
Bug#809688: jessie-pu: package iptables-persistent/1.0.3



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

I would like to update iptables-persistent in jessie to fix a minor information
disclosure bug.

This update also takes the opportunity to apply the correct README and install
it for both packages, and update VCS links.


-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/README b/debian/README
index fc62b23..c8dad16 100644
--- a/debian/README
+++ b/debian/README
@@ -1,17 +1,22 @@
-The Debian Package iptables-persistent
-----------------------------
+netfilter-persistent and its plugins
+------------------------------------
 
-This is a very simple script that restores the file /etc/iptables/rules.v4 as
-the active ruleset at system boot.
+netfilter-persistent does no work on its own. You need the accompanying
+plugins (for example, iptables-persistent) to load and save filter rules.
 
-If it exists, IPv6 rules are also restored from /etc/iptables/rules.v6
+However, commands are run from netfilter-persistent. For example, to save
+all filter rules:
 
-Loading of rules is guaranteed to happen before network interfaces are
-brought up.
+   netfilter-persistent save
 
-To save the current ruleset, use "iptables-save >/etc/iptables/rules.v4"
-or "ip6tables-save >/etc/iptables/rules.v6", or
-"invoke-rc.d iptables-persistent save"
+or to load them:
 
- -- Simon Richter <sjr@debian.org>  Wed, 01 Jul 2009 13:43:43 +0200
- -- Jonathan Wiltshire <jmw@debian.org>  Thu, 30 Dec 2010 00:00:00 +0000
+   netfilter-persistent start
+
+For more details, see `man netfilter-persistent`.
+
+The system service will try to load rules at startup if enabled, but by
+default it will not flush rules at shutdown. This behaviour can be changed
+by editing /etc/default/netfilter-persistent.
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Sat, 02 Jan 2016 00:00:00 +0000
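Review bot: the rewritten README no longer tells the reader where the rules live: the text it replaces named /etc/iptables/rules.v4 and /etc/iptables/rules.v6, and the new text names neither file, nor the fact that this upload makes saved rules files non-world-readable (mode 0640). Both matter to anyone who edits the files by hand or ships them through configuration management, so a sentence along the lines of "Rules are saved to /etc/iptables/rules.v4 and /etc/iptables/rules.v6; these files are not world-readable because they reveal the host's firewall policy" would close the gap. Minor wording point: "However, commands are run from netfilter-persistent" reads awkwardly; "All commands are invoked through netfilter-persistent" says the same thing more plainly.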
diff --git a/debian/changelog b/debian/changelog
index 8b688e5..0241b13 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+iptables-persistent (1.0.3+deb8u1) jessie; urgency=medium
+
+  * [10cab8] Stop rules files being world-readable.
+    Thanks to Bernhard Thaler (Closes: #764645)
+  * [dbeffc] Rewrite README, install for both packages (Closes: #807285)
+  * [dcd3f5] Update VCS links
+  * [e0e1cf] Re-tab plugins/15-ip4tables and plugins/25-ip6tables
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Sat, 02 Jan 2016 21:17:03 +0000
+
 iptables-persistent (1.0.3) unstable; urgency=medium
 
   * [b7c661] systemd: start after local filesystem is available
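Review bot: the first entry says rules files stop being world-readable, but the plugin hunks below only tighten the mode when `save` next runs, so a rules.v4 or rules.v6 written by 1.0.3 keeps its 0644 mode until an administrator re-saves; on an upgraded system the information disclosure from #764645 therefore persists. Either add a postinst that chmods existing /etc/iptables/rules.v4 and rules.v6 to 0640 when upgrading from a version below 1.0.3+deb8u1, or state in the changelog (and a NEWS entry) that existing files must be re-saved or chmod-ed by hand. Separately, the [e0e1cf] re-tab entry has no counterpart in the hunks below, which suggests this diff was produced ignoring whitespace; the release team will want the full debdiff to see everything that changes on disk.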
diff --git a/debian/control b/debian/control
index 7aec52b..65e69af 100644
--- a/debian/control
+++ b/debian/control
@@ -5,8 +5,8 @@ Maintainer: Jonathan Wiltshire <jmw@debian.org>
 Uploaders: Andreas Rütten <AndreasRuetten@gmx.de>
 Build-Depends: debhelper (>= 7.0.50~), dh-systemd, po-debconf
 Standards-Version: 3.9.5
-Vcs-Browser: http://robin.powdarrmonkey.net/gitweb/p=iptables-persistent
-Vcs-Git: git://robin.powdarrmonkey.net/git/iptables-persistent/
+Vcs-Browser: http://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/
+Vcs-Git: git://anonscm.debian.org/collab-maint/iptables-persistent.git
 
 Package: netfilter-persistent
 Architecture: all
diff --git a/debian/netfilter-persistent.docs b/debian/netfilter-persistent.docs
new file mode 100644
index 0000000..df6f1f3
--- /dev/null
+++ b/debian/netfilter-persistent.docs
@@ -0,0 +1 @@
+debian/README
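Review bot: the changelog says the README is installed for both packages, but only debian/netfilter-persistent.docs appears in this diff. If debian/iptables-persistent.docs already listed debian/README that is fine; otherwise it needs the same one-line file. A test build checking that both binary packages ship a README under /usr/share/doc/ would settle it.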
diff --git a/plugins/15-ip4tables b/plugins/15-ip4tables
index 578b237..d4cd740 100755
--- a/plugins/15-ip4tables
+++ b/plugins/15-ip4tables
@@ -35,6 +35,8 @@ save_rules()
 	if [ ! -f /proc/net/ip_tables_names ]; then
 		echo "Warning: skipping IPv4 (no modules loaded)"
 	elif [ -x /sbin/iptables-save ]; then
+		touch /etc/iptables/rules.v4
+		chmod 0640 /etc/iptables/rules.v4
 		iptables-save > /etc/iptables/rules.v4
 		if [ $? -ne 0 ]; then
 			rc=1
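Review bot: `touch` followed by `chmod 0640` leaves a window in which a freshly created rules.v4 exists with the umask-derived mode (0644 under the usual 022) before the chmod runs, and neither command's exit status is checked, so a missing /etc/iptables or a read-only /etc is only caught indirectly when the redirect fails. Creating the file with a restrictive umask removes the window, for example `umask 027` at the top of save_rules() (or `( umask 027; iptables-save > /etc/iptables/rules.v4 )`), which yields 0640 for a new file; keep the `chmod 0640` for the existing-file case, since `>` does not change the mode of a file that is already there. Note also that `chmod` and the redirect both follow a symlink, so if rules.v4 has been replaced by a link the mode change lands on the target.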
diff --git a/plugins/25-ip6tables b/plugins/25-ip6tables
index c8ca475..6dc8bff 100755
--- a/plugins/25-ip6tables
+++ b/plugins/25-ip6tables
@@ -35,6 +35,8 @@ save_rules()
 	if [ ! -f /proc/net/ip6_tables_names ]; then
 		log_action_cont_msg "Warning: skipping IPv6 (no modules loaded)"
 	elif [ -x /sbin/ip6tables-save ]; then
+		touch /etc/iptables/rules.v6
+		chmod 0640 /etc/iptables/rules.v6
 		ip6tables-save > /etc/iptables/rules.v6
 		if [ $? -ne 0 ]; then
 			rc=1
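Review bot: as in the IPv4 plugin, `touch` then `chmod 0640` creates rules.v6 with the umask-derived mode first and tightens it a moment later, and the exit status of both commands is ignored; `umask 027` before the redirect creates the file 0640 from the start, with the `chmod` retained to fix an existing 0644 file. Beyond that, the two plugins report the "no modules loaded" case differently: this one uses `log_action_cont_msg` while 15-ip4tables uses a bare `echo`, so the IPv4 warning bypasses the init-script logging the IPv6 one goes through. Since the re-tab commit already touches both files, aligning them on `log_action_cont_msg` would be cheap.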
