* Martin Schulze:

> What was the behaviour pre-sarge?
> What is the behaviour post-sarge (or rather in sarge)?

Do you mean "before and after the upstream security update"?  The
terms pre-sarge/post-sarge do not make much sense to me in this
context, I'm afraid.

> What do you think is the vulnerability?

The vulnerability is that the firewall fails to enforce the security
policy the user has configured.

I'm aware that this is not a vulnerability according to the OIS
definition.  But few security bugs are because this definition is too
narrow to be practical.

> Why do you think there should be a DSA and what should
> it cover?

Here's a draft, in case you want to upload a fixed package.

(Note that I have yet to test Lorenzo's new package.)

--------------------------------------------------------------------------
Debian Security Advisory DSA ???-1                     [EMAIL PROTECTED]
http://www.debian.org/security/
September ???, 2005                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : shorewall
Vulnerability  : programming error
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-????
Debian Bug     : 318946

Supernaut noticed that shorewall could generate an iptables
configuration which is significantly more permissive than the rule set
given in the shorewall configuration.

There are two issues, both related to the MAC verification configured
in the "maclist" file.  When MACLIST_DISPOSITION is set to ACCEPT in
the shorewall.conf file, all packets from hosts which fail the MAC
verification pass through the firewall, without further checks.  When
MACLIST_TTL is set to a non-zero value, packets from hosts which pass
the MAC verification pass through the firewall, again without further
checks.

Configurations which do not use MAC verification or use MAC
verification with the default values for MACLIST_DISPOSITION or
MACLIST_TTL are not affected.

The update corrects both problems, by enforcing a stricter policy: The
remaining rules are always processed, even if MAC filters are present,
and independently of the result of MAC verification.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 2.2.3-2.

For the unstable distribution (sid) this problem has been fixed in
version 2.4.1-2.

Upgrade Instructions
--------------------

[snip]
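
As an added illustration (not part of this message and not shorewall's code), the following Python model of netfilter chain traversal contrasts a maclist chain whose result is terminal with one that returns to the remaining rules, which is what the fixed behaviour in the draft requires. The chain layouts, the sample MAC addresses, the telnet rule and the MACLIST_TTL value of 300 are constructed assumptions, not the rules shorewall actually generates.

```python
"""Simplified model of netfilter chain traversal (added example, not
shorewall code).  Chain layouts, sample MAC addresses and the telnet rule
are constructed assumptions used to contrast a maclist chain whose result
is terminal with one that returns to the remaining rules."""
ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"

def traverse(chains, chain, pkt):
    """Walk `chain` for `pkt`: a terminal verdict, or None when the chain
    is left via RETURN or runs off its end (the caller then continues)."""
    for match, target in chains[chain]:
        if not match(pkt):
            continue
        if target in (ACCEPT, DROP):
            return target
        if target == RETURN:
            return None
        verdict = traverse(chains, target, pkt)  # jump into a user chain
        if verdict is not None:
            return verdict
    return None

def decide(chains, pkt, policy=DROP):
    """Verdict for `pkt` entering 'input'; the chain policy if nothing fires."""
    return traverse(chains, "input", pkt) or policy

TRUSTED_MACS = {"00:11:22:33:44:55"}  # constructed maclist entry
mac_ok = lambda p: p["mac"] in TRUSTED_MACS
mac_bad = lambda p: p["mac"] not in TRUSTED_MACS
telnet = lambda p: p["dport"] == 23
any_pkt = lambda p: True

def build_chains(maclist_disposition, maclist_ttl, fixed):
    """Buggy: a non-zero MACLIST_TTL makes a verified host ACCEPT outright and
    a disposition of ACCEPT is itself terminal.  Fixed: both cases RETURN to
    the remaining rules; a DROP disposition still drops unverified hosts."""
    pass_target = RETURN if (fixed or maclist_ttl == 0) else ACCEPT
    fail_target = RETURN if (fixed and maclist_disposition == ACCEPT) else maclist_disposition
    return {
        # The administrator's rule set: check MACs, then block telnet.
        "input": [(any_pkt, "maclist"), (telnet, DROP), (any_pkt, ACCEPT)],
        "maclist": [(mac_ok, pass_target), (mac_bad, fail_target)],
    }

def verdicts(fixed):
    """Telnet from an unknown MAC under MACLIST_DISPOSITION=ACCEPT, and from
    a known MAC under MACLIST_TTL=300; the telnet rule should drop both."""
    unknown = {"mac": "de:ad:be:ef:00:01", "dport": 23}
    known = {"mac": "00:11:22:33:44:55", "dport": 23}
    return (decide(build_chains(ACCEPT, 0, fixed), unknown),
            decide(build_chains(DROP, 300, fixed), known))
```

With the unfixed layout both telnet packets are accepted before the telnet rule is ever consulted; with the fixed layout the maclist chain returns and the telnet rule drops them.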

