Hi, Bill;

Sure. I've updated the scripts to set the reply-to address and also fired a message off to [email protected] to wrap it up. I didn't change the date of the announcement, so hopefully that won't pose a problem.

Later I'll commit a change to just send separate emails instead of a multi-to message since that seems like the easiest approach.

--
Daniel Ruggeri

On 9/28/2018 9:13 PM, William A Rowe Jr wrote:
> Sebb thank you for your analysis!
>
> Two issues; one, the reply-to field of security announcements was set
> to security@, and this is in direct contravention of Apache policy.
> Security@ is exclusively for reporting undisclosed vulnerabilities,
> and all other traffic is ignored. This group of email addresses must
> never be shared without context and usage guidance. Please, never do
> that again.
>
> Two, this announce is still not published to [email protected]. What is the next
> step to cause this to happen? Daniel, could you use a conventional
> mail agent to wrap this cycle up?
>
> On Wed, Sep 26, 2018, 18:40 sebb <[email protected]> wrote:
>
> > Also just realised the Message-Id is missing.
> >
> > Some servers (e.g. GMail) may add it; if they don't it can cause
> > issues for mod_mbox and possibly other archivers.
> > It also causes problems for mail threading.
> > And if the mail is sent to multiple destinations, each generated
> > Message-Id will be different.
> >
> > On 26 September 2018 at 22:04, Noel Butler <[email protected]> wrote:
> >
> > > On 27/09/2018 05:37, sebb AT ASF wrote:
> > >
> > > > I don't know if this is relevant, but the messages don't have
> > > > a Date: header.
> > >
> > > Ahhhh this would be because Daniel used curl to send them
> > > rather than a sane method :)
> > >
> > > > Also some of the received headers look odd:
> > > >
> > > > Received: from Announcement.txt (IP redacted)
> > > >   by mailrelay1-lw-us.apache.org (ASF Mail Server at
> > > >   mailrelay1-lw-us.apache.org) with ESMTPSA id redacted
> > > >   for <[email protected]>; Sat, 22 Sep 2018 11:41:35 +0000 (UTC)
> > > >
> > > > and
> > > >
> > > > Received: from CVE-2018-11763-h2-dos-by-settings.txt (IP redacted)
> > > >   by mailrelay2-lw-us.apache.org (ASF Mail Server at
> > > >   mailrelay2-lw-us.apache.org) with ESMTPSA id redacted
> > > >   for <[email protected]>; Sat, 22 Sep 2018 11:41:38 +0000 (UTC)
> > >
> > > --
> > >
> > > Kind Regards,
> > >
> > > Noel Butler
> > >
> > > This Email, including any attachments, may contain legally
> > > privileged information, therefore remains confidential and
> > > subject to copyright protected under international law. You
> > > may not disseminate, discuss, or reveal, any part, to anyone,
> > > without the author's express written authority to do so. If you
> > > are not the intended recipient, please notify the sender then
> > > delete all copies of this message including attachments,
> > > immediately. Confidentiality, copyright, and legal privilege
> > > are not waived or lost by reason of the mistaken delivery of
> > > this message. Only PDF and ODF documents
> > > accepted, please do not send proprietary formatted documents
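
Added example, not part of the thread and not the project's announcement scripts: a pre-send check for the header problems raised above (no Date:, no Message-Id, Reply-To aimed at a security@ mailbox), plus a builder that sends one message per recipient, each with its own Date and Message-ID. All addresses, the domain and the function names are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr

REQUIRED = ("From", "To", "Subject", "Date", "Message-ID")


def lint_headers(msg, forbidden_reply_local="security"):
    """Return a list of header problems in an outgoing announcement."""
    problems = [f"missing {h}" for h in REQUIRED if not msg.get(h)]
    # Replies must not be routed to the vulnerability-report mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr.split("@")[0].lower() == forbidden_reply_local:
        problems.append(f"Reply-To points at {reply_addr}")
    return problems


def build_announcements(sender, reply_to, recipients, subject, body, domain):
    """Build one message per recipient instead of a single multi-To message."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Reply-To"] = reply_to
        msg["Subject"] = subject
        # Set by the sender so archivers and threading do not depend on
        # whatever a relay may or may not add.
        msg["Date"] = formatdate()
        msg["Message-ID"] = make_msgid(domain=domain)
        msg.set_content(body)
        messages.append(msg)
    return messages


# Constructed sample: a message as a bare HTTP-style upload might produce it.
BARE = EmailMessage()
BARE["From"] = "rm@example.org"
BARE["To"] = "announce@example.org"
BARE["Reply-To"] = "security@example.org"
BARE["Subject"] = "[ANNOUNCE] constructed sample"
BARE.set_content("constructed body")

if __name__ == "__main__":
    print(lint_headers(BARE))
    for m in build_announcements("rm@example.org", "users@example.org",
                                 ["announce@example.org", "list2@example.org"],
                                 "[ANNOUNCE] constructed sample",
                                 "constructed body", "example.org"):
        print(m["To"], m["Message-ID"], lint_headers(m))
```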
