[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
Thanks Lucas, I made some small fixes to the changelog for the -security pocket and to pick a version number that would more accurately reflect the changes (there are more examples at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging ). The update should be on the mirrors soon.

Thanks

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1617617

Title:
  Firewall configuration can be modified by any logged in user

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firewalld/+bug/1617617/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
This bug was fixed in the package firewalld - 0.4.0-1ubuntu0.1

---
firewalld (0.4.0-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Any logged in user could modify passthrough rules and set ipset entries (LP: #1617617)
    - debian/patches/CVE-2016-5410.patch: Enforce appropriate PolicyKit authentication requirements, based on upstream 0.4.3.3 commit
    - CVE-2016-5410

 -- Lucas Kocia  Wed, 25 Oct 2017 21:03:52 -0400

** Changed in: firewalld (Ubuntu Xenial)
       Status: Confirmed => Fix Released
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
@Lucas: you marked the bug as "Fix Released", so it's not appearing on any lists. I'll set it back to Confirmed.

** Changed in: firewalld (Ubuntu Xenial)
       Status: Fix Released => Confirmed
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
Thanks Jeremy. Is there any movement on this from ubuntu-security-sponsors for SRU? I don't see this on their open bug subscriptions etc.
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
Thank you for helping to make Ubuntu better!

Since this is a proposed security update, I subscribed ubuntu-security-sponsors instead of ubuntu-sponsors.
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
I've subscribed ubuntu_sponsors in an effort to get this fix to the next xenial SRU release. Until then you can find the patched version on my ppa:

deb http://ppa.launchpad.net/lkocia/firewalld/ubuntu xenial main
deb-src http://ppa.launchpad.net/lkocia/firewalld/ubuntu xenial main

(Add above two lines to your /etc/apt/sources.list)
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
Almost the same patch as jbicha's, except with an additional line added to handle direct.removePassthrough as seth-arnold requested. ipset.setEntries does not appear to exist in this version.

** Patch added: "firewalld_0.4.0-2.debdiff"
   https://bugs.launchpad.net/ubuntu/xenial/+source/firewalld/+bug/1617617/+attachment/4995813/+files/firewalld_0.4.0-2.debdiff

** Changed in: firewalld (Ubuntu Xenial)
       Status: Confirmed => Fix Released
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
Still not fixed in Xenial.
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
Still not fixed in Xenial!
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
Any news?
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
I believe this patch is incomplete; the debdiff appears to cover:

direct.addPassthrough
ipset.addEntry
ipset.removeEntry

direct.removePassthrough looks to be overlooked. (ipset.setEntries is also missing, but I think that feature may not exist in this version.)

Can you please investigate and re-generate the patch if needed?

Thanks
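An added example, not part of the thread or of the firewalld source: one way to automate the coverage check described in the review above, by parsing Python source and reporting which of the named D-Bus methods carry an authorization decorator. The decorator name, the mapping from D-Bus method names to Python function names, and the sample source are assumptions made for illustration.

```python
import ast
# D-Bus methods named in the review, interface prefix dropped (assumed mapping).
REQUIRED = ["addPassthrough", "removePassthrough",
            "addEntry", "removeEntry", "setEntries"]
# Assumption: the authorization check is a decorator with this name.
AUTH_DECORATOR = "dbus_polkit_require_auth"
# Constructed sample, not the real firewalld source; ACTION/IFACE are placeholders.
SAMPLE = '''
class FirewallD:
    @dbus_polkit_require_auth(ACTION)
    @dbus_service_method(IFACE, in_signature="sas")
    def addPassthrough(self, ipv, args, sender=None): pass

    @dbus_service_method(IFACE, in_signature="sas")
    def removePassthrough(self, ipv, args, sender=None): pass

    @dbus_polkit_require_auth(ACTION)
    @dbus_service_method(IFACE, in_signature="ss")
    def addEntry(self, ipset, entry, sender=None): pass

    @dbus_polkit_require_auth(ACTION)
    @dbus_service_method(IFACE, in_signature="ss")
    def removeEntry(self, ipset, entry, sender=None): pass
'''

def decorator_name(node):
    """Return a decorator's bare name, with or without call arguments."""
    target = node.func if isinstance(node, ast.Call) else node
    if isinstance(target, ast.Attribute):
        return target.attr
    return getattr(target, "id", None)

def audit(source, required=REQUIRED, auth=AUTH_DECORATOR):
    """Classify each required method as protected, unprotected or absent."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name in required:
            names = {decorator_name(d) for d in node.decorator_list}
            # A method defined more than once is protected only if every copy is.
            found[node.name] = found.get(node.name, True) and auth in names
    report = {"protected": [], "unprotected": [], "absent": []}
    for name in required:
        state = "absent" if name not in found else (
            "protected" if found[name] else "unprotected")
        report[state].append(name)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the patched source tree rather than the constructed sample, an "unprotected" entry marks a method the patch missed and an "absent" entry marks a method that version does not define.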
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
** Changed in: firewalld (Ubuntu)
   Importance: Undecided => High

** Changed in: firewalld (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: firewalld (Ubuntu)
   Importance: High => Low

** Changed in: firewalld (Ubuntu Xenial)
   Importance: High => Low
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
This bug was fixed in the package firewalld - 0.4.3.3-1

---
firewalld (0.4.3.3-1) unstable; urgency=medium

  * New upstream release.
    - Fixes CVE-2016-5410: Firewall configuration can be modified by any logged in user. (Closes: #834529)

 -- Michael Biebl  Sat, 27 Aug 2016 16:00:36 +0200

** Changed in: firewalld (Ubuntu)
       Status: Confirmed => Fix Released
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
** Changed in: firewalld (Debian)
       Status: Unknown => Fix Released
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
** Patch removed: "firewalld-xenial-security.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/firewalld/+bug/1617617/+attachment/4728933/+files/firewalld-xenial-security.debdiff

** Patch added: "firewalld-xenial-security.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/firewalld/+bug/1617617/+attachment/4728975/+files/firewalld-xenial-security.debdiff
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
The only testing I did was ensure the package still builds on xenial.
[Bug 1617617] Re: Firewall configuration can be modified by any logged in user
** Patch added: "firewalld-xenial-security.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/firewalld/+bug/1617617/+attachment/4728933/+files/firewalld-xenial-security.debdiff

** Changed in: firewalld (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: firewalld (Ubuntu)
       Status: New => Confirmed