
Re: Bad press again...



* Michael Stone:

> Contact the security team. Describe the bug in such a way that the
> security team understands its severity and impact. It is not sufficient
> to say "just trust me and issue an advisory". From what I've seen so far
> this is not the obvious buffer overflow sort of bug, it's a configured
> behavior which deviates from some documented expectation. The question,
> then, is how that deviation occurs, what the documented expectation is,
> and (most importantly for stable) is there any chance that someone might
> be relying on the implemented behavior rather than the documented
> behavior.

It seems that shorewall generates an ACL that ACCEPTs all traffic once
a MAC rule matches.  Further rules are not considered.  The
explanations in version 2.2.3 seem to indicate that this was the
intended behavior, but its implications surprised upstream, and a
corrected version was released.

IMHO, Debian should publish at least a DSA that explains this
discrepancy, especially if the package maintainer also thinks that
it's necessary.
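To make the first-match behaviour described above concrete, here is a small packet-filter simulator added as an illustration; it is not shorewall's code or its generated rule set. It models a MAC-check chain two ways: one where a matching MAC rule ACCEPTs (so later rules are never consulted) and one where the matching rule RETURNs to the calling chain and non-matching traffic is dropped, so port restrictions still apply. The MAC addresses, ports and chain names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample values; nothing here refers to a real host.
TRUSTED_MAC = "00:11:22:33:44:55"
POLICY = "DROP"  # chain policy applied when no rule decides


@dataclass
class Packet:
    src_mac: str
    dport: int


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP, RETURN, or a chain name to jump to
    mac: Optional[str] = None     # match on source MAC when set
    dport: Optional[int] = None   # match on destination port when set

    def matches(self, pkt: Packet) -> bool:
        if self.mac is not None and pkt.src_mac.lower() != self.mac.lower():
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def _walk(chains: Dict[str, List[Rule]], chain: str, pkt: Packet, depth: int) -> Optional[str]:
    """First-match traversal: the first terminating target decides the packet.

    Returns ACCEPT/DROP once a terminating rule matches, or None when the
    chain ends (or RETURNs) without a decision, so the caller continues.
    """
    if depth > 16:
        raise RuntimeError("chain jump loop")
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        decision = _walk(chains, rule.target, pkt, depth + 1)  # jump to sub-chain
        if decision is not None:
            return decision
    return None


def verdict(chains: Dict[str, List[Rule]], pkt: Packet) -> str:
    """Evaluate a packet against the INPUT chain and apply the policy if undecided."""
    return _walk(chains, "INPUT", pkt, 0) or POLICY


def weak_ruleset() -> Dict[str, List[Rule]]:
    """MAC match terminates with ACCEPT: the port rule below it is never reached."""
    return {
        "INPUT": [Rule("mac_check"), Rule("ACCEPT", dport=22)],
        "mac_check": [Rule("ACCEPT", mac=TRUSTED_MAC)],
    }


def corrected_ruleset() -> Dict[str, List[Rule]]:
    """MAC match RETURNs so later rules still apply; unknown MACs are dropped."""
    return {
        "INPUT": [Rule("mac_check"), Rule("ACCEPT", dport=22)],
        "mac_check": [Rule("RETURN", mac=TRUSTED_MAC), Rule("DROP")],
    }


if __name__ == "__main__":
    for name, chains in (("weak", weak_ruleset()), ("corrected", corrected_ruleset())):
        for pkt in (Packet(TRUSTED_MAC, 22), Packet(TRUSTED_MAC, 23),
                    Packet("00:11:22:33:44:ff", 22)):
            print(f"{name:9s} {pkt.src_mac} -> port {pkt.dport}: {verdict(chains, pkt)}")
```

The difference is entirely in the target of the matching MAC rule: with ACCEPT, a trusted MAC reaches any port, because the port rule after the jump is never evaluated; with RETURN plus a trailing DROP, the MAC check only filters who may proceed and the port rule still decides what they may reach.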
