Re: Bad press again...
Florian Weimer wrote:
> * Michael Stone:
>
>
>>Contact the security team. Describe the bug in such a way that the
>>security team understands its severity and impact. It is not sufficient
>>to say "just trust me and issue an advisory". From what I've seen so far
>>this is not the obvious buffer overflow sort of bug, it's a configured
>>behavior which deviates from some documented expectation. The question,
>>then, is how that deviation occurs, what the documented expectation is,
>>and (most importantly for stable) is there any chance that someone might
>>be relying on the implemented behavior rather than the documented
>>behavior.
>
>
> It seems that shorewall generates an ACL that ACCEPTs all traffic once
> a MAC rule matches. Further rules are not considered. The
> explanations in version 2.2.3 seem to indicate that this was the
> intended behavior, but its implications surprised upstream, and a
> corrected version was released.
>
> IMHO, Debian should publish at least a DSA that explains this
> discrepancy, especially if the package maintainer also thinks that
> it's necessary.
It seems to be fairly tricky to determine how much of a security risk a
bug has to be before a fix will find its way into stable.
Another example is fwbuilder which *silently* fails to overwrite its
generated script at compile time if the user doesn't have write
permissions on the existing script.
I view this as a security problem because what if you *think* you've
made changes to your firewall and are now protected only... you aren't
and the firewall hasn't been updated?
Is that enough of a security problem for the fix to get into stable?
Who decides?
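The fwbuilder failure mode above (a compile that leaves a stale, unwritable script in place and says nothing) is easy to guard against from outside the tool. The following is an added example, not fwbuilder's or shorewall's own code: a POSIX shell wrapper that refuses to run the compiler if the output script cannot be replaced, and after the run checks that the script's contents actually changed. The compiler command, the output path and the hash tool are assumptions for illustration; in the `<test>` the compiler is replaced by stand-in functions that write a constructed rule set.

```shell
#!/bin/sh
# Added example (not fwbuilder's own code): wrap a firewall-script compiler so a
# silent no-op (e.g. the output file is not writable) fails loudly instead of
# leaving an outdated firewall in place.
set -u

# Hash a file; assumes sha256sum (coreutils) or shasum (BSD/macOS) is installed.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# precheck_writable OUTPUT
# Return 0 only if the compiler will be able to (re)create OUTPUT.
# Note: as root, -w is true even for mode 0444 files, so this check is most
# useful when compiling as an unprivileged user.
precheck_writable() {
    out=$1
    dir=$(dirname "$out")
    if [ -e "$out" ]; then
        [ -w "$out" ] && return 0
        echo "ERROR: $out exists but is not writable; a compile would be a no-op" >&2
        return 1
    fi
    [ -d "$dir" ] && [ -w "$dir" ] && return 0
    echo "ERROR: cannot create $out in $dir" >&2
    return 1
}

# compile_checked OUTPUT COMPILE_CMD [ARGS...]
# Run the compiler, then prove OUTPUT changed on disk. COMPILE_CMD is any
# command that is supposed to write OUTPUT (hypothetical; e.g. fwb_ipt ...).
compile_checked() {
    out=$1
    shift
    precheck_writable "$out" || return 1
    before=""
    [ -e "$out" ] && before=$(file_hash "$out")
    "$@" || { echo "ERROR: compiler exited non-zero" >&2; return 1; }
    [ -e "$out" ] || { echo "ERROR: $out was not produced" >&2; return 1; }
    after=$(file_hash "$out")
    if [ "$before" = "$after" ]; then
        echo "ERROR: $out is byte-for-byte unchanged after compile; firewall NOT updated" >&2
        return 1
    fi
    echo "ok: $out updated ($after)"
    return 0
}
```

The hash comparison is deliberately strict: a recompile of an unchanged policy will also be reported as "unchanged", so treat that message as "verify by hand" rather than as proof of a permission problem. The writability precheck is the part that catches the exact bug described in the post, before any rules are generated.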