.u-szeged.hu>; from sziszi@petra.hos.u-szeged.hu on Fri, Feb 09, 2001 at 07:58:47PM +0100
To: Szilveszter Adam
Cc: security@FreeBSD.ORG
Message-id: <20010209123516.B64466@mollari.cthul.hu>
References: <200102082014.PAA29877@vws3.interlog.com> <2488141552.981740685@[192.168.1.2]> <20010209195847.F27987@petra.hos.u-szeged.hu>
Sender: owner-freebsd-security@FreeBSD.ORG

On Fri, Feb 09, 2001 at 07:58:47PM +0100, Szilveszter Adam wrote:
> On Fri, Feb 09, 2001 at 05:44:45PM +0100, Eric Cholet wrote:
> > I received the following, what worries me is that the PGP signature
> > verified, and it's not April 1st. WTF ??
>
> AFAIK it was not at all signed... unlike previous attempts by the same
> "funny" person. But what got me worried (and what nobody apparently
> understood from my post from yesterday) is that this time the prankster
> managed to post on both freebsd-announce and freebsd-security-announce,
> which are supposed to be closed and moderated lists.
>
> So does this effectively mean, that just by forging a From: header, I can
> already post whatever I want on -announce? (An allegedly trusted resource)
> If so, we (freebsd.org) have a security problem. (Hence the post on
> -security, since we do not have any *public* mailing list for discussing
> security matters wrt freebsd.org itself, before anyone asks again.)
>
> If my allegation is not true, then what happened?

That was the case, but it's been fixed.

Kris