Bug#809688: marked as done (jessie-pu: package iptables-persistent/1.0.3)



Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #809688,
regarding jessie-pu: package iptables-persistent/1.0.3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
809688: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809688
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

I would like to update iptables-persistent in jessie to fix a minor information
disclosure bug.

This update also takes the opportunity to apply the correct README and install
it for both packages, and update VCS links.


-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/README b/debian/README
index fc62b23..c8dad16 100644
--- a/debian/README
+++ b/debian/README
@@ -1,17 +1,22 @@
-The Debian Package iptables-persistent
-----------------------------
+netfilter-persistent and its plugins
+------------------------------------
 
-This is a very simple script that restores the file /etc/iptables/rules.v4 as
-the active ruleset at system boot.
+netfilter-persistent does no work on its own. You need the accompanying
+plugins (for example, iptables-persistent) to load and save filter rules.
 
-If it exists, IPv6 rules are also restored from /etc/iptables/rules.v6
+However, commands are run from netfilter-persistent. For example, to save
+all filter rules:
 
-Loading of rules is guaranteed to happen before network interfaces are
-brought up.
+   netfilter-persistent save
 
-To save the current ruleset, use "iptables-save >/etc/iptables/rules.v4"
-or "ip6tables-save >/etc/iptables/rules.v6", or
-"invoke-rc.d iptables-persistent save"
+or to load them:
 
- -- Simon Richter <sjr@debian.org>  Wed, 01 Jul 2009 13:43:43 +0200
- -- Jonathan Wiltshire <jmw@debian.org>  Thu, 30 Dec 2010 00:00:00 +0000
+   netfilter-persistent start
+
+For more details, see `man netfilter-persistent`.
+
+The system service will try to load rules at startup if enabled, but by
+default it will not flush rules at shutdown. This behaviour can be changed
+by editing /etc/default/netfilter-persistent.
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Sat, 02 Jan 2016 00:00:00 +0000
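
Review bot: The rewritten README no longer says where the rules are stored. The removed lines named /etc/iptables/rules.v4 and /etc/iptables/rules.v6, and the plugins changed in this same patch still write to those paths. Since this update sets those files to mode 0640 on save, add a sentence that gives the two paths and states that they are readable only by owner and group once saved.
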
diff --git a/debian/changelog b/debian/changelog
index 8b688e5..0241b13 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+iptables-persistent (1.0.3+deb8u1) jessie; urgency=medium
+
+  * [10cab8] Stop rules files being world-readable.
+    Thanks to Bernhard Thaler (Closes: #764645)
+  * [dbeffc] Rewrite README, install for both packages (Closes: #807285)
+  * [dcd3f5] Update VCS links
+  * [e0e1cf] Re-tab plugins/15-ip4tables and plugins/25-ip6tables
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Sat, 02 Jan 2016 21:17:03 +0000
+
 iptables-persistent (1.0.3) unstable; urgency=medium
 
   * [b7c661] systemd: start after local filesystem is available
diff --git a/debian/control b/debian/control
index 7aec52b..65e69af 100644
--- a/debian/control
+++ b/debian/control
@@ -5,8 +5,8 @@ Maintainer: Jonathan Wiltshire <jmw@debian.org>
 Uploaders: Andreas Rütten <AndreasRuetten@gmx.de>
 Build-Depends: debhelper (>= 7.0.50~), dh-systemd, po-debconf
 Standards-Version: 3.9.5
-Vcs-Browser: http://robin.powdarrmonkey.net/gitweb/p=iptables-persistent
-Vcs-Git: git://robin.powdarrmonkey.net/git/iptables-persistent/
+Vcs-Browser: http://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/
+Vcs-Git: git://anonscm.debian.org/collab-maint/iptables-persistent.git
 
 Package: netfilter-persistent
 Architecture: all
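
Review bot: Both new Vcs fields use unauthenticated transports: Vcs-Browser is http:// and Vcs-Git is git://. Neither gives the person cloning any integrity guarantee for the source of a firewall package. If anonscm.debian.org serves these paths over HTTPS, use https:// URLs in both fields.
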
diff --git a/debian/netfilter-persistent.docs b/debian/netfilter-persistent.docs
new file mode 100644
index 0000000..df6f1f3
--- /dev/null
+++ b/debian/netfilter-persistent.docs
@@ -0,0 +1 @@
+debian/README
diff --git a/plugins/15-ip4tables b/plugins/15-ip4tables
index 578b237..d4cd740 100755
--- a/plugins/15-ip4tables
+++ b/plugins/15-ip4tables
@@ -35,6 +35,8 @@ save_rules()
 	if [ ! -f /proc/net/ip_tables_names ]; then
 		echo "Warning: skipping IPv4 (no modules loaded)"
 	elif [ -x /sbin/iptables-save ]; then
+		touch /etc/iptables/rules.v4
+		chmod 0640 /etc/iptables/rules.v4
 		iptables-save > /etc/iptables/rules.v4
 		if [ $? -ne 0 ]; then
 			rc=1
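
Review bot: In save_rules(), the results of the added touch and chmod 0640 are not checked. If chmod fails, the following "iptables-save > /etc/iptables/rules.v4" still writes the ruleset into the file with whatever mode it had, and rc stays 0 because only the iptables-save exit status is tested. Set rc=1 and skip the save when chmod fails, or set a restrictive umask around the redirect so a newly created file is never wider than 0640. The touch also creates a missing file with the process umask before chmod narrows it; the file is empty at that point, but a umask-based approach removes that window as well.
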
diff --git a/plugins/25-ip6tables b/plugins/25-ip6tables
index c8ca475..6dc8bff 100755
--- a/plugins/25-ip6tables
+++ b/plugins/25-ip6tables
@@ -35,6 +35,8 @@ save_rules()
 	if [ ! -f /proc/net/ip6_tables_names ]; then
 		log_action_cont_msg "Warning: skipping IPv6 (no modules loaded)"
 	elif [ -x /sbin/ip6tables-save ]; then
+		touch /etc/iptables/rules.v6
+		chmod 0640 /etc/iptables/rules.v6
 		ip6tables-save > /etc/iptables/rules.v6
 		if [ $? -ne 0 ]; then
 			rc=1
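
Review bot: The mode is tightened only inside save_rules(), so an /etc/iptables/rules.v6 written by an earlier version (and likewise rules.v4 in plugins/15-ip4tables) stays world-readable after the upgrade until the next save is run. If the aim is to close the disclosure on every upgraded host, also chmod 0640 the existing files from a maintainer script, so that systems which never re-save are covered.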

--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---