Debian Bug report logs - #646112
Missing upstream's 'helper' file

version graph

Package: shorewall; Maintainer for shorewall is Roberto C. Sanchez <roberto@connexer.com>; Source for shorewall is src:shorewall.

Reported by: Alexander Turcic <alexander@mobileread.com>

Date: Fri, 21 Oct 2011 12:45:02 UTC

Severity: normal

Found in versions shorewall/4.4.7.4-1, shorewall/4.4.11.6-3

Fixed in versions shorewall/4.4.17-1, shorewall/4.4.11.6-3+squeeze1

Done: roberto@connexer.com (Roberto C. Sanchez)

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Roberto C. Sanchez <roberto@connexer.com>:
Bug#646112; Package shorewall. (Fri, 21 Oct 2011 12:45:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Turcic <alexander@mobileread.com>:
New Bug report received and forwarded. Copy sent to Roberto C. Sanchez <roberto@connexer.com>. (Fri, 21 Oct 2011 12:45:10 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Alexander Turcic <alexander@mobileread.com>
To: <submit@bugs.debian.org>
Subject: Missing upstream's 'helper' file
Date: Fri, 21 Oct 2011 14:32:11 +0200
Package: shorewall
Version: 4.4.11.6-3

Squeeze shorewall 4.4.11.6-3 does not ship with upstream's 
/usr/share/shorewall/helpers file.

The consequence is that if the user sets LOAD_HELPERS_ONLY=Yes in the 
/etc/shorewall/shorewall.conf configuration, some essential helper 
modules won't be loaded (e.g. nf_conntrack_ftp, nf_nat_ftp, 
nf_conntrack_sip). This leads to broken and unexpected behavior.

Not checked: the shorewall6 package could be missing the file, too.




Information forwarded to debian-bugs-dist@lists.debian.org, Roberto C. Sanchez <roberto@connexer.com>:
Bug#646112; Package shorewall. (Fri, 21 Oct 2011 19:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roberto C. Sánchez <roberto@connexer.com>:
Extra info received and forwarded to list. Copy sent to Roberto C. Sanchez <roberto@connexer.com>. (Fri, 21 Oct 2011 19:21:06 GMT) Full text and rfc822 format available.

Message #10 received at 646112@bugs.debian.org (full text, mbox):

From: Roberto C. Sánchez <roberto@connexer.com>
To: Alexander Turcic <alexander@mobileread.com>, 646112@bugs.debian.org
Subject: Re: Bug#646112: Missing upstream's 'helper' file
Date: Fri, 21 Oct 2011 15:18:34 -0400
[Message part 1 (text/plain, inline)]
On Fri, Oct 21, 2011 at 02:32:11PM +0200, Alexander Turcic wrote:
> Package: shorewall
> Version: 4.4.11.6-3
> 
> Squeeze shorewall 4.4.11.6-3 does not ship with upstream's
> /usr/share/shorewall/helpers file.
> 
> The consequence is that if the user sets LOAD_HELPERS_ONLY=Yes in
> the /etc/shorewall/shorewall.conf configuration, some essential
> helper modules won't be loaded (e.g. nf_conntrack_ftp, nf_nat_ftp,
> nf_conntrack_sip). This leads to broken and unexpected behavior.
> 
Would any of this brokenness constitute a security problem?  I ask
because the version that is affected is the version Debian stable.  An
update will require justification to the release managers as to why it
should be included in the next point release.  That justification needs
to be based on severity of the problem and possibly any security-related
impacts that the issue may have.

> Not checked: the shorewall6 package could be missing the file, too.
> 
You are correct that this affects shorewall6 as well.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Roberto C. Sanchez <roberto@connexer.com>:
Bug#646112; Package shorewall. (Sat, 22 Oct 2011 17:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Turcic <alexander@mobileread.com>:
Extra info received and forwarded to list. Copy sent to Roberto C. Sanchez <roberto@connexer.com>. (Sat, 22 Oct 2011 17:12:03 GMT) Full text and rfc822 format available.

Message #15 received at 646112@bugs.debian.org (full text, mbox):

From: Alexander Turcic <alexander@mobileread.com>
To: Roberto C. Sánchez <roberto@connexer.com>
Subject: Re: Bug#646112: Missing upstream's 'helper' file
Date: Sat, 22 Oct 2011 19:01:00 +0200
On 21.10.2011 21:18, Roberto C. Sánchez wrote:
> Would any of this brokenness constitute a security problem?  I ask
> because the version that is affected is the version Debian stable.  
> An

Assuming you have LOAD_HELPERS_ONLY=Yes (which isn't the default), you 
could run into issues. Certainly Shorewall support for SIP, FTP, Amanda 
and others relies on the loading of these helper modules and not having 
them loaded will lead to unintended consequences.

To answer your question, I cannot see an immediate security threat, but 
I am probably the wrong person to ask as I am not a firewall expert.




Information forwarded to debian-bugs-dist@lists.debian.org, Roberto C. Sanchez <roberto@connexer.com>:
Bug#646112; Package shorewall. (Sat, 22 Oct 2011 18:39:41 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roberto C. Sánchez <roberto@connexer.com>:
Extra info received and forwarded to list. Copy sent to Roberto C. Sanchez <roberto@connexer.com>. (Sat, 22 Oct 2011 18:39:41 GMT) Full text and rfc822 format available.

Message #20 received at 646112@bugs.debian.org (full text, mbox):

From: Roberto C. Sánchez <roberto@connexer.com>
To: Alexander Turcic <alexander@mobileread.com>, 646112@bugs.debian.org
Subject: Re: Bug#646112: Missing upstream's 'helper' file
Date: Sat, 22 Oct 2011 14:32:43 -0400
[Message part 1 (text/plain, inline)]
On Sat, Oct 22, 2011 at 07:01:00PM +0200, Alexander Turcic wrote:
> 
> To answer your question, I cannot see an immediate security threat,
> but I am probably the wrong person to ask as I am not a firewall
> expert.
> 
I have consulted with upstream, there is not a security issue here, but
it is still broken behavior.  I am going to inquire to the stable
release managers about including this in the next point release.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
[signature.asc (application/pgp-signature, inline)]

Bug 646112 cloned as bugs 646280, 646281, 646282. Request was from Roberto C. Sanchez <roberto@connexer.com> to control@bugs.debian.org. (Sat, 22 Oct 2011 20:51:05 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions shorewall/4.4.17-1. Request was from Roberto C. Sanchez <roberto@connexer.com> to control@bugs.debian.org. (Sat, 22 Oct 2011 20:51:16 GMT) Full text and rfc822 format available.

Bug Marked as found in versions shorewall/4.4.7.4-1. Request was from Roberto C. Sanchez <roberto@connexer.com> to control@bugs.debian.org. (Sat, 22 Oct 2011 21:00:07 GMT) Full text and rfc822 format available.

Reply sent to Roberto C. Sánchez <roberto@connexer.com>:
You have taken responsibility. (Tue, 01 Nov 2011 23:39:06 GMT) Full text and rfc822 format available.

Notification sent to Alexander Turcic <alexander@mobileread.com>:
Bug acknowledged by developer. (Tue, 01 Nov 2011 23:39:06 GMT) Full text and rfc822 format available.

Message #31 received at 646112-done@bugs.debian.org (full text, mbox):

From: Roberto C. Sánchez <roberto@connexer.com>
To: 646112-done@bugs.debian.org, 646280-done@bugs.debian.org
Subject: Closing
Date: Tue, 1 Nov 2011 19:36:15 -0400
[Message part 1 (text/plain, inline)]
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
[signature.asc (application/pgp-signature, inline)]

Reply sent to roberto@connexer.com (Roberto C. Sanchez):
You have taken responsibility. (Thu, 03 Nov 2011 20:03:09 GMT) Full text and rfc822 format available.

Notification sent to Alexander Turcic <alexander@mobileread.com>:
Bug acknowledged by developer. (Thu, 03 Nov 2011 20:03:09 GMT) Full text and rfc822 format available.

Message #36 received at 646112-close@bugs.debian.org (full text, mbox):

From: roberto@connexer.com (Roberto C. Sanchez)
To: 646112-close@bugs.debian.org
Subject: Bug#646112: fixed in shorewall 4.4.11.6-3+squeeze1
Date: Thu, 03 Nov 2011 20:00:59 +0000
Source: shorewall
Source-Version: 4.4.11.6-3+squeeze1

We believe that the bug you reported is fixed in the latest version of
shorewall, which is due to be installed in the Debian FTP archive:

shorewall-common_4.4.11.6-3+squeeze1_all.deb
  to main/s/shorewall/shorewall-common_4.4.11.6-3+squeeze1_all.deb
shorewall-perl_4.4.11.6-3+squeeze1_all.deb
  to main/s/shorewall/shorewall-perl_4.4.11.6-3+squeeze1_all.deb
shorewall-shell_4.4.11.6-3+squeeze1_all.deb
  to main/s/shorewall/shorewall-shell_4.4.11.6-3+squeeze1_all.deb
shorewall_4.4.11.6-3+squeeze1.debian.tar.gz
  to main/s/shorewall/shorewall_4.4.11.6-3+squeeze1.debian.tar.gz
shorewall_4.4.11.6-3+squeeze1.dsc
  to main/s/shorewall/shorewall_4.4.11.6-3+squeeze1.dsc
shorewall_4.4.11.6-3+squeeze1_all.deb
  to main/s/shorewall/shorewall_4.4.11.6-3+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 646112@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez <roberto@connexer.com> (supplier of updated shorewall package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 29 Oct 2011 14:14:21 -0400
Source: shorewall
Binary: shorewall shorewall-shell shorewall-perl shorewall-common
Architecture: source all
Version: 4.4.11.6-3+squeeze1
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Roberto C. Sanchez <roberto@connexer.com>
Changed-By: Roberto C. Sanchez <roberto@connexer.com>
Description: 
 shorewall  - Shoreline Firewall, netfilter configurator
 shorewall-common - Shoreline Firewall, netfilter configurator - transition package
 shorewall-perl - Shoreline Firewall, netfilter configurator - transition package
 shorewall-shell - Shoreline Firewall, netfilter configurator - transition package
Closes: 646112
Changes: 
 shorewall (4.4.11.6-3+squeeze1) stable-proposed-updates; urgency=low
 .
   * Install missing /usr/share/shorewall/helpers (Closes: #646112)
Checksums-Sha1: 
 fc0b77c7d900d04df71b292342ef2a19b6690ba2 1961 shorewall_4.4.11.6-3+squeeze1.dsc
 56df634b4cee77dd8347343f18bb270d05da4ec5 41231 shorewall_4.4.11.6-3+squeeze1.debian.tar.gz
 2af3dc935475c70a1ae8fd8a318e86d576b7843b 377594 shorewall_4.4.11.6-3+squeeze1_all.deb
 125fa3f51eaa2d10a66f89c96dc701601d2242ed 38830 shorewall-shell_4.4.11.6-3+squeeze1_all.deb
 be92c859f4d9f58111491e3a838b6cf94615f57d 38822 shorewall-perl_4.4.11.6-3+squeeze1_all.deb
 c04670b0ee966a68ceffdedff0f823725981a4ec 38824 shorewall-common_4.4.11.6-3+squeeze1_all.deb
Checksums-Sha256: 
 69a33dc9d2c8f3f7628feb460f81ab605e2306b5729e59911e7933d0568abc26 1961 shorewall_4.4.11.6-3+squeeze1.dsc
 6edd15e5a0f1b1d3dd6880f26d9273ab9685f27dbadc09d5c97e90499c4126f0 41231 shorewall_4.4.11.6-3+squeeze1.debian.tar.gz
 1b129a004727d62b4691790aa8e3e6fbf077f27f312233693929675ba490fcfc 377594 shorewall_4.4.11.6-3+squeeze1_all.deb
 8a3435fb69743087bbf37238a1ec08a8308e31353f3079bb2dbf51501b98c6ec 38830 shorewall-shell_4.4.11.6-3+squeeze1_all.deb
 f15f7274c74764438f8479351fc36a5850348a2cbd920f1a42fba5485c9e0275 38822 shorewall-perl_4.4.11.6-3+squeeze1_all.deb
 b574b10de06b557aa81520ffa34f0fde080ac9ec13f1e651e010abdae7b4455f 38824 shorewall-common_4.4.11.6-3+squeeze1_all.deb
Files: 
 9f74b9f78615a1b3ce9dfdd0a4f5615a 1961 net optional shorewall_4.4.11.6-3+squeeze1.dsc
 15bbe6daf6028a6fbef8ab70b055de29 41231 net optional shorewall_4.4.11.6-3+squeeze1.debian.tar.gz
 f81fe8fa0f4bf55743afefa718464047 377594 net optional shorewall_4.4.11.6-3+squeeze1_all.deb
 de4ae8c255a763582bc549eced073899 38830 net optional shorewall-shell_4.4.11.6-3+squeeze1_all.deb
 40b6cef094b413f905421130cf79c3c5 38822 net optional shorewall-perl_4.4.11.6-3+squeeze1_all.deb
 c78494ffb8073f5aa74f72b860436eb9 38824 net optional shorewall-common_4.4.11.6-3+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCAAGBQJOrHtuAAoJECzXeF7dp7IP2e0P/jguMK+neDMCgrJ7cnIzye5J
eGYjDVLXqAhhdEoAogHS3SW/6QFqdyT/E5D0US4YWLeFD3ZiJzTXW0KqhfpaC3Kn
DWszbabrcg9QAOf4bJYhAEU9AR9G4HJWVfqPmmhVszWppSo2IEGtFTgRd2JKGRd4
CRlTMhgRuXi/typKeRsu679+Kh6zt7xIulLyKjEI6FInvRSI7uOr2p26vme8QMGL
KupkkGdi3vD5VWO0kTuzmybNyPGvwyeFirEMdjkggU0cBDtDO5tg66ue7fXPX5f0
jV/kk8E7VkNNPeANBBEARRaXqgxvlA3eMmLtyoTaajF33lHKtPpxvlOn9cHKjlZy
91nV7I54Am8yPhEMeQGvTmNOzIX9/OynimMqjzEVPliEuBWTGr5eSQVOT6AfOjrG
Nv0Fp7wf/6C+hAiluVx4Tg+jih2nVtRyyrCedSh0krs0JM+/jLPs62Z74G5Q6KdE
PcqDKBdUWB8VW3Y3Yc+n1fHoXe4FdoD/Sv/h4JlDrVCnhmNlOb/wyx+IVgtWaWcH
vRzS3gQt5YGw81rUK0REqQYXc/coWD8n/r1IS9T7+1QnDAsR+7wvZHm/esOV977v
0FRRW0VJO5BeeltkIDHq84/bxnoX53ghvgqlgl7XFt+AY55ruAUql53LWq05SwQp
IXs3eXqwWCydaB8uYhI4
=v9KS
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 Dec 2011 07:32:21 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 05:40:48 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.