From 296ea4d3bd1221cad4ac9a59df807ed68673250c Mon Sep 17 00:00:00 2001 
From: Thomas Woerner
Date: Tue, 16 Aug 2016 22:21:51 +0200
Subject: [PATCH] New version 0.4.3.3

- Fix CVE-2016-5410: Firewall configuration can be modified by any logged in user
- firewall/server/firewalld: Make getXSettings and getLogDenied CONFIG_INFO
- Update AppData configuration file.
- tests/firewalld_rich.py: Use new import structure and FirewallClient classes
- tests/firewalld_direct.py: Use new import structure
- tests: firewalld_direct: Fix assert to check for True instead of False
- tests: firewalld_config: Fix expected value when querying the zone target
- tests: firewalld_config: Use real nf_conntrack modules
- firewalld.spec: Added comment about make call for %build
- firewall-config: Use also width_request and height_request with default size
- Updated firewall-config screenshot
- firewall-cmd: Fixed typo in help output (RHBZ#1367171)
- test-suite: Ignore stderr to get default zone also for missing firewalld.conf
- firewall.core.logger: Warnings should be printed to stderr per default
- firewall.core.fw_nm: Ignore NetworkManager if NM.Client connect fails
- firewall-cmd, firewallctl: Gracefully fail if SystemBus can not be acquired
- firewall.client: Generate new DBUS_ERROR if SystemBus can not be acquired
- test-suite: Do not fail on ALREADY_ENABLED --add-destination tests
- firewall.command: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings
- doc/xml/firewalld.dbus.xml: Removed undefined reference
- doc/xml/transform-html.xsl.in: Fixed references in the document
- doc/xml/firewalld.{dbus,zone}.xml: Embed programlisting in para
- doc/xml/transform-html.xsl.in: Enhanced html formatting closer to the man page
- firewall: core: fw_nm: Instantiate the NM client only once
- firewall/core/io/*.py: Do not traceback on a general sax parsing issue
- firewall-offline-cmd: Fix --{add,remove}-entries-from-file
- firewall-cmd: Add missing action to fix --{add,remove}-entries-from-file
- firewall.core.prog: Do not output stderr, but return it in the error case
- firewall.core.io.ifcfg.py: Fix ifcfg file reader and writer (RHBZ#1362171)
- config/firewall.service.in: use KillMode=mixed
- config/firewalld.service.in: use network-pre.target
- firewall-config: Add missing gettext.textdomain call to fix translations
- Add UDP to transmission-client.xml service
- tests/firewall-[offline-]cmd_test.sh: Hide errors and warnings
- firewall.client: Fix ALREADY_ENABLED errors in icmptype destination calls
- firewall.client: Fix NOT_ENABLED errors in icmptype destination calls
- firewall.client: Use {ALREADY,NOT}_ENABLED errors in icmptype destination calls
- firewall.command: Add the removed FirewallError handling to the action (a17ce50)
- firewall.command: Do not use query methods for sequences and also single options
- Add missing information about MAC and ipset sources to man pages and help output
- firewalld.spec: Add BuildRequires for libxslt to enable rebuild of man pages
- firewall[-offline]-cmd, firewallctl, firewall.command: Use sys.{stdout,stderr}
- firewallctl: Fix traceback if not connected to firewalld
- firewall-config: Initialize value in on_richRuleDialogElementChooser_clicked
- firewall.command: Convert errors to string for Python3
- firewall.command: Get proper firewall error code from D-BusExceptions
- firewall-cmd: Fixed traceback without args
- Add missing service files to Makefile.am
- shell-completion: Add shell completion support for --{get,set}--{description,short}
- Updated RHEL-7 selinux-policy and squid conflict
---
 .gitignore     |  1 +
 firewalld.spec | 69 +++++++++++++++++++++++++++++++++++++++++++++++---
 sources        |  2 +-
 3 files changed, 68 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore index 3f80fc6..6e4dd15 100644 --- a/.gitignore +++ b/.gitignore @@ -40,3 +40,4 @@ /firewalld-0.4.2.tar.bz2 /firewalld-0.4.3.1.tar.bz2 /firewalld-0.4.3.2.tar.bz2 +/firewalld-0.4.3.3.tar.bz2 diff --git a/firewalld.spec b/firewalld.spec index ae74cb1..c641ba8 100644 --- a/firewalld.spec
+++ b/firewalld.spec @@ -7,8 +7,8 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld -Version: 0.4.3.2 -Release: 2%{?dist} +Version: 0.4.3.3 +Release: 1%{?dist} URL: http://www.firewalld.org License: GPLv2+ Source0: https://fedorahosted.org/released/firewalld/%{name}-%{version}.tar.bz2 @@ -27,6 +27,7 @@ BuildRequires: intltool BuildRequires: glib2, glib2-devel BuildRequires: systemd-units BuildRequires: docbook-style-xsl +BuildRequires: libxslt BuildRequires: python2-devel BuildRequires: iptables, ebtables, ipset %if 0%{?with_python3} @@ -52,7 +53,8 @@ Conflicts: selinux-policy < 3.13.1-191.fc24.3 Conflicts: selinux-policy < 3.13.1-199 %endif %if 0%{?rhel} >= 7 -Conflicts: selinux-policy < 3.13.1-84 +Conflicts: selinux-policy < 3.13.1-89 +Conflicts: squid < 7:3.5.10-1 %endif %if 0%{?fedora} > 21 @@ -159,6 +161,9 @@ sed -i 's|/usr/bin/python|%{__python3}|' %{py3dir}/config/lockdown-whitelist.xml %build %configure --enable-sysconfig --enable-rpmmacros +# Enable the make line if there are patches affecting man pages to +# regenerate them +# make %{?_smp_mflags} %if 0%{?with_python3} pushd %{py3dir} 
@@ -397,6 +402,64 @@ fi %{_mandir}/man1/firewall-config*.1* %changelog +* Tue Aug 16 2016 Thomas Woerner - 0.4.3.3-1 +- Fix CVE-2016-5410: Firewall configuration can be modified by any logged in + user +- firewall/server/firewalld: Make getXSettings and getLogDenied CONFIG_INFO +- Update AppData configuration file. +- tests/firewalld_rich.py: Use new import structure and FirewallClient classes +- tests/firewalld_direct.py: Use new import structure +- tests: firewalld_direct: Fix assert to check for True instead of False +- tests: firewalld_config: Fix expected value when querying the zone target +- tests: firewalld_config: Use real nf_conntrack modules +- firewalld.spec: Added comment about make call for %build +- firewall-config: Use also width_request and height_request with default size +- Updated firewall-config screenshot +- firewall-cmd: Fixed typo in help output (RHBZ#1367171) +- test-suite: Ignore stderr to get default zone also for missing firewalld.conf +- firewall.core.logger: Warnings should be printed to stderr per default +- firewall.core.fw_nm: Ignore NetworkManager if NM.Client connect fails +- firewall-cmd, firewallctl: Gracefully fail if SystemBus can not be aquired +- firewall.client: Generate new DBUS_ERROR if SystemBus can not be aquired +- test-suite: Do not fail on ALREADY_ENABLED --add-destination tests +- firewall.command: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings +- doc/xml/firewalld.dbus.xml: Removed undefined reference +- doc/xml/transform-html.xsl.in: Fixed references in the document +- doc/xml/firewalld.{dbus,zone}.xml: Embed programlisting in para +- doc/xml/transform-html.xsl.in: Enhanced html formatting closer to the man page +- firewall: core: fw_nm: Instantiate the NM client only once +- firewall/core/io/*.py: Do not traceback on a general sax parsing issue +- firewall-offline-cmd: Fix --{add,remove}-entries-from-file +- firewall-cmd: Add missing action to fix --{add,remove}-entries-from-file +- 
firewall.core.prog: Do not output stderr, but return it in the error case +- firewall.core.io.ifcfg.py: Fix ifcfg file reader and writer (RHBZ#1362171) +- config/firewall.service.in: use KillMode=mixed +- config/firewalld.service.in: use network-pre.target +- firewall-config: Add missing gettext.textdomain call to fix translations +- Add UDP to transmission-client.xml service +- tests/firewall-[offline-]cmd_test.sh: Hide errors and warnings +- firewall.client: Fix ALREADY_ENABLED errors in icmptype destination calls +- firewall.client: Fix NOT_ENABLED errors in icmptype destination calls +- firewall.client: Use {ALREADY,NOT}_ENABLED errors in icmptype destination + calls +- firewall.command: Add the removed FirewallError handling to the action + (a17ce50) +- firewall.command: Do not use query methods for sequences and also single + options +- Add missing information about MAC and ipset sources to man pages and help + output +- firewalld.spec: Add BuildRequires for libxslt to enable rebuild of man pages +- firewall[-offline]-cmd, firewallctl, firewall.command: Use sys.{stdout,stderr} +- firewallctl: Fix traceback if not connected to firewalld +- firewall-config: Initialize value in on_richRuleDialogElementChooser_clicked +- firewall.command: Convert errors to string for Python3 +- firewall.command: Get proper firewall error code from D-BusExceptions +- firewall-cmd: Fixed traceback without args +- Add missing service files to Makefile.am +- shell-completion: Add shell completion support for + --{get,set}--{description,short} +- Updated RHEL-7 selinux-policy and squid conflict + * Tue Jul 19 2016 Fedora Release Engineering - 0.4.3.2-2 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages diff --git a/sources b/sources index e3c973f..0e2a058 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -048e618eced9bde697ccff9de98d2230 firewalld-0.4.3.2.tar.bz2 +ecf7f90f765d662073088b7ac8346e5d firewalld-0.4.3.3.tar.bz2
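
Review bot: In the `%if 0%{?rhel} >= 7` block of firewalld.spec (hunk `@@ -52,7 +53,8 @@`), the new `Conflicts: squid < 7:3.5.10-1` line and the raised selinux-policy floor (3.13.1-84 to 3.13.1-89) carry no comment or bug reference, and the changelog only says "Updated RHEL-7 selinux-policy and squid conflict". Please add a one-line comment above each Conflicts line naming the issue it works around, so a later rebase can tell when the constraint is safe to drop.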
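
Review bot: The commented-out line `# make %{?_smp_mflags}` added under %build (hunk `@@ -159,6 +161,9 @@`) contains an unescaped macro, and rpm expands macros inside comments; write it as `# make %%{?_smp_mflags}`. The comment should also mention that the new `BuildRequires: libxslt` exists for this case, since the changelog ties libxslt to rebuilding man pages but the spec comment does not.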
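
Review bot: The first entry of the new %changelog block, "Fix CVE-2016-5410: Firewall configuration can be modified by any logged in user", has no bug reference, while other entries in the same block cite one (RHBZ#1367171, RHBZ#1362171). Please add the tracking bug for the CVE so the security fix can be traced from the package metadata; the fix itself is not visible in this diff and arrives only with the 0.4.3.3 tarball. The entry "Added comment about make call for %build" also leaves a bare `%` in %changelog and should be escaped as `%%build`.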
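
Review bot: The one-line change in `sources` is the only thing binding this build to the firewalld-0.4.3.3.tar.bz2 that carries the CVE-2016-5410 fix, and the commit does not say how that tarball was verified. Please note in the commit message that the new digest was checked against the upstream release referenced by Source0, given that the entry is a 32-hex-digit digest and the security fix cannot be reviewed from the spec changes alone.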