* Michael Stone:

> Contact the security team. Describe the bug in such a way that the
> security team understands its severity and impact. It is not sufficient
> to say "just trust me and issue an advisory". From what I've seen so far
> this is not the obvious buffer overflow sort of bug, it's a configured
> behavior which deviates from some documented expectation. The question,
> then, is how that deviation occurs, what the documented expectation is,
> and (most importantly for stable) is there any chance that someone might
> be relying on the implemented behavior rather than the documented
> behavior.
It seems that shorewall generates an ACL that ACCEPTs all traffic once a MAC rule matches. Further rules are not considered. The explanations in version 2.2.3 seem to indicate that this was the intended behavior, but its implications surprised upstream, and a corrected version was released. IMHO, Debian should publish at least a DSA that explains this discrepancy, especially if the package maintainer also thinks that it's necessary.
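The behavior discussed above, a MAC check whose match is a terminating ACCEPT rather than a RETURN to the rest of the ruleset, can be illustrated with a small packet-filter model. The following is an added example written for this thread; it is not shorewall's generated rules or any real netfilter code, and the chain names, MAC addresses and ports are constructed. It walks an INPUT chain that first jumps to a MAC-list sub-chain and then applies port filtering, and compares what a known-MAC host can reach when the MAC match ACCEPTs outright versus when it RETURNs to the caller.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    src_mac: str
    dst_port: int


@dataclass
class Rule:
    # Predicate deciding whether this rule applies to the packet.
    match: Callable[[Packet], bool]
    # "ACCEPT" / "DROP" terminate evaluation, "RETURN" leaves the current
    # sub-chain, anything else is the name of a sub-chain to jump to.
    target: str


def run_chain(chains: Dict[str, List[Rule]], name: str, pkt: Packet) -> Optional[str]:
    """Walk one chain. Returns a final verdict, or None if the chain falls
    through (end of chain or RETURN) so the caller keeps evaluating."""
    for rule in chains[name]:
        if not rule.match(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = run_chain(chains, rule.target, pkt)  # jump into sub-chain
        if verdict is not None:
            return verdict
    return None


def evaluate(chains: Dict[str, List[Rule]], pkt: Packet, policy: str = "DROP") -> str:
    verdict = run_chain(chains, "INPUT", pkt)
    return verdict if verdict is not None else policy


def build_chains(mac_match_target: str) -> Dict[str, List[Rule]]:
    """Constructed ruleset: INPUT jumps to a MAC-list chain, then only
    permits port 22. mac_match_target is what a recognised MAC does."""
    allowed_macs = {"00:11:22:33:44:55"}  # constructed, hypothetical host
    maclist = [
        Rule(lambda p: p.src_mac in allowed_macs, mac_match_target),
        Rule(lambda p: True, "DROP"),  # unrecognised MAC: dropped here
    ]
    inp = [
        Rule(lambda p: True, "maclist"),
        Rule(lambda p: p.dst_port == 22, "ACCEPT"),
        Rule(lambda p: True, "DROP"),
    ]
    return {"INPUT": inp, "maclist": maclist}


def verdicts(mac_match_target: str) -> Dict[str, str]:
    """Verdicts for a known MAC on an allowed and a disallowed port, and for
    an unknown MAC, under the given MAC-match disposition."""
    chains = build_chains(mac_match_target)
    known, unknown = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    return {
        "known_port22": evaluate(chains, Packet(known, 22)),
        "known_port23": evaluate(chains, Packet(known, 23)),
        "unknown_port22": evaluate(chains, Packet(unknown, 22)),
    }


if __name__ == "__main__":
    for disposition in ("ACCEPT", "RETURN"):
        print(disposition, verdicts(disposition))
```

With the MAC match set to ACCEPT, the known host reaches port 23 even though the port rules below the jump would deny it; with RETURN, the MAC check only filters unknown hosts and the later rules still apply. That difference is the "further rules are not considered" point above, and it is the kind of thing a defender would confirm on a live firewall by listing the generated chain and checking the target of the MAC-match rule rather than trusting the configuration's description.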

