[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Wed Aug 1 21:10:29 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
da55727a by security tracker role at 2018-08-01T20:10:20Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,21 @@
+CVE-2018-14777 (An issue was discovered in DataLife Engine (DLE) through 13.0. An ...)
+ TODO: check
+CVE-2018-1000631
+ RESERVED
+CVE-2018-1000630
+ RESERVED
+CVE-2018-1000629
+ RESERVED
+CVE-2018-1000628
+ RESERVED
+CVE-2018-1000627
+ RESERVED
+CVE-2018-1000626
+ RESERVED
+CVE-2018-1000625
+ RESERVED
+CVE-2018-1000624
+ RESERVED
CVE-2018-14776 (Click Studios Passwordstate before 8.3 Build 8397 allows XSS by ...)
NOT-FOR-US: Click Studios Passwordstate
CVE-2018-14775 (tss_alloc in sys/arch/i386/i386/gdt.c in OpenBSD 6.2 and 6.3 has a ...)
@@ -16,39 +34,39 @@ CVE-2018-14769
RESERVED
CVE-2018-14768
RESERVED
-CVE-2018-1999025
+CVE-2018-1999025 (A man in the middle vulnerability exists in Jenkins TraceTronic ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999026
+CVE-2018-1999026 (A server-side request forgery vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999027
+CVE-2018-1999027 (An exposure of sensitive information vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999028
+CVE-2018-1999028 (An exposure of sensitive information vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999029
+CVE-2018-1999029 (A cross-site scripting vulnerability exists in Jenkins Shelve Project ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999041
+CVE-2018-1999041 (An exposure of sensitive information vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999040
+CVE-2018-1999040 (An exposure of sensitive information vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999039
+CVE-2018-1999039 (A server-side request forgery vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999038
+CVE-2018-1999038 (A confused deputy vulnerability exists in Jenkins Publisher Over CIFS ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999037
+CVE-2018-1999037 (A data modification vulnerability exists in Jenkins Resource Disposer ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999036
+CVE-2018-1999036 (An exposure of sensitive information vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999030
+CVE-2018-1999030 (An exposure of sensitive information vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999031
+CVE-2018-1999031 (An exposure of sensitive information vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999032
+CVE-2018-1999032 (A data modification vulnerability exists in Jenkins Agiletestware ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999033
+CVE-2018-1999033 (An exposure of sensitive information vulnerability exists in Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999034
+CVE-2018-1999034 (A man in the middle vulnerability exists in Jenkins Inedo ProGet ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1999035
+CVE-2018-1999035 (A man in the middle vulnerability exists in Jenkins Inedo BuildMaster ...)
NOT-FOR-US: Jenkins plugin
CVE-2018-14767 (In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message ...)
- kamailio 5.1.4-1
@@ -5638,10 +5656,10 @@ CVE-2018-12469
RESERVED
CVE-2018-12468
RESERVED
-CVE-2018-12467
- RESERVED
-CVE-2018-12466
- RESERVED
+CVE-2018-12467 (Authorized users of the openbuildservice before 2.9.4 could delete ...)
+ TODO: check
+CVE-2018-12466 (openSUSE openbuildservice before 9.2.4 allowed authenticated users to ...)
+ TODO: check
CVE-2018-12465 (An OS command injection vulnerability in the web administration ...)
NOT-FOR-US: Micro Focus
CVE-2018-12464 (A SQL injection vulnerability in the web administration and quarantine ...)
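Review bot: the two new openbuildservice descriptions disagree on the fixed version. CVE-2018-12467 says "before 2.9.4" while CVE-2018-12466 says "before 9.2.4", which looks like transposed digits in one of them. Both are still "TODO: check", so whoever triages them should confirm the fixed upstream release before recording a fixed version for the Debian package, and add a NOTE line with the upstream reference so the discrepancy is documented.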
@@ -9728,8 +9746,7 @@ CVE-2018-10918
RESERVED
CVE-2018-10917
RESERVED
-CVE-2018-10916 [Exploit in reverse mirror job deletes cwd on source]
- RESERVED
+CVE-2018-10916 (It has been discovered that lftp up to and including version 4.8.3 ...)
- lftp <unfixed> (bug #905163)
[stretch] - lftp <no-dsa> (Minor issue)
NOTE: https://github.com/lavv17/lftp/issues/452
@@ -9788,14 +9805,12 @@ CVE-2018-10899
RESERVED
CVE-2018-10898 (A vulnerability was found in openstack-tripleo-heat-templates before ...)
- tripleo-heat-templates <removed>
-CVE-2018-10897 [reposync: improper path validation may lead to directory traversal]
- RESERVED
+CVE-2018-10897 (A directory traversal issue was found in reposync, a part of ...)
- yum-utils <unfixed>
[stretch] - yum-utils <ignored> (Minor issue)
[jessie] - yum-utils <ignored> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1600221
-CVE-2018-10896
- RESERVED
+CVE-2018-10896 (The default cloud-init configuration, in cloud-init 0.6.2 and newer, ...)
NOT-FOR-US: Red Hat-specific packaging flaw of cloud-init default config
CVE-2018-10895 (qutebrowser before version 1.4.1 is vulnerable to a cross-site request ...)
- qutebrowser 1.4.1-1
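Review bot: CVE-2018-10896 keeps its "NOT-FOR-US: Red Hat-specific packaging flaw of cloud-init default config" line, but the description added here names "cloud-init 0.6.2 and newer" in general. cloud-init is packaged in Debian, and a NOT-FOR-US entry is not attached to any package. If the Debian default configuration is confirmed unaffected, an explicit "- cloud-init <not-affected> (...)" line with the same reason would record that decision where the package's maintainers will see it.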
@@ -9803,8 +9818,7 @@ CVE-2018-10895 (qutebrowser before version 1.4.1 is vulnerable to a cross-site r
NOTE: https://github.com/qutebrowser/qutebrowser/issues/4060
NOTE: Introduced in: https://github.com/qutebrowser/qutebrowser/commit/ffc29ee (v1.0.0)
NOTE: Fixed in: https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660 (v1.4.1)
-CVE-2018-10894
- RESERVED
+CVE-2018-10894 (It was found that SAML authentication in Keycloak 3.4.3.Final ...)
NOT-FOR-US: Keycloak
CVE-2018-10893 [Insufficient encoding checks for LZ can cause different integer/buffer overflows]
RESERVED
@@ -10576,8 +10590,8 @@ CVE-2018-10620 (AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine
NOT-FOR-US: AVEVA
CVE-2018-10619 (An unquoted search path or element in RSLinx Classic Versions 3.90.01 ...)
NOT-FOR-US: RSLinx
-CVE-2018-10618
- RESERVED
+CVE-2018-10618 (Davolink DVW-3200N all version prior to Version 1.00.06. The device ...)
+ TODO: check
CVE-2018-10617 (Delta Electronics Delta Industrial Automation DOPSoft version 4.00.04 ...)
NOT-FOR-US: Delta Electronics Delta Industrial Automation DOPSoft
CVE-2018-10616 (ABB Panel Builder 800 all versions has an improper input validation ...)
@@ -16970,8 +16984,7 @@ CVE-2018-8036 (In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefu
NOTE: http://www.openwall.com/lists/oss-security/2018/06/29/2
CVE-2018-8035
RESERVED
-CVE-2018-8034 [host name verification missing in WebSocket client]
- RESERVED
+CVE-2018-8034 (The host name verification when using TLS with the WebSocket client ...)
{DLA-1453-1}
- tomcat9 <itp> (bug #802312)
- tomcat8 8.5.32-1
@@ -28968,12 +28981,12 @@ CVE-2018-3925
RESERVED
CVE-2018-3924
RESERVED
-CVE-2018-3923
- RESERVED
-CVE-2018-3922
- RESERVED
-CVE-2018-3921
- RESERVED
+CVE-2018-3923 (A memory corruption vulnerability exists in the PCX-parsing ...)
+ TODO: check
+CVE-2018-3922 (A memory corruption vulnerability exists in the ANI-parsing ...)
+ TODO: check
+CVE-2018-3921 (A memory corruption vulnerability exists in the PSD-parsing ...)
+ TODO: check
CVE-2018-3920
RESERVED
CVE-2018-3919
@@ -29128,8 +29141,8 @@ CVE-2018-3848 (In the ffghbn function in NASA CFITSIO 3.42, specially crafted im
[jessie] - cfitsio <no-dsa> (Minor issue)
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0531
NOTE: Mitigated to a crash due to hardened build flags
-CVE-2018-3847
- RESERVED
+CVE-2018-3847 (Multiple exploitable buffer overflow vulnerabilities exist in image ...)
+ TODO: check
CVE-2018-3846 (In the ffgphd and ffgtkn functions in NASA CFITSIO 3.42, specially ...)
- cfitsio 3.430-1 (low; bug #892458)
[stretch] - cfitsio <no-dsa> (Minor issue)
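Review bot: CVE-2018-3847 is added as "TODO: check" between CVE-2018-3848 and CVE-2018-3846, both of which are NASA CFITSIO issues already tracked against cfitsio. The truncated description only says "buffer overflow vulnerabilities exist in image ...", so read the full text first. If it is the same library, the entry can follow its neighbours (fixed version, the "<no-dsa> (Minor issue)" lines for the stable releases, and the hardened-build-flags NOTE if it applies) instead of staying unresolved.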
@@ -29851,20 +29864,20 @@ CVE-2018-3674
RESERVED
CVE-2018-3673
RESERVED
-CVE-2018-3672
- RESERVED
-CVE-2018-3671
- RESERVED
-CVE-2018-3670
- RESERVED
+CVE-2018-3672 (Driver module in Intel Smart Sound Technology before version ...)
+ TODO: check
+CVE-2018-3671 (Escalation of privilege in Intel Saffron admin application before 11.4 ...)
+ TODO: check
+CVE-2018-3670 (Driver module in Intel Smart Sound Technology before version ...)
+ TODO: check
CVE-2018-3669
RESERVED
CVE-2018-3668 (Unquoted service paths in Intel Processor Diagnostic Tool (IPDT) ...)
NOT-FOR-US: Intel
CVE-2018-3667 (Installation tool IPDT (Intel Processor Diagnostic Tool) 4.1.0.24 sets ...)
NOT-FOR-US: Intel
-CVE-2018-3666
- RESERVED
+CVE-2018-3666 (Driver module in Intel Smart Sound Technology before version ...)
+ TODO: check
CVE-2018-3665 (System software utilizing Lazy FP state restore technique on systems ...)
{DSA-4232-1 DLA-1422-1}
- linux 4.6.1-1
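Review bot: the four new "TODO: check" entries in this hunk (CVE-2018-3672, CVE-2018-3670 and CVE-2018-3666 for Intel Smart Sound Technology, CVE-2018-3671 for the Intel Saffron admin application) sit next to CVE-2018-3668 and CVE-2018-3667, which are already "NOT-FOR-US: Intel". If these products are confirmed not to be packaged, resolve them the same way in the follow-up commit so they do not linger in the TODO list.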
@@ -29875,10 +29888,10 @@ CVE-2018-3665 (System software utilizing Lazy FP state restore technique on syst
NOTE: Hard-disable lazy FPU mode: https://git.kernel.org/linus/ca6938a1cd8a1c5e861a99b67f84ac166fc2b9e7
CVE-2018-3664
RESERVED
-CVE-2018-3663
- RESERVED
-CVE-2018-3662
- RESERVED
+CVE-2018-3663 (Escalation of privilege in Intel Saffron MemoryBase before 11.4 allows ...)
+ TODO: check
+CVE-2018-3662 (Escalation of privilege in Intel Saffron MemoryBase before version ...)
+ TODO: check
CVE-2018-3661 (Buffer overflow in Intel system Configuration utilities selview.exe ...)
NOT-FOR-US: Intel
CVE-2018-3660
@@ -29901,8 +29914,8 @@ CVE-2018-3652 (Existing UEFI setting restrictions for DCI (Direct Connect Interf
NOT-FOR-US: Intel
CVE-2018-3651
RESERVED
-CVE-2018-3650
- RESERVED
+CVE-2018-3650 (Insufficient Input Validation in Bleach module in INTEL Distribution ...)
+ TODO: check
CVE-2018-3649 (DLL injection vulnerability in the installation executables ...)
NOT-FOR-US: Intel
CVE-2018-3648
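Review bot: CVE-2018-3650 should not be closed as "NOT-FOR-US: Intel" by analogy with CVE-2018-3652 and CVE-2018-3649 around it. The description names the "Bleach module in INTEL Distribution ...", and Bleach is also shipped in Debian as python-bleach, so the TODO needs a check of whether the flaw is in upstream Bleach or only in Intel's bundled copy before it is marked either way.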
@@ -35321,8 +35334,8 @@ CVE-2018-1597
RESERVED
CVE-2018-1596
RESERVED
-CVE-2018-1595
- RESERVED
+CVE-2018-1595 (IBM Spectrum Symphony and Platform Symphony 7.1.2 and 7.2.0.2 could ...)
+ TODO: check
CVE-2018-1594
RESERVED
CVE-2018-1593
@@ -75661,8 +75674,8 @@ CVE-2017-5694 (Data corruption vulnerability in firmware in Intel Solid-State Dr
NOT-FOR-US: Intel
CVE-2017-5693 (Firmware in the Intel Puma 5, 6, and 7 Series might experience ...)
NOT-FOR-US: Intel Puma
-CVE-2017-5692
- RESERVED
+CVE-2017-5692 (Out-of-bounds read condition in older versions of some Intel Graphics ...)
+ TODO: check
CVE-2017-5691 (Incorrect check in Intel processors from 6th and 7th Generation Intel ...)
NOT-FOR-US: Intel CPUs
CVE-2017-5690
@@ -90790,8 +90803,7 @@ CVE-2016-9584 (libical allows remote attackers to cause a denial of service ...)
[jessie] - libical <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2016/12/15/5
NOTE: Upstream ticket: https://github.com/libical/libical/issues/253
-CVE-2016-9583 [Out of bounds heap read in jpc_pi_nextpcrl()]
- RESERVED
+CVE-2016-9583 (An out-of-bounds heap read vulnerability was found in the ...)
- jasper <removed> (unimportant)
NOTE: https://github.com/mdadams/jasper/issues/103
NOTE: Fixed by https://github.com/mdadams/jasper/commit/99a50593254d1b53002719bbecfc946c84b23d27
@@ -90801,20 +90813,17 @@ CVE-2016-9583 [Out of bounds heap read in jpc_pi_nextpcrl()]
NOTE: Not suitable for code injection, hardly denial of service
CVE-2016-9582
REJECTED
-CVE-2016-9581 [infinite loop in tiftoimage resulting into heap buffer overflow in convert_32s_C1P1]
- RESERVED
+CVE-2016-9581 (An infinite loop vulnerability in tiftoimage that results in heap ...)
- openjpeg2 <unfixed> (unimportant)
NOTE: https://github.com/uclouvain/openjpeg/issues/872
NOTE: Fixed by: https://github.com/szukw000/openjpeg/commit/cadff5fb6e73398de26a92e96d3d7cac893af255
NOTE: not built into the binary packages
-CVE-2016-9580 [integer overflow in tiftoimage resulting into heap buffer overflow]
- RESERVED
+CVE-2016-9580 (An integer overflow vulnerability was found in tiftoimage function in ...)
- openjpeg2 <unfixed> (unimportant)
NOTE: https://github.com/uclouvain/openjpeg/issues/871
NOTE: Fixed by: https://github.com/szukw000/openjpeg/commit/cadff5fb6e73398de26a92e96d3d7cac893af255
NOTE: not built into the binary packages
-CVE-2016-9579 [RGW server DoS via request with invalid HTTP Origin header]
- RESERVED
+CVE-2016-9579 (A flaw was found in the way Ceph Object Gateway would process ...)
- ceph 10.2.5-2 (bug #849048)
[jessie] - ceph 0.80.7-2+deb8u2
NOTE: http://tracker.ceph.com/issues/18187
@@ -90855,8 +90864,7 @@ CVE-2016-9573 (An out-of-bounds read vulnerability was found in OpenJPEG 2.1.2,
- openjpeg2 2.1.2-1.1 (bug #851422)
NOTE: https://github.com/uclouvain/openjpeg/issues/863
NOTE: https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d
-CVE-2016-9572
- RESERVED
+CVE-2016-9572 (A NULL pointer dereference flaw was found in the way openjpeg 2.1.2 ...)
{DSA-3768-1}
- openjpeg2 2.1.2-1.1 (bug #851422)
NOTE: https://github.com/uclouvain/openjpeg/issues/863
@@ -94021,22 +94029,19 @@ CVE-2016-8655 (Race condition in net/packet/af_packet.c in the Linux kernel thro
NOTE: Introduced by: https://git.kernel.org/linus/f6fb8f100b807378fda19e83e5ac6828b638603a (v3.2-rc1)
NOTE: Fixed by: https://git.kernel.org/linus/84ac7260236a49c79eede91617700174c2c19b0c (v4.9-rc8)
NOTE: Non-privileged user namespaces disabled by default, only exploitable by arbitrary user if sysctl kernel.unprivileged_userns_clone=1
-CVE-2016-8654 [Heap-based buffer overflow in QMFB code in JPC codec]
- RESERVED
+CVE-2016-8654 (A heap-buffer overflow vulnerability was found in QMFB code in JPC ...)
{DSA-3785-1 DLA-739-1}
- jasper <removed>
NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/93
NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/94
NOTE: https://github.com/mdadams/jasper/commit/4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a
-CVE-2016-8653
- RESERVED
+CVE-2016-8653 (It was found that the JMX endpoint of Red Hat JBoss Fuse 6, and Red ...)
NOT-FOR-US: JMX endpoint of Red Hat JBoss Fuse 6 and Red Hat A-MQ 6
CVE-2016-8652 (The auth component in Dovecot before 2.2.27, when auth-policy is ...)
- dovecot 1:2.2.27-1 (bug #846605)
[jessie] - dovecot <not-affected> (Only affects 2.2.25 up and including 2.2.26.1)
[wheezy] - dovecot <not-affected> (Only affects 2.2.25 up and including 2.2.26.1)
-CVE-2016-8651
- RESERVED
+CVE-2016-8651 (An input validation flaw was found in the way OpenShift 3 handles ...)
NOT-FOR-US: OpenShift Enterprise
CVE-2016-8650 (The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through ...)
- linux 4.8.11-1
@@ -94054,8 +94059,7 @@ CVE-2016-8649 (lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 allows an att
NOTE: Fixed by: https://github.com/lxc/lxc/commit/81f466d05f2a89cb4f122ef7f593ff3f279b165c
NOTE: Details: https://launchpad.net/bugs/1639345
NOTE: To be complete this needs as well changes to src:linux
-CVE-2016-8648
- RESERVED
+CVE-2016-8648 (It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, ...)
NOT-FOR-US: Karaf container uses by Red Hat products
CVE-2016-8647 (An input validation vulnerability was found in Ansible's mysql_user ...)
- ansible 2.2.0.0-4 (bug #844691)
@@ -94084,17 +94088,14 @@ CVE-2016-8642 (In Moodle 2.x and 3.x, the question engine allows access to files
CVE-2016-10089 (Nagios 4.3.2 and earlier allows local users to gain root privileges ...)
- nagios3 <not-affected> (Vulnerable code not present)
NOTE: Flaw in upstream damon-init.in. Debian package installs an own init-skript.
-CVE-2016-8641
- RESERVED
+CVE-2016-8641 (A privilege escalation vulnerability was found in nagios 4.2.x that ...)
- nagios3 <not-affected> (Vulnerable code not present)
NOTE: Flaw in upstream damon-init.in. Debian package installs an own init-skript.
-CVE-2016-8640
- RESERVED
+CVE-2016-8640 (A SQL injection vulnerability in pycsw all versions before 2.0.2, ...)
- pycsw 2.0.2+dfsg-1
NOTE: https://github.com/geopython/pycsw/pull/474/files
NOTE: https://patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patch
-CVE-2016-8639
- RESERVED
+CVE-2016-8639 (It was found that foreman before 1.13.0 is vulnerable to a stored XSS ...)
- foreman <itp> (bug #663101)
NOTE: http://projects.theforeman.org/issues/15037
NOTE: https://github.com/theforeman/foreman/pull/3523
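Review bot: the NOTE kept under CVE-2016-8641 (and duplicated under CVE-2016-10089 just above it) reads "Flaw in upstream damon-init.in. Debian package installs an own init-skript."; "damon-init.in" is presumably "daemon-init.in" and "init-skript" should be "init script". Worth correcting in both entries now that the description is public, since these notes are searched for the affected file name.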
@@ -94102,8 +94103,7 @@ CVE-2016-8638 (A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.
- ipsilon <itp> (bug #826838)
NOTE: https://ipsilon-project.org/advisory/CVE-2016-8638.txt
NOTE: https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c
-CVE-2016-8637 [dracut creates world readble initramfs when early cpio is used]
- RESERVED
+CVE-2016-8637 (A local information disclosure issue was found in dracut before 045 ...)
- dracut 044+189-1 (low; bug #843697)
[jessie] - dracut <no-dsa> (Minor issue)
[wheezy] - dracut <not-affected> (Introduced in 030 upstream)
@@ -94114,15 +94114,13 @@ CVE-2016-8636 (Integer overflow in the mem_check_range function in ...)
[jessie] - linux <not-affected> (Vulnerable code not present)
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: Fix https://github.com/torvalds/linux/commit/647bf3d8a8e5777319da92af672289b2a6c4dc66
-CVE-2016-8635 [small-subgroups attack flaw]
- RESERVED
+CVE-2016-8635 (It was found that Diffie Hellman Client key exchange handling in NSS ...)
- nss 2:3.25-1
NOTE: Patch as applied in CentOS (but contains other changes):
NOTE: https://git.centos.org/blob/rpms!nss!/aada6b10b73091276397404059605d13e7548462/SOURCES!moz-1314604.patch
NOTE: Further info: https://bugzilla.redhat.com/show_bug.cgi?id=1391818
NOTE: Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1314604
-CVE-2016-8634
- RESERVED
+CVE-2016-8634 (A vulnerability was found in foreman 1.14.0. When creating an ...)
- foreman <itp> (bug #663101)
NOTE: http://projects.theforeman.org/issues/17195
CVE-2016-8633 (drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain ...)
@@ -94249,11 +94247,9 @@ CVE-2016-8610 (A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2
NOTE: Fixed by: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1384743 mentions countermeasures in gnutls
NOTE: https://gitlab.com/gnutls/gnutls/commit/1ffb827e45721ef56982d0ffd5c5de52376c428e
-CVE-2016-8609
- RESERVED
+CVE-2016-8609 (It was found that the keycloak before 2.3.0 did not implement ...)
NOT-FOR-US: Keycloak
-CVE-2016-8608
- RESERVED
+CVE-2016-8608 (JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via ...)
NOT-FOR-US: JBoss BPMS
CVE-2016-8607
RESERVED
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/da55727a1a0a6fbf07a64caf7039ce92205e6c29