Package: iptables
Version: 1.4.14-3.1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: t...@security.debian.org, secure-testing-t...@lists.alioth.debian.org
After a squeeze -> wheezy upgrade, iptables refuses to load rules that worked in squeeze and were generated using squeeze's iptables-save. The result is that after the upgrade the entire iptables system is broken, leaving the machine completely open to the network. It is a mostly silent failure, and the admin would only discover it by reviewing startup logs or portscanning the machine. There are no notifications of the incompatible change during the upgrade and it's not even documented in either of the changelogs.

The specific syntax change to rules was:

  squeeze:  -d !123.123.123.123
  wheezy:   ! -d 123.123.123.123

where -d could be any of a number of flags that accept negative arguments. Because iptables-restore uses an all-or-nothing approach, having even one rule with the incompatible syntax will prevent all rules from being loaded.

If an upgrade breaks existing rules in a way that will cause iptables-restore to fail, there should be a VERY prominent warning during the upgrade. I'd say that about almost any package, but for one as security-critical as iptables to break silently after a routine upgrade really seems to fall below Debian's quality standards.

To fill in a bit of relevant information, Debian's iptables package doesn't include a method of automatically saving or restoring rules on shutdown/boot. That means this bug could manifest itself in a number of ways depending on how the admin has configured the save/restore process. The simplest and possibly most common method would be to use /etc/rc.local or an /etc/init.d script to run iptables-restore. In any case the restore would certainly be done automatically on boot in order to secure the network as soon as possible. If the admin had set up an automatic iptables-save during shutdown they may have avoided this bug by happenstance, since the rules would be saved by wheezy's iptables-save before the next reboot. However, automatically saving rules may not be common, and the iptables-persistent package in Debian only auto-restores and does not auto-save.

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iptables depends on:
ii  libc6          2.13-38+deb7u1
ii  libnfnetlink0  1.0.0-1.1

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information
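The failure mode described in the report (one rule in the old "-d !addr" form makes iptables-restore reject the whole ruleset) can be caught before a reboot by scanning the saved dump for the squeeze-style inline negation and rewriting it to the wheezy "! -d addr" form. The script below is an added example, not part of the bug report or of the Debian iptables package; the sample ruleset is constructed for the demonstration, and the regular expression is a simple heuristic that assumes the incompatible form is always a flag followed by a value beginning with "!", exactly as the report describes.

```shell
#!/bin/sh
# Pre-flight check for squeeze -> wheezy iptables negation syntax.
# Constructed sample of a squeeze-era iptables-save dump (not from the report).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s !192.0.2.10/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -d !198.51.100.5 -j LOG
-A INPUT -p !icmp -i !eth0 -j DROP
-A INPUT ! -s 203.0.113.0/24 -j ACCEPT
COMMIT'

# Heuristic (assumption, see lead-in): a short or long flag, whitespace, then a
# value that starts with "!". Already-converted rules ("! -s addr") do not match.
OLD_NEG_RE='(^|[[:space:]])(-[a-zA-Z]|--[a-zA-Z-]+)[[:space:]]+![^[:space:]]'

# Print, with line numbers, every rule that still uses the old negation form.
list_old_negation() {
    printf '%s\n' "$1" | grep -nE -- "$OLD_NEG_RE" || true
}

# Return the number of lines still carrying old-style negation (0 when clean).
count_old_negation() {
    printf '%s\n' "$1" | grep -cE -- "$OLD_NEG_RE" || true
}

# Rewrite every "FLAG !VALUE" on a line into "! FLAG VALUE". The :a/ta loop
# repeats the substitution until a line has no more matches, so rules with
# several negated flags are fully converted.
convert_negation() {
    printf '%s\n' "$1" | sed -E \
        -e ':a' \
        -e 's/(^|[[:space:]])(-[a-zA-Z]|--[a-zA-Z-]+)[[:space:]]+!([^[:space:]]+)/\1! \2 \3/' \
        -e 'ta'
}

echo "Rules using pre-wheezy negation syntax:"
list_old_negation "$SAMPLE_RULES"
CONVERTED=$(convert_negation "$SAMPLE_RULES")
echo "Old-style rules remaining after conversion: $(count_old_negation "$CONVERTED")"
echo "Converted ruleset:"
printf '%s\n' "$CONVERTED"
```

On a real system the dump would be read from the file the boot script feeds to iptables-restore (for example /etc/iptables/rules.v4 for iptables-persistent, or whatever /etc/rc.local references); run the converted output through `iptables-restore --test` (wheezy's iptables-restore parses the ruleset without committing it) before replacing the file, and keep the original around until a reboot has confirmed the rules load.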