found 318946 2.2.3-1
thanks

(2.2.3-1 is the version in sarge. Hopefully this prevents the bug from being archived.)
| Description
|
| A security vulnerability has been discovered which affects all
| supported stable versions of Shorewall. This vulnerability enables
| a client accepted by MAC address filtering to bypass any other rule.
| If MACLIST_TTL is set to a value greater than 0 or
| MACLIST_DISPOSITION is set to "ACCEPT" in
| /etc/shorewall/shorewall.conf (default is MACLIST_TTL=0 and
| MACLIST_DISPOSITION=REJECT), and a client is positively identified
| through its MAC address, it bypasses all other policies/rules in
| place, thus gaining access to all open services on the firewall.
|
| Fix
| Workaround
|
| For Shorewall 2.2.x or 2.4.x, set MACLIST_TTL=0 or
| MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf. For
| Shorewall 2.0.x, set MACLIST_DISPOSITION=REJECT in
| /etc/shorewall/shorewall.conf. MACLIST filtering is of limited
| value on Internet-connected hosts, and the Shorewall team recommends
| that this approach be used if possible.

<http://www.shorewall.net/News.htm#20050717>

Unfortunately, the errata for 2.2.5 does not apply cleanly to 2.2.3.
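The quoted advisory reduces to a two-setting check on /etc/shorewall/shorewall.conf: a host is exposed when MACLIST_TTL is greater than 0 or MACLIST_DISPOSITION is ACCEPT, with the stated defaults (MACLIST_TTL=0, MACLIST_DISPOSITION=REJECT) applying when a key is absent or commented out. The script below is an added example, not part of the bug report or of Shorewall itself; it audits a shorewall.conf for that combination and writes a copy with the advisory's workaround applied. The function names, the sample config fragments and the "last uncommented assignment wins" parsing rule are assumptions made for this example; the file is parsed as plain KEY=VALUE lines, which is how the advisory quotes the settings.

```shell
#!/bin/sh
# Added example: audit shorewall.conf for the MACLIST exposure described in
# the advisory. Not the bug report's or Shorewall's own code.

# maclist_setting FILE KEY
# Print the effective value of KEY: the last uncommented KEY=... line,
# with surrounding double quotes and trailing "# comment" stripped. When
# the key is missing, apply the defaults the advisory states
# (MACLIST_TTL=0, MACLIST_DISPOSITION=REJECT).
maclist_setting() {
    file=$1
    key=$2
    val=$(sed -n "s/^[[:space:]]*$key=\(.*\)$/\1/p" "$file" | tail -n 1 \
          | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/')
    if [ -z "$val" ]; then
        case $key in
            MACLIST_TTL) val=0 ;;
            MACLIST_DISPOSITION) val=REJECT ;;
        esac
    fi
    printf '%s\n' "$val"
}

# maclist_verdict FILE
# Print "EXPOSED ..." when a MAC-identified client would bypass the
# remaining rules (TTL > 0 or disposition ACCEPT), otherwise "OK ...".
# A non-numeric TTL is treated as exposed rather than silently ignored.
# Always exits 0 so it can be called under set -e.
maclist_verdict() {
    ttl=$(maclist_setting "$1" MACLIST_TTL)
    disp=$(maclist_setting "$1" MACLIST_DISPOSITION)
    case $ttl in
        ''|*[!0-9]*) ttl_bad=1 ;;
        *) [ "$ttl" -gt 0 ] && ttl_bad=1 || ttl_bad=0 ;;
    esac
    if [ "$ttl_bad" = 1 ] || [ "$disp" = ACCEPT ]; then
        printf 'EXPOSED (MACLIST_TTL=%s MACLIST_DISPOSITION=%s)\n' "$ttl" "$disp"
    else
        printf 'OK (MACLIST_TTL=%s MACLIST_DISPOSITION=%s)\n' "$ttl" "$disp"
    fi
}

# maclist_harden IN OUT
# Write a copy of IN to OUT with the advisory's workaround applied:
# existing MACLIST_TTL/MACLIST_DISPOSITION assignments are commented out
# and the safe values appended. Writing a new file avoids the non-POSIX
# sed -i and leaves the original for review.
maclist_harden() {
    sed -e 's/^\([[:space:]]*MACLIST_TTL=\)/#\1/' \
        -e 's/^\([[:space:]]*MACLIST_DISPOSITION=\)/#\1/' "$1" > "$2"
    printf 'MACLIST_TTL=0\nMACLIST_DISPOSITION=REJECT\n' >> "$2"
}

# Constructed sample configurations (not from any real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/exposed-ttl.conf" <<'EOF'
# constructed fragment: disposition is fine, but a positive TTL caches
# the MAC verdict and a verified client skips the other rules
MACLIST_TTL=900
MACLIST_DISPOSITION=REJECT
EOF

cat > "$SAMPLE_DIR/exposed-accept.conf" <<'EOF'
# constructed fragment: TTL is 0, but ACCEPT lets a verified client through
MACLIST_TTL=0
MACLIST_DISPOSITION="ACCEPT"   # allow known MACs
EOF

cat > "$SAMPLE_DIR/defaults.conf" <<'EOF'
# constructed fragment: both keys commented out, so the defaults apply
#MACLIST_TTL=300
#MACLIST_DISPOSITION=ACCEPT
EOF

for f in exposed-ttl exposed-accept defaults; do
    printf '%-15s %s\n' "$f:" "$(maclist_verdict "$SAMPLE_DIR/$f.conf")"
done
maclist_harden "$SAMPLE_DIR/exposed-accept.conf" "$SAMPLE_DIR/fixed.conf"
printf '%-15s %s\n' "fixed:" "$(maclist_verdict "$SAMPLE_DIR/fixed.conf")"
```

To audit a live system, call `maclist_verdict /etc/shorewall/shorewall.conf`; `maclist_harden` writes to a separate path so the change can be diffed before it replaces the real file and Shorewall is restarted.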