Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

I would like to update iptables-persistent in wheezy to fix a minor information disclosure bug. A diff is attached.

Thanks,

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog index a3ec0fe..2c467a2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +iptables-persistent (0.5.7+deb7u1) wheezy; urgency=medium + + * [062648] Stop rules files being world-readable. + Thanks to Bernhard Thaler (Closes: #764645) + + -- Jonathan Wiltshire <j...@debian.org> Sat, 02 Jan 2016 21:00:01 +0000 + iptables-persistent (0.5.7) unstable; urgency=low * [e7534a] Fix bashism in debian/iptables-persistent.init. diff --git a/debian/iptables-persistent.init b/debian/iptables-persistent.init index c7be564..15ad315 100644 --- a/debian/iptables-persistent.init +++ b/debian/iptables-persistent.init @@ -61,6 +61,8 @@ save_rules() log_action_cont_msg " skipping IPv4 (no modules loaded)" elif [ -x /sbin/iptables-save ]; then log_action_cont_msg " IPv4" + touch /etc/iptables/rules.v4 + chmod 0640 /etc/iptables/rules.v4 iptables-save > /etc/iptables/rules.v4 if [ $? -ne 0 ]; then rc=1 @@ -74,6 +76,8 @@ save_rules() log_action_cont_msg " skipping IPv6 (no modules loaded)" elif [ -x /sbin/ip6tables-save ]; then log_action_cont_msg " IPv6" + touch /etc/iptables/rules.v6 + chmod 0640 /etc/iptables/rules.v6 ip6tables-save > /etc/iptables/rules.v6 if [ $? -ne 0 ]; then rc=1
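
Review bot: In the IPv4 branch of save_rules() (hunk at -61,6), the exit status of the added `touch /etc/iptables/rules.v4` and `chmod 0640 /etc/iptables/rules.v4` is never checked, so if either fails, `iptables-save > /etc/iptables/rules.v4` still runs and writes the rules into a file with whatever mode it already has. Suggest setting rc=1 and skipping the save when the chmod fails, in the same style as the existing `if [ $? -ne 0 ]` check after the save. The brief window between touch and chmod is harmless, since the file is empty or holds only previously saved rules at that point.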
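
Review bot: The mode change in the IPv6 branch (hunk at -74,6), like its IPv4 twin, only takes effect the next time save_rules() runs, and the visible diff touches only debian/changelog and debian/iptables-persistent.init. A rules.v4 or rules.v6 that is already world-readable on an installed system therefore stays that way after the upgrade until the rules are saved again. If the update is meant to close #764645 on existing installs, a chmod of the existing files at upgrade time would cover that. The hunk also sets no owner or group, so `0640` grants read access to whatever group the file happens to have; either state the expected ownership or use 0600.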