FEDORA-2016-d2828a4793

security update in Fedora 23 for firewalld

Status: obsolete

Support Recognition of Automatic Helper Assignment Setting

Automatic helper assignment has been disabled in kernel 4.7. firewalld version 0.4.4 is now able to recognize this and to create rules if automatic helper assignment has been turned off to make conntrack helpers work again. If automatic helper assignment is turned on, then firewalld will behave as before.

For more information about the use of netfilter conntrack helper, please have a look at http://www.firewalld.org/2016/10/automatic-helper-assignment

Firewall-applet is now using Qt5

The firewall applet has been ported from Qt4 to Qt5.

Fixes LogDenied for zone reject targets

The logging rules for LogDenied have been placed after the reject rules for zones using the reject targets. The logging rules are now placed before these reject rules to fix logging.

Does not abort transaction on failed ipv6_rpfilter rules

The existing transaction will be executed before trying to add the rules for ipv6_rpfilter and a new transaction will be used to apply the ipv6_rpfiler rules. If this transaction fails, a warning is printed out and the remaining rules are applied with the next transaction.

Enhancements for the command line tools

The command line tools are now more consistent with errors and error codes in sequence options. The NOT_AUTHORIZED error is now also working.

New services

The services cfengine, condor-collector and smtp-submission have been added.

firewall-config: Use proper source check in sourceDialog (issue #162)

firewallctl: Use sys.excepthook to force exception_handler usage always

firewallctl: Support helpers

Several other enhancements and fixes


  • Fix CVE-2016-5410: Firewall configuration can be modified by any logged in user
  • firewall/server/firewalld: Make getXSettings and getLogDenied CONFIG_INFO
  • Update AppData configuration file.
  • tests/firewalld_rich.py: Use new import structure and FirewallClient classes
  • tests/firewalld_direct.py: Use new import structure
  • tests: firewalld_direct: Fix assert to check for True instead of False
  • tests: firewalld_config: Fix expected value when querying the zone target
  • tests: firewalld_config: Use real nf_conntrack modules
  • firewalld.spec: Added comment about make call for %build
  • firewall-config: Use also width_request and height_request with default size
  • Updated firewall-config screenshot
  • firewall-cmd: Fixed typo in help output (#1367171)
  • test-suite: Ignore stderr to get default zone also for missing firewalld.conf
  • firewall.core.logger: Warnings should be printed to stderr per default
  • firewall.core.fw_nm: Ignore NetworkManager if NM.Client connect fails
  • firewall-cmd, firewallctl: Gracefully fail if SystemBus can not be aquired
  • firewall.client: Generate new DBUS_ERROR if SystemBus can not be aquired
  • test-suite: Do not fail on ALREADY_ENABLED --add-destination tests
  • firewall.command: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings
  • doc/xml/firewalld.dbus.xml: Removed undefined reference
  • doc/xml/transform-html.xsl.in: Fixed references in the document
  • doc/xml/firewalld.{dbus,zone}.xml: Embed programlisting in para
  • doc/xml/transform-html.xsl.in: Enhanced html formatting closer to the man page
  • firewall: core: fw_nm: Instantiate the NM client only once
  • firewall/core/io/*.py: Do not traceback on a general sax parsing issue
  • firewall-offline-cmd: Fix --{add,remove}-entries-from-file
  • firewall-cmd: Add missing action to fix --{add,remove}-entries-from-file
  • firewall.core.prog: Do not output stderr, but return it in the error case
  • firewall.core.io.ifcfg.py: Fix ifcfg file reader and writer (#1362171)
  • config/firewall.service.in: use KillMode=mixed
  • config/firewalld.service.in: use network-pre.target
  • firewall-config: Add missing gettext.textdomain call to fix translations
  • Add UDP to transmission-client.xml service
  • tests/firewall-[offline-]cmd_test.sh: Hide errors and warnings
  • firewall.client: Fix ALREADY_ENABLED errors in icmptype destination calls
  • firewall.client: Fix NOT_ENABLED errors in icmptype destination calls
  • firewall.client: Use {ALREADY,NOT}_ENABLED errors in icmptype destination calls
  • firewall.command: Add the removed FirewallError handling to the action (a17ce50)
  • firewall.command: Do not use query methods for sequences and also single options
  • Add missing information about MAC and ipset sources to man pages and help output
  • firewalld.spec: Add BuildRequires for libxslt to enable rebuild of man pages
  • firewall[-offline]-cmd, firewallctl, firewall.command: Use sys.{stdout,stderr}
  • firewallctl: Fix traceback if not connected to firewalld
  • firewall-config: Initialize value in on_richRuleDialogElementChooser_clicked
  • firewall.command: Convert errors to string for Python3
  • firewall.command: Get proper firewall error code from D-BusExceptions
  • firewall-cmd: Fixed traceback without args
  • Add missing service files to Makefile.am
  • shell-completion: Add shell completion support for --{get,set}--{description,short}

Comments 7

This update has been submitted for testing by twoerner.

This update has obsoleted firewalld-0.4.3.3-1.fc23, and has inherited its bugs and notes.

This update has been pushed to testing.

no regressions noted

karma: +1

seems fine

karma: +1

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

This update has been obsoleted by firewalld-0.4.4.2-1.fc23.

Add Comment & Feedback

Please login to add feedback.

Content Type
RPM
Status
obsolete
Test Gating
Submitted by
Update Type
security
Update Severity
medium
Karma
+2
stable threshold: 3
unstable threshold: -3
Autopush (karma)
Enabled
Autopush (time)
Disabled
Dates
submitted 2 years ago
in testing 2 years ago

Related Bugs 7

00 #1297235 samba browsing blocked even with the samba-client service enabled, works with connection/interface in 'trusted' zone
00 #1358380 firewall-cmd crashes if /run/dbus/system_bus_socket does not exist
00 #1361589 firewall-config error when using pt-BR language
00 #1363741 firewall-cmd ipset --add-entries-from-file regression
00 #1367381 CVE-2016-5410 firewalld: Firewall configuration can be modified by any logged in user [fedora-all]
00 #1380168 Firewalld cause any ftp client to get "host unknown" when go in passive mode connecting with ip address
00 #1390961 firewalld does not allow connections to VPN PPTP server

Automated Test Results