From foxboron at archlinux.org Tue Jul 17 16:25:49 2018 From: foxboron at archlinux.org (Morten Linderud) Date: Tue, 17 Jul 2018 16:25:49 +0200 Subject: [mailman] Please stop forwarding emails from arch-security Message-ID: <20180717142549.GD16805@theia> Yo. Can you guys please stop blanket forwarding emails from arch-security to manjaro-security? It serves no purpose as the packages are not available within a sensible timeframe in your repositories. It currently creates noise to the security team publishing the emails, and I would much rather see you resending and resigning the mails appropriately whenever you have the packages pushed in your repositories. Example: > Date: Tue, 17 Jul 2018 13:02:47 +0200 > From: Cryptycat 7 > To: Morten Linderud > Subject: Re: [manjaro-security] [ASA-201807-4] thunderbird: multiple issues > > Thanks for your hard work. I tumbled down the rabbit hole and found an NSA > botnet. Used for mass surveillance and censorship. Where can I upload my > wireshark and ettercap files? You can reach me on twitter as well > @cryptycat7. Signal, Threema, xmpp. I use all of them. > https://youtu.be/yeThBz_RJUc > > This shows how performing an evil twin Bettercap SSL attack via anti DDOS > VPN server on a target device of the NSA shuts down the entire > neighborhood. Not sure if this is legal. Guess it's not, still the world > had to know. > I would really appreciate to get in touch with the Manjaro team to close > this exploit. It's more like exploiting DSL VDSL and isdn. > > Normally I am considered to be a fool. That's what I recorded this video > for. > On Tue, 17 Jul 2018, 10:55 Morten Linderud, wrote: > > > Arch Linux Security Advisory ASA-201807-4 > > ========================================= -- Morten Linderud PGP: 9C02FF419FECBE16 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From philm at manjaro.org Tue Jul 17 17:04:40 2018 From: philm at manjaro.org (=?UTF-8?Q?Philip_M=c3=bcller?=) Date: Tue, 17 Jul 2018 17:04:40 +0200 Subject: [mailman] Please stop forwarding emails from arch-security In-Reply-To: <20180717142549.GD16805@theia> References: <20180717142549.GD16805@theia> Message-ID: <033974d7-53e0-52f9-005b-947c466808e2@manjaro.org> On 17.07.2018 16:25, Morten Linderud wrote: > Yo. > > Can you guys please stop blanket forwarding emails from arch-security to > manjaro-security? It serves no purpose as the packages are not available within > a sensible timeframe in your repositories. > > It currently creates noise to the security team publishing the emails, and I > would much rather see you resending and resigning the mails appropriately > whenever you have the packages pushed in your repositories. > Hi Morten, we always push the security packages mostly ASAP to all our branches. Thunderbird we uploaded on the 11th of July: https://manjaro.moson.eu/pool/overlay/thunderbird-52.9.1-0-x86_64.pkg.tar.xz x64 https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017864.html https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017865.html https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017866.html x32 https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017862.html https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017861.html https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017860.html Therefore we already acted before the announcement in that case, as this happend on the 17th: https://lists.manjaro.org/pipermail/manjaro-security/2018-July/000764.html So I don't know why Cryptycat7 wrote you. Manjaro uses revision 0 mostly for our security packages. @Jonathon, thoughts? Best, Philip From foxboron at archlinux.org Tue Jul 17 17:07:42 2018 From: foxboron at archlinux.org (Morten Linderud) Date: Tue, 17 Jul 2018 17:07:42 +0200 Subject: [mailman] Please stop forwarding emails from arch-security In-Reply-To: <033974d7-53e0-52f9-005b-947c466808e2@manjaro.org> References: <20180717142549.GD16805@theia> <033974d7-53e0-52f9-005b-947c466808e2@manjaro.org> Message-ID: <20180717150742.GE16805@theia> On Tue, Jul 17, 2018 at 05:04:40PM +0200, Philip Müller wrote: > we always push the security packages mostly ASAP to all our branches. > Thunderbird we uploaded on the 11th of July: qutebrowser is still in testing, and that was embargoed and announced properly 11th of June. -- Morten Linderud PGP: 9C02FF419FECBE16 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From cryptycat7 at gmail.com Tue Jul 17 17:08:21 2018 From: cryptycat7 at gmail.com (Cryptycat 7) Date: Tue, 17 Jul 2018 17:08:21 +0200 Subject: [mailman] Please stop forwarding emails from arch-security In-Reply-To: <033974d7-53e0-52f9-005b-947c466808e2@manjaro.org> References: <20180717142549.GD16805@theia> <033974d7-53e0-52f9-005b-947c466808e2@manjaro.org> Message-ID: Ok, thanks. I just want to raise awareness for the issue. This malware infects routers and so far I didn't find a single one that isn't infected. Same goes for university and public wifis, business wifis whatever. I reached out to you because I hope that you can shed some light. Using manjaro I can't connect to the internet anymore not even if I use a LAN cable. I am in touch with NordVPN since this is established by blacklisting MAC adressses and BSSIDs starting with EE. If you know someone, that I should contact instead, that would be much appreciated. On Tue, 17 Jul 2018, 17:04 Philip Müller, wrote: > On 17.07.2018 16:25, Morten Linderud wrote: > > Yo. > > > > Can you guys please stop blanket forwarding emails from arch-security to > > manjaro-security? It serves no purpose as the packages are not available > within > > a sensible timeframe in your repositories. > > > > It currently creates noise to the security team publishing the emails, > and I > > would much rather see you resending and resigning the mails appropriately > > whenever you have the packages pushed in your repositories. > > > > Hi Morten, > > we always push the security packages mostly ASAP to all our branches. > Thunderbird we uploaded on the 11th of July: > > > https://manjaro.moson.eu/pool/overlay/thunderbird-52.9.1-0-x86_64.pkg.tar.xz > > x64 > > https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017864.html > > https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017865.html > > https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017866.html > > x32 > > https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017862.html > > https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017861.html > > https://lists.manjaro.org/pipermail/manjaro-packages/Week-of-Mon-20180709/017860.html > > Therefore we already acted before the announcement in that case, as this > happend on the 17th: > > https://lists.manjaro.org/pipermail/manjaro-security/2018-July/000764.html > > So I don't know why Cryptycat7 wrote you. Manjaro uses revision 0 mostly > for our security packages. > > @Jonathon, thoughts? > > Best, Philip > -------------- next part -------------- An HTML attachment was scrubbed... URL: From philm at manjaro.org Tue Jul 17 17:17:48 2018 From: philm at manjaro.org (=?UTF-8?Q?Philip_M=c3=bcller?=) Date: Tue, 17 Jul 2018 17:17:48 +0200 Subject: [mailman] Please stop forwarding emails from arch-security In-Reply-To: <20180717150742.GE16805@theia> References: <20180717142549.GD16805@theia> <033974d7-53e0-52f9-005b-947c466808e2@manjaro.org> <20180717150742.GE16805@theia> Message-ID: <318b8ccd-1b1e-cb6b-2b7a-a691a84677b6@manjaro.org> On 17.07.2018 17:07, Morten Linderud wrote: > On Tue, Jul 17, 2018 at 05:04:40PM +0200, Philip Müller wrote: >> we always push the security packages mostly ASAP to all our branches. >> Thunderbird we uploaded on the 11th of July: > > qutebrowser is still in testing, and that was embargoed and announced properly > 11th of June. > Yep, that is true, as we have the snapshot of Mon Jul 9 06:59:43 CEST 2018 in our stable branch. That is why we say mostly ASAP. I'm sorry that the user directly reached out to you without consulting us first. From philm at manjaro.org Tue Jul 17 17:22:50 2018 From: philm at manjaro.org (=?UTF-8?Q?Philip_M=c3=bcller?=) Date: Tue, 17 Jul 2018 17:22:50 +0200 Subject: [mailman] Please stop forwarding emails from arch-security In-Reply-To: References: <20180717142549.GD16805@theia> <033974d7-53e0-52f9-005b-947c466808e2@manjaro.org> Message-ID: On 17.07.2018 17:08, Cryptycat 7 wrote: > Ok, thanks. I just want to raise awareness for the issue. This malware > infects routers and so far I didn't find a single one that isn't > infected. Same goes for university and public wifis, business wifis > whatever. I reached out to you because I hope that you can shed some > light. Using manjaro I can't connect to the internet anymore not even if > I use a LAN cable. I am in touch with NordVPN since this is established > by blacklisting MAC adressses and BSSIDs starting with EE. If you know > someone, that I should contact instead, that would be much appreciated. Well, it seems you had reached out directly to Arch. We used to use the announcements by Arch to give you a similar service. Most of the packages are added to our testing and unstable branches earlier. For some of them we do rebuilds for our stable snapshot as needed. Issues regarding general network can be vary a lot based on your setup. Please use the forum to find a proper answer of your problem. Manjaro tries to do the best in finding the balance between stability and security. Since our security team is small, we might not be able to push all needed fixes as soon as needed to our stable branch. Also it may vary on which mirror you get the packages from. From cryptycat7 at gmail.com Tue Jul 17 17:29:41 2018 From: cryptycat7 at gmail.com (Cryptycat 7) Date: Tue, 17 Jul 2018 17:29:41 +0200 Subject: [mailman] Please stop forwarding emails from arch-security In-Reply-To: References: <20180717142549.GD16805@theia> <033974d7-53e0-52f9-005b-947c466808e2@manjaro.org>

Message-ID: Thank you for the clarification. I wasn't aware, that I was mailing to arch directly. Sorry about that. On Tue, 17 Jul 2018, 17:22 Philip Müller, wrote: > On 17.07.2018 17:08, Cryptycat 7 wrote: > > Ok, thanks. I just want to raise awareness for the issue. This malware > > infects routers and so far I didn't find a single one that isn't > > infected. Same goes for university and public wifis, business wifis > > whatever. I reached out to you because I hope that you can shed some > > light. Using manjaro I can't connect to the internet anymore not even if > > I use a LAN cable. I am in touch with NordVPN since this is established > > by blacklisting MAC adressses and BSSIDs starting with EE. If you know > > someone, that I should contact instead, that would be much appreciated. > > Well, it seems you had reached out directly to Arch. We used to use the > announcements by Arch to give you a similar service. Most of the > packages are added to our testing and unstable branches earlier. For > some of them we do rebuilds for our stable snapshot as needed. > > Issues regarding general network can be vary a lot based on your setup. > Please use the forum to find a proper answer of your problem. > > Manjaro tries to do the best in finding the balance between stability > and security. Since our security team is small, we might not be able to > push all needed fixes as soon as needed to our stable branch. Also it > may vary on which mirror you get the packages from. > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: