oss-sec mailing list archives
CC'ing external lists/bugs (Re: [oss-security] Bug#771125: Info received ([oss-security] CVE request: mutt: heap-based buffer overflow in mutt_substrdup()))
From: Solar Designer <solar () openwall com>
Date: Thu, 27 Nov 2014 18:19:18 +0300
On Thu, Nov 27, 2014 at 04:15:10AM +0000, Debian Bug Tracking System wrote:
> Thank you for the additional information you have supplied regarding this Bug report.

[...]

> Please do not send mail to owner () bugs debian org unless you wish to report a problem with the Bug-tracking system.

We have this problem when someone CC's a Debian bug on oss-security postings. (But somehow not all the time? Perhaps the Debian bug tracker has some rules for when not to notify of "the additional information"? Or was Reply-To or whatever set differently this time?)

Neither approving nor rejecting these messages feels right. Rejecting currently means a message would be sent to owner () bugs debian org, and also the thread might be broken in mailing list archives. Doing nothing means that a message to that extent would be sent a few days later. I can SSH in to the server and manually remove the message from the moderation queue to avoid that, but this also feels weird. Well, or I can update the spam filter to catch and drop these before they get to the mailing list manager (and hence before moderation) - maybe I should.

Besides, any CC's to other lists tend to result in some "noise" being sent to oss-security (some messages that would be appropriate for the other instance of the thread, but not so much for oss-security).

So I am posting this for three reasons:

1. To ask that we please cut down on use of CC's to external lists.

2. To point out and ask about the issue with Debian bugs specifically - how do we handle it best going forward? Any suggestions?

3. To explain why this undesirable message appeared in here.

Alexander

Current thread:
- CVE request: mutt: heap-based buffer overflow in mutt_substrdup() Murray McAllister (Nov 26)
- Re: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() Murray McAllister (Nov 26)
- Bug#771125: Info received ([oss-security] CVE request: mutt: heap-based buffer overflow in mutt_substrdup()) Debian Bug Tracking System (Nov 27)
- CC'ing external lists/bugs (Re: [oss-security] Bug#771125: Info received ([oss-security] CVE request: mutt: heap-based buffer overflow in mutt_substrdup())) Solar Designer (Nov 27)
- Re: CC'ing external lists/bugs Jakub Wilk (Nov 29)
- Bug#771125: Info received ([oss-security] CVE request: mutt: heap-based buffer overflow in mutt_substrdup()) Debian Bug Tracking System (Nov 27)
- Re: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() Murray McAllister (Nov 26)
- Re: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() cve-assign (Nov 26)
- Re: Bug#771125: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() Antonio Radici (Nov 27)