[Secure-testing-team] Bug#862485: fwsnort mustn't set iptables rules when purged
Adrian Bunk
bunk at debian.org
Sat May 13 14:03:14 UTC 2017
Package: fwsnort
Version: 1.6.5-3
Severity: critical
Tags: security
The #861999 fix adds the following on purging:
grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore
Imagine the following:
1. today I install fwsnort and try it
2. later today I uninstall it
3. 2 years later I purge all long-removed packages
This would in 2 years set the iptables rules to what they
were today before I shortly played with fwsnort.
A case could be made for "fwsnort --ipt-flush" in prerm.
Or considering that activating any fwsnort rules is not done
automatically and that the package should not interfere with
what the admin has done.
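The stale-restore scenario above, modelled as an added shell example (not from the bug report or the fwsnort package): a check that compares the admin's rules in the saved file with the rules currently loaded, so a maintainer script could notice that restoring the save file would revert something. The chain name FWSNORT_INPUT, the file names and both rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect whether restoring a saved fwsnort ruleset would
# change rules the admin has configured since the file was written.
# Nothing here runs iptables; both rulesets are constructed inline.

# Keep only admin rules: drop fwsnort-owned lines (as the #861999 fix
# does with grep -v FWSNORT), plus the timestamp comments and COMMIT.
strip_fwsnort() {
    grep -v 'FWSNORT' "$1" | grep -v '^#' | grep -v '^COMMIT$'
}

# Return 0 if restoring the saved file ($1) leaves the admin rules of
# the current ruleset ($2) unchanged, 1 if it would revert them.
restore_is_safe() {
    [ "$(strip_fwsnort "$1")" = "$(strip_fwsnort "$2")" ]
}

# Constructed fixtures: the save file from the day fwsnort was tried,
# and the live ruleset two years later (admin has since opened 443).
write_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/fwsnort.save" <<'EOF'
# Generated by iptables-save on the day fwsnort was tried (constructed)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j FWSNORT_INPUT
COMMIT
EOF
    cat > "$dir/current.save" <<'EOF'
# Generated by iptables-save two years later (constructed)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
    echo "$dir"
}
```

In a real maintainer script the second argument would be the output of `iptables-save` taken at purge time; a mismatch is exactly the situation in which blindly piping the old file into `iptables-restore` reverts the admin's rules.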