Florian Weimer wrote:
> * Michael Stone:
>
>> Contact the security team. Describe the bug in such a way that the
>> security team understands its severity and impact. It is not sufficient
>> to say "just trust me and issue an advisory". From what I've seen so far
>> this is not the obvious buffer overflow sort of bug, it's a configured
>> behavior which deviates from some documented expectation. The question,
>> then, is how that deviation occurs, what the documented expectation is,
>> and (most importantly for stable) is there any chance that someone might
>> be relying on the implemented behavior rather than the documented
>> behavior.
>
> It seems that shorewall generates an ACL that ACCEPTs all traffic once
> a MAC rule matches. Further rules are not considered. The
> explanations in version 2.2.3 seem to indicate that this was the
> intended behavior, but its implications surprised upstream, and a
> corrected version was released.
>
> IMHO, Debian should publish at least a DSA that explains this
> discrepancy, especially if the package maintainer also thinks that
> it's necessary.
It seems to be fairly tricky to determine how much of a security risk a bug has to be before a fix will find its way into stable.

Another example is fwbuilder, which *silently* fails to overwrite its generated script at compile time if the user doesn't have write permissions on the existing script. I view this as a security problem because what if you *think* you've made changes to your firewall and are now protected, only... you aren't, and the firewall hasn't been updated?

Is that enough of a security problem for the fix to get into stable? Who decides?
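The fwbuilder failure mode described above (a compile step that exits successfully but leaves the old script in place) is exactly the kind of thing an operator can guard against locally while waiting for a fixed package. The wrapper below is an added example, not fwbuilder's or shorewall's own code: it runs any compiler command that writes a firewall script to a given path and refuses to report success unless that path was writable beforehand and its contents actually changed. The `good_compile`, `silent_compile` and `failing_compile` functions are constructed stand-ins for the demo; `sha256sum` from GNU coreutils is assumed to be present.

```sh
#!/bin/sh
# Added example, not fwbuilder's own code.  verify_rewrite() wraps a
# firewall-script compiler so that a compile which quietly leaves the old
# script untouched cannot be mistaken for a successful update.
# Assumes sha256sum (GNU coreutils).  The *_compile functions below are
# constructed stand-ins for the demo and are not fwbuilder.

# Hash a file, or print "absent" if it does not exist yet.
digest_of() {
    if [ -e "$1" ]; then sha256sum "$1" | cut -d' ' -f1; else echo absent; fi
}

# verify_rewrite TARGET COMPILER [ARGS...]
# Runs "COMPILER ARGS... TARGET" and returns:
#   0  TARGET was (re)written with new content
#   2  TARGET exists but the current user cannot write it (checked up front;
#      note that this test passes for root even without the w bit)
#   3  the compiler itself exited non-zero
#   4  the compiler exited 0 but TARGET is byte-for-byte unchanged
verify_rewrite() {
    target=$1; shift
    if [ -e "$target" ] && [ ! -w "$target" ]; then
        echo "refusing: $target exists and is not writable by $(id -un)" >&2
        return 2
    fi
    before=$(digest_of "$target")
    if ! "$@" "$target"; then
        echo "compiler failed for $target" >&2
        return 3
    fi
    after=$(digest_of "$target")
    if [ "$before" = "$after" ]; then
        echo "WARNING: $target unchanged after compile; firewall NOT updated" >&2
        return 4
    fi
    return 0
}

# --- constructed compiler stand-ins for the demo (not fwbuilder) ----------
FAKE_BUILD_NO=0

# Behaves like a correct compiler: always emits a fresh, different script.
good_compile() {
    FAKE_BUILD_NO=$((FAKE_BUILD_NO + 1))
    printf '#!/bin/sh\n# build %s\niptables -P INPUT DROP\n' "$FAKE_BUILD_NO" > "$1"
}

# Mimics the reported bug: exits 0 but never touches the output file.
silent_compile() {
    return 0
}

# Mimics a compiler that reports its own failure.
failing_compile() {
    echo "cannot write $1" >&2
    return 1
}

demo() {
    dir=$(mktemp -d); script="$dir/firewall.sh"
    verify_rewrite "$script" good_compile    && echo "first build: OK"
    verify_rewrite "$script" good_compile    && echo "rebuild: OK"
    verify_rewrite "$script" silent_compile  || echo "silent compiler caught, rc=$?"
    verify_rewrite "$script" failing_compile || echo "failing compiler caught, rc=$?"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see all four outcomes. The up-front `-w` test catches the ordinary case of a non-root user compiling over a root-owned script, but the hash comparison is the check that matters: it flags the silent no-op regardless of why the compiler did not write, including cases (such as running as root) where the permission test is not meaningful.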