Re: Bad press again...
* Michael Stone:
> Contact the security team. Describe the bug in such a way that the
> security team understands its severity and impact. It is not sufficient
> to say "just trust me and issue an advisory". From what I've seen so far
> this is not the obvious buffer overflow sort of bug, it's a configured
> behavior which deviates from some documented expectation. The question,
> then, is how that deviation occurs, what the documented expectation is,
> and (most importantly for stable) is there any chance that someone might
> be relying on the implemented behavior rather than the documented
> behavior.
It seems that shorewall generates an ACL that ACCEPTs all traffic once
a MAC rule matches. Further rules are not considered. The
explanations in version 2.2.3 seem to indicate that this was the
intended behavior, but its implications surprised upstream, and a
corrected version was released.
IMHO, Debian should publish at least a DSA that explains this
discrepancy, especially if the package maintainer also thinks that
it's necessary.
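As an added illustration (not from this thread and not Shorewall's own generated rules), here is a toy iptables-style chain evaluator contrasting a MAC-list chain whose matching rule ACCEPTs outright, so later rules are never consulted, with one whose matching rule RETURNs to the calling chain so the remaining rules still apply. The chain layout, MAC address and ports are constructed assumptions.

```python
"""Toy model of iptables chain traversal: ACCEPT-on-MAC-match vs RETURN-on-MAC-match."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    mac: str      # source MAC address
    dport: int    # destination TCP port


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, RETURN, or the name of a user chain
    mac: Optional[str] = None    # match on source MAC (like --mac-source)
    dport: Optional[int] = None  # match on destination port (like --dport)

    def matches(self, pkt: Packet) -> bool:
        return (self.mac is None or self.mac == pkt.mac) and \
               (self.dport is None or self.dport == pkt.dport)


def evaluate(chains: Dict[str, List[Rule]], name: str, pkt: Packet) -> Optional[str]:
    """Walk a chain in order; None means 'fell through to the caller / policy'."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target            # terminating verdict, traversal stops
        if rule.target == "RETURN":
            return None                   # back to the calling chain
        verdict = evaluate(chains, rule.target, pkt)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None


ALLOWED_MAC = "00:11:22:33:44:55"   # constructed sample value, not a real host


def build_chains(mac_verdict: str) -> Dict[str, List[Rule]]:
    # Constructed layout: the MAC list runs first, then a port-level policy.
    return {
        "input": [Rule("maclist"), Rule("ACCEPT", dport=22), Rule("DROP")],
        "maclist": [Rule(mac_verdict, mac=ALLOWED_MAC), Rule("DROP")],
    }


def verdict(mac_verdict: str, pkt: Packet) -> str:
    v = evaluate(build_chains(mac_verdict), "input", pkt)
    return v if v is not None else "DROP"   # chain policy when nothing matched
```

With the ACCEPT variant, a known MAC reaches every port; with the RETURN variant the port rules still decide, which is the difference a reader of the advisory would want to verify on their own rule set.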