Bug#862485: fwsnort mustn't set iptables rules when purged
Package: fwsnort Version: 1.6.5-3 Severity: critical Tags: security The #861999 fix adds the following on purging: grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore Imagine the following: 1. today I install fwsnort and try it 2. later today I uninstall it 3. 2 years later I purge all long-removed packages This would in 2 years set the iptables rules to what they were today before I shortly played with fwsnort. A case could be made for "fwsnort --ipt-flush" in prerm. Or considering that activating any fwsnort rules is not done automatically and that the package should not interfere with what the the admin has done.
Processed: Re: Bug#862485: fwsnort mustn't set iptables rules when purged
Processing control commands: > tag -1 + moreinfo Bug #862485 [fwsnort] fwsnort mustn't set iptables rules when purged Added tag(s) moreinfo. > severity -1 important Bug #862485 [fwsnort] fwsnort mustn't set iptables rules when purged Severity set to 'important' from 'critical' -- 862485: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862485 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#862485: fwsnort mustn't set iptables rules when purged
Control: tag -1 + moreinfo Control: severity -1 important Hi Adrian, Adrian Bunk wrote: > Severity: critical I think that's overly exaggerated. > Tags: security I also disagree with this tag. > The #861999 fix adds the following on purging: > grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore Yes. In postrm on purge. > Imagine the following: > 1. today I install fwsnort and try it > 2. later today I uninstall it You usually purge package if you play with packages which make changes to your system. > This would in 2 years set the iptables rules to what they > were today before I shortly played with fwsnort. I consider this (i.e. just removing but not purging when wanting to get rid of a package and all its effects) to be the admin's fault, not the package's fault. > A case could be made for "fwsnort --ipt-flush" in prerm. This would be against the expectation of users that configurations, settings etc. are removed on purge and not on removal. > Or considering that activating any fwsnort rules is not done > automatically and that the package should not interfere with > what the the admin has done. I disagree. I expect a package to clean up its changes on purge which result on common usage. To be more specifically, seeing 11'000 iptables rules left on my system after pruging fwsnort with no chance to remove them without reinstalling the package or removing 11'000 rules by hand. Not cleaning up these rules is a bug. And cleaning up is a task for "purge", not for "remove". Regards, Axel -- ,''`. | Axel Beckert , http://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `-| 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Bug#862485: fwsnort mustn't set iptables rules when purged
Control: severity -1 serious On Sat, May 13, 2017 at 07:27:27PM +0200, Axel Beckert wrote: > Control: tag -1 + moreinfo > Control: severity -1 important > > Hi Adrian, Hi Axel, > Adrian Bunk wrote: > > Severity: critical > > I think that's overly exaggerated. > > > Tags: security > > I also disagree with this tag. messing up the iptables setup at an unexpected time can have bad consequences. > > The #861999 fix adds the following on purging: > > grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore > > Yes. In postrm on purge. > > > Imagine the following: > > 1. today I install fwsnort and try it > > 2. later today I uninstall it > > You usually purge package if you play with packages which make changes > to your system. > > > This would in 2 years set the iptables rules to what they > > were today before I shortly played with fwsnort. > > I consider this (i.e. just removing but not purging when wanting to > get rid of a package and all its effects) to be the admin's fault, not > the package's fault. > > > A case could be made for "fwsnort --ipt-flush" in prerm. > > This would be against the expectation of users that configurations, > settings etc. are removed on purge and not on removal. When you remove (not purge) a package containing a webserver, do you expect that the webserver is stopped or do you expect that the webserver is still running after removing the package? > > Or considering that activating any fwsnort rules is not done > > automatically and that the package should not interfere with > > what the the admin has done. > > I disagree. I expect a package to clean up its changes on purge which > result on common usage. To be more specifically, seeing 11'000 > iptables rules left on my system after pruging fwsnort with no chance > to remove them without reinstalling the package or removing 11'000 > rules by hand. Not cleaning up these rules is a bug. And cleaning up > is a task for "purge", not for "remove". "Remove an installed package. This removes everything except conffiles" This the dpkg (and similar in apt) description of what remove does. A package that is removed but not purged is in the Config-Files states. This means the old configuration is still present if the package gets installed again. Purging is supposed to remove the (at that point already unused) configuration files of the package. Purging is not supposed to do any reconfiguration of the system. > Regards, Axel cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed
Processed: Re: Bug#862485: fwsnort mustn't set iptables rules when purged
Processing control commands: > severity -1 serious Bug #862485 [fwsnort] fwsnort mustn't set iptables rules when purged Severity set to 'serious' from 'important' -- 862485: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862485 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Package is completely broken
Processing commands for cont...@bugs.debian.org: > severity 858178 serious Bug #858178 [uuidcdef] uuidcdef: buffer overflow Severity set to 'serious' from 'normal' > thanks Stopping processing here. Please contact me if you need assistance. -- 858178: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858178 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#862485: fwsnort mustn't set iptables rules when purged
Control: tag -1 + confirmed - moreinfo Hi Adrian, Adrian Bunk wrote: > > > Tags: security > > > > I also disagree with this tag. > > messing up the iptables setup at an unexpected time can have bad > consequences. bad != security > > > A case could be made for "fwsnort --ipt-flush" in prerm. > > > > This would be against the expectation of users that configurations, > > settings etc. are removed on purge and not on removal. > > When you remove (not purge) a package containing a webserver, do you > expect that the webserver is stopped or do you expect that the webserver > is still running after removing the package? Granted. Thanks for that comparison. > > > Or considering that activating any fwsnort rules is not done > > > automatically and that the package should not interfere with > > > what the the admin has done. > > > > I disagree. I expect a package to clean up its changes on purge which > > result on common usage. To be more specifically, seeing 11'000 > > iptables rules left on my system after pruging fwsnort with no chance > > to remove them without reinstalling the package or removing 11'000 > > rules by hand. Not cleaning up these rules is a bug. And cleaning up > > is a task for "purge", not for "remove". > > "Remove an installed package. This removes everything except conffiles" > This the dpkg (and similar in apt) description of what remove does. > > A package that is removed but not purged is in the Config-Files states. > This means the old configuration is still present if the package gets > installed again. > > Purging is supposed to remove the (at that point already unused) > configuration files of the package. Point taken. Will move that line (or an "fwsnort --ipt-flush") into a (to be created) prerm and do another QA upload. (Unless you're already onto it. Feel free to do that.) Regards, Axel -- ,''`. | Axel Beckert , http://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `-| 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Processed: Re: Bug#862485: fwsnort mustn't set iptables rules when purged
Processing control commands: > tag -1 + confirmed - moreinfo Bug #862485 [fwsnort] fwsnort mustn't set iptables rules when purged Added tag(s) confirmed. Bug #862485 [fwsnort] fwsnort mustn't set iptables rules when purged Removed tag(s) moreinfo. -- 862485: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862485 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
wvstreams is marked for autoremoval from testing
wvstreams 4.6.1-11 is marked for autoremoval from testing on 2017-06-13 It (build-)depends on packages with these RC bugs: 858178: uuidcdef: buffer overflow
gnome-ppp is marked for autoremoval from testing
gnome-ppp 0.3.23-2 is marked for autoremoval from testing on 2017-06-13 It (build-)depends on packages with these RC bugs: 858178: uuidcdef: buffer overflow
xplc is marked for autoremoval from testing
xplc 0.3.13-6 is marked for autoremoval from testing on 2017-06-13 It is affected by these RC bugs: 858178: uuidcdef: buffer overflow
