Your message dated Tue, 21 May 2024 08:35:23 +0000
with message-id <e1s9kxv-008cps...@fasolo.debian.org>
and subject line Bug#1071247: fixed in golang-github-google-nftables 0.1.0-4
has caused the Debian Bug report #1071247,
regarding golang-github-google-nftables-dev: broken AddSet() on all little-endian systems
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1071247: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071247
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: golang-github-google-nftables-dev
Version: 0.1.0-4
Severity: serious
Tags: upstream security patch
Justification: broken feature, security implications
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>, debian.pack...@crowdsec.net

Hi,

I was contacted by CrowdSec upstream about a bug report filed against
the firewall bouncer, which is in charge of applying rules at the
firewall level based on decisions passed on by the crowdsec engine:
  https://github.com/crowdsecurity/cs-firewall-bouncer/issues/368

I've been able to verify that despite correct IPv4 and IPv6 addresses
getting logged by the bouncer (e.g. at debug level), all of them get
added in reverse byte order at the nftables level. :(

Upstream bug:
  https://github.com/google/nftables/issues/225

Upstream fix:
  https://github.com/google/nftables/pull/226

I confirmed that this affects LE systems (e.g. amd64), both in stable and in
unstable (same versions, modulo binNMUs). That doesn't affect BE systems
(i.e. s390x, verified via debvm).

I also verified that applying the golang-github-google-nftables patch
and rebuilding crowdsec-firewall-bouncer against it fixes the problem on
LE systems, and doesn't regress on BE systems.

Security team, I've added the security tag (and you to Cc) because the
consequence is that admins who installed crowdsec-firewall-bouncer have
been thinking they were applying restrictions gathered by crowdsec,
while they've actually been (1) not blocking offending addresses and (2)
blocking possibly harmless ones.

I was tempted to open a second bug on crowdsec-firewall-bouncer,
referencing this one, and to upload both packages to unstable (this one
with the upstream patch, the other one with a bumped build-dep to make
sure it cannot be rebuilt against the broken package; there are a lot of
binNMUs flying around already). Then to submit p-u requests to get the
same updates into bookworm. But does that issue warrant a DSA?


Cheers,
-- 
Cyril Brulebois (k...@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

--- End Message ---
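The byte-order mistake the report above describes, as an added Go example (this is not code from the google/nftables library or from crowdsec-firewall-bouncer): `encodeSetKey` models what happens when an address key is written in the CPU's native integer order instead of network order, so the same call produces a correct key on big-endian hosts and a reversed one on little-endian hosts. `verifyInstalledKey` is the read-back check an integration test or a cautious deployment script can use to catch the mismatch before trusting the ruleset. Modelling the reversal over the whole key, the function names, and the 192.0.2.1 / 2001:db8::1 addresses are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
)

// networkOrderKey returns the raw address bytes in network (big-endian)
// order, which is what an ipv4_addr/ipv6_addr set element key must contain.
func networkOrderKey(ip net.IP) []byte {
	if v4 := ip.To4(); v4 != nil {
		return append([]byte(nil), v4...)
	}
	return append([]byte(nil), ip.To16()...)
}

// encodeSetKey models writing the key as a machine-native integer in the
// given byte order. A big-endian order leaves the bytes untouched; a
// little-endian order (what a native-order write yields on amd64) emits the
// address reversed, which is the symptom reported above. Reversing the whole
// key rather than individual words is an assumption of this example.
func encodeSetKey(ip net.IP, order binary.ByteOrder) []byte {
	key := networkOrderKey(ip)
	// Probe the order instead of comparing against a package variable, so
	// any binary.ByteOrder implementation (including a native one) works.
	littleEndian := order.Uint16([]byte{1, 0}) == 1
	if !littleEndian {
		return key
	}
	out := make([]byte, len(key))
	for i, b := range key {
		out[len(key)-1-i] = b
	}
	return out
}

// verifyInstalledKey compares a key read back from the kernel (e.g. via a
// set listing) with the address the application meant to block. It fails on
// any mismatch, so a byte-order bug surfaces as an error instead of as a
// silently wrong block list.
func verifyInstalledKey(wanted net.IP, installed []byte) error {
	if expected := networkOrderKey(wanted); !bytes.Equal(expected, installed) {
		return fmt.Errorf("set element mismatch: wanted %s, kernel holds %s",
			wanted, net.IP(installed))
	}
	return nil
}

func main() {
	for _, s := range []string{"192.0.2.1", "2001:db8::1"} { // constructed sample addresses
		ip := net.ParseIP(s)
		fmt.Printf("%-12s network-order key: %s\n", s, net.IP(encodeSetKey(ip, binary.BigEndian)))
		fmt.Printf("%-12s native-order key on LE host: %s\n", s, net.IP(encodeSetKey(ip, binary.LittleEndian)))
		if err := verifyInstalledKey(ip, encodeSetKey(ip, binary.LittleEndian)); err != nil {
			fmt.Println("check:", err)
		}
	}
}
```

Running this on any host prints 1.2.0.192 for the little-endian encoding of 192.0.2.1, which is exactly the "correct address in the logs, wrong address in nftables" situation described in the report; the read-back check is what turns that into a hard failure.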
--- Begin Message ---
Source: golang-github-google-nftables
Source-Version: 0.1.0-4
Done: Cyril Brulebois <cy...@debamax.com>

We believe that the bug you reported is fixed in the latest version of
golang-github-google-nftables, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1071...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois <cy...@debamax.com> (supplier of updated golang-github-google-nftables package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 21 May 2024 09:42:17 +0200
Source: golang-github-google-nftables
Architecture: source
Version: 0.1.0-4
Distribution: unstable
Urgency: high
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Cyril Brulebois <cy...@debamax.com>
Closes: 1071247
Changes:
 golang-github-google-nftables (0.1.0-4) unstable; urgency=high
 .
   * Backport upstream fix for the AddSet() function that's been reversing
     byte order on all little-endian architectures (Closes: #1071247),
     breaking crowdsec-firewall-bouncer (See: #1071248):
      - 0002-Implement-set-KeyByteOrder-226.patch
Checksums-Sha1:
 53abab784951635d6c6674b4a39f5685bc264467 2369 golang-github-google-nftables_0.1.0-4.dsc
 b468498f72badc8361586b0e5ebb7d967f7eaa16 4652 golang-github-google-nftables_0.1.0-4.debian.tar.xz
 8bac2cd0bd8faf82a6906e6c4c68eee976a31661 7337 golang-github-google-nftables_0.1.0-4_source.buildinfo
Checksums-Sha256:
 01eb638fc77d21a86044fd4667ba2d21f6b40482e2501fe1a0d269455cad624e 2369 golang-github-google-nftables_0.1.0-4.dsc
 88d448e2fb9b32ce5658615269e64b2e53610f72424c9f8c37ef975b6714849c 4652 golang-github-google-nftables_0.1.0-4.debian.tar.xz
 f6d7e6b3b1a19cb00f6bf17d67a007b3368786042f3e3fee4aa523cc4e4432d5 7337 golang-github-google-nftables_0.1.0-4_source.buildinfo
Files:
 3867901c87d09e9b11a502eb426c4953 2369 golang optional golang-github-google-nftables_0.1.0-4.dsc
 f80b5396280a2b30818303bc14f59cee 4652 golang optional golang-github-google-nftables_0.1.0-4.debian.tar.xz
 4751ba97d3d82889e289e2bfec6e42c5 7337 golang optional golang-github-google-nftables_0.1.0-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
