[Shorewall-announce] URGENT: Shorewall Security Vulnerability

Tom Eastep teastep at shorewall.net
Mon Jun 28 13:02:24 PDT 2004


Javier Fernández-Sanguino Peña has discovered an exploitable 
vulnerability in the way that Shorewall handles temporary files and 
directories. The vulnerability can allow a non-root user to cause 
arbitrary files on the system to be overwritten. LEAF Bering and Bering 
uClibc users are generally not at risk due to the fact that LEAF boxes 
do not typically allow logins by non-root users.

For 2.0 users, the problem is corrected in version 2.0.3a:

	http://shorewall.net/pub/shorewall/shorewall-2.0.3a
	ftp://shorewall.net/pub/shorewall/shorewall-2.0.3a

For 1.4 users, the correct version is:

	http://shorewall.net/pub/shorewall/shorewall-1.4.10f
	ftp://shorewall.net/pub/shorewall/shorewall-1.4.10f

I would appreciate immediate feedback on the 1.4.10f version; given that 
I don't have any 1.4 systems remaining, I couldn't fully test that code.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net




More information about the Shorewall-announce mailing list