[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Announce missing - in moderation?

Hi, Bill;

   Sure. I've updated the scripts to set the reply-to address and also
fired a message off to ann@a.o to wrap it up. I didn't change the date
of the announcement, so hopefully that won't pose a problem.

   Later I'll commit a change to just send separate emails instead of a
multi-to message since that seems like the easiest approach.

Daniel Ruggeri

On 9/28/2018 9:13 PM, William A Rowe Jr wrote:
> Sebb thank you for your analysis!
> Two issues; one, the reply-to field of security announcements was set
> to security@, and this is in direct contravention of Apache policy.
> Security@ is exclusively for reporting undisclosed vulnerabilities,
> and all other traffic is ignored. This group of email addresses must
> never be shared without context and usage guidance. Please, never do
> that again.
> Two, this announce is still not published to ann@a.o. What is the next
> step to cause this to happen? Daniel, could you use a conventional
> mail agent to wrap this cycle up?
> On Wed, Sep 26, 2018, 18:40 sebb <sebbaz@xxxxxxxxx
> <mailto:sebbaz@xxxxxxxxx>> wrote:
>     Also just realised the Message-Id is missing.
>     Some servers (e.g. GMail) may add it; if they don't it can causes
>     issues for mod_mbox and possibly other archivers.
>     It also causes problems for mail threading.
>     And if the mail is sent to multiple destinations, each generated
>     Message-Id will be different.
>     On 26 September 2018 at 22:04, Noel Butler <noel.butler@xxxxxxxxxx
>     <mailto:noel.butler@xxxxxxxxxx>> wrote:
>         On 27/09/2018 05:37, sebb AT ASF wrote:
>>         I don't know if this is relevant, but the messages don't have
>>         a Date: header.
>         Ahhhh  this would be because Daniel used curl to send them
>         rather than a sane method :)
>>         Also some of the received headers look odd:
>>         Received: from Announcement.txt (IP redacted)
>>                 by mailrelay1-lw-us.apache.org
>>         <http://mailrelay1-lw-us.apache.org> (ASF Mail Server at
>>         mailrelay1-lw-us.apache.org
>>         <http://mailrelay1-lw-us.apache.org>) with ESMTPSA id redacted
>>                 for <announce@xxxxxxxxxxxxxxxx
>>         <mailto:announce@xxxxxxxxxxxxxxxx>>; Sat, 22 Sep 2018
>>         11:41:35 +0000 (UTC)
>>         and
>>         Received: from CVE-2018-11763-h2-dos-by-settings.txt (IP
>>         redacted)
>>                 by mailrelay2-lw-us.apache.org
>>         <http://mailrelay2-lw-us.apache.org> (ASF Mail Server at
>>         mailrelay2-lw-us.apache.org
>>         <http://mailrelay2-lw-us.apache.org>) with ESMTPSA id redacted
>>                 for <announce@xxxxxxxxxxxxxxxx
>>         <mailto:announce@xxxxxxxxxxxxxxxx>>; Sat, 22 Sep 2018
>>         11:41:38 +0000 (UTC)
>         -- 
>         Kind Regards,
>         Noel Butler
>         This Email, including any attachments, may contain legally
>         privileged information, therefore remains confidential and
>         subject to copyright protected under international law. You
>         may not disseminate, discuss, or reveal, any part, to anyone,
>         without the authors express written authority to do so. If you
>         are not the intended recipient, please notify the sender then
>         delete all copies of this message including attachments,
>         immediately. Confidentiality, copyright, and legal privilege
>         are not waived or lost by reason of the mistaken delivery of
>         this message. Only PDF <http://www.adobe.com/> and ODF
>         <http://en.wikipedia.org/wiki/OpenDocument> documents
>         accepted, please do not send proprietary formatted documents