Bug#359905: PTS: unsubscription fraud possible
On Wed, Mar 29, 2006 at 02:18:34PM +0100, MJ Ray (Debian) wrote:
> Package: qa.debian.org
> Severity: important
>
> Recently, I stopped receiving bug information via the PTS for
> rsnapshot (with various consequences including an NMU). I
> found nothing relevant in the PTS log files but I did see
> PTS mail was sent to several of my different email addresses.
>
> When tidying my PTS subscriptions after that, it seemed that
> I was not asked for confirmation when unsubscribing email
> addresses from some packages - anyone can unsubscribe
> any address from packages without the victim being told.
>
> I hope I have misunderstood. If not and this bug is tagged
> confirmed help, I will work on a patch when I get time.
This is briefly discussed and justified at:
#339724: unsubscribing to bug reports from web page open to malicious use
Package: qa.debian.org; Reported by: Shaddy_Baddah@hotmail.com; Tags: pts
Done: Raphael Hertzog <firstname.lastname@example.org>; Will be archived in 11 days.