Package: rss2email
Version: 1:3.12.1-1
Severity: serious
Tags: upstream

Today I learned that rss2email copies the email addresses from feed entries into both the From field and the envelope sender of messages.

This is not acceptable behaviour in an email generator. The envelope sender *must* be set to an address that the user configures, where *they* can receive bounce messages.

The current behaviour results in bounces being sent to the authors of feed entries, which is what just happened to me. It can also result in messages being dropped if the forgery is detected by MTAs that check SPF.

Ben.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-1-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rss2email depends on:
ii  python3             3.8.2-3
ii  python3-feedparser  5.2.1-2
pn  python3-html2text   <none>

Versions of packages rss2email recommends:
ii  python3-bs4  4.9.1-1

Versions of packages rss2email suggests:
pn  esmtp  <none>

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
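
Added example, not part of the report and not rss2email's own code: a sketch of a sender that keeps the entry author in the From header but always takes the envelope sender from a user-configured bounce address, refusing to send when none is set. The function names, the RecordingSMTP stand-in and all addresses are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed sample entry; every address here is a placeholder.
ENTRY = {"author": "Feed Author <author@blog.example>",
         "title": "New post", "link": "https://blog.example/new-post"}


def build_message(entry, recipient):
    """Mail for one feed entry; the header From names the entry's author."""
    msg = EmailMessage()
    msg["From"] = formataddr(parseaddr(entry["author"]))
    msg["To"] = recipient
    msg["Subject"] = entry["title"]
    msg.set_content(entry["link"])
    return msg


def deliver(smtp, entry, recipient, bounce_address):
    """Send with the envelope sender fixed to the user's configured address."""
    addr = parseaddr(bounce_address or "")[1]
    if "@" not in addr:
        # Refuse to send rather than fall back to the author's address.
        raise ValueError("no usable bounce address configured")
    msg = build_message(entry, recipient)
    # from_addr is passed explicitly: smtplib's send_message() otherwise
    # derives the envelope sender from the Sender or From header.
    smtp.send_message(msg, from_addr=addr, to_addrs=[recipient])
    return addr


class RecordingSMTP:
    """Stand-in for smtplib.SMTP: records the envelope instead of sending."""

    def __init__(self):
        self.envelopes = []

    def send_message(self, msg, from_addr=None, to_addrs=None):
        if from_addr is None:  # mirrors smtplib's header fallback
            from_addr = parseaddr(str(msg["Sender"] or msg["From"]))[1]
        self.envelopes.append((from_addr, list(to_addrs)))


def demo():
    """Envelope senders seen with the header fallback, then with deliver()."""
    smtp = RecordingSMTP()
    smtp.send_message(build_message(ENTRY, "me@reader.example"),
                      to_addrs=["me@reader.example"])
    deliver(smtp, ENTRY, "me@reader.example", "rss-bounces@reader.example")
    return [sender for sender, _ in smtp.envelopes]
```
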