From: Kevin Oberman
Date: Mon, 18 Apr 2022 14:06:48 -0700
Subject: Re: Lack of notification of security notices
To: Gordon Tetlow
Cc: postmaster@freebsd.org, freebsd-security@freebsd.org
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On Mon, Apr 18, 2022 at 1:19 PM Gordon Tetlow wrote:

> From the secteam point of view, we haven't changed anything in the way we
> send messages to the mailing lists. I have double checked and all SAs are
> sent to the three addresses listed. I suspect this is likely fallout of the
> mailing list change over.
>
> I can say for my part, I have gotten a copy of the messages from both the
> freebsd-announce and freebsd-security mailing lists for the SAs I have sent
> out (I'm not subscribed to the freebsd-security-notifications list). I just
> confirmed the headers for the 2 copies of SA-22:08.zlib that I received
> that it is routing through the lists.
>
> It does appear as though the messages are not properly archiving into the
> mailing list archives. Adding postmaster to the thread for them to dig into
> why that might be.
>
> Gordon
> Hat: security-officer

Clearly, something has failed. The archives show no messages to stable,
security-notifications or announce for security advisories or errata notes
since an errata note on March 22. There was an e-mail on stable sent on the
7th asking why the April 6 messages did not get posted to stable, so it is
not just me. The issue is new this month, so the change in mailers last year
is not directly responsible. If I was to take a guess, I suspect something
changed between the March ENs and April 6 in how the mailer treats
cross-posts. Looks like something changed in the two weeks between March 22
and April 6.

Mr. Postmaster???

> On Apr 18, 2022, at 12:57 PM, Kevin Oberman wrote:
>
> As per the FreeBSD Security Information web page, security notifications
> are sent to:
>
> - FreeBSD-security-notifications@FreeBSD.org
> - FreeBSD-security@FreeBSD.org
> - FreeBSD-announce@FreeBSD.org
>
> This policy has lately been ignored. No postings show up in the archives
> of FreeBSD-security-notifications@FreeBSD.org since January. Likewise for
> freebsd-announce. The only list showing the April 6 announcements is this
> one, freebsd-security@freebsd.org.
>
> In the past, Security Announcements and Errata Notes have also been copied
> to the stable and current lists as appropriate, although this is not
> mentioned. This delayed the update of my systems by several days.
> Fortunately, only one of these vulnerabilities was relevant to my systems.
>
> Even though the announcements are almost 2 weeks old, it is still likely
> that some people are unaware of them, so I would strongly urge that they be
> posted to, at least, FreeBSD-Announce and FreeBSD-Stable lists.
>
> In passing, I will note that the same issue appears to be occurring with
> posts of Errata Notices.
> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683