Bug#658830: libpam-shield: doesn't block any IP when allow_missing_dns=no

[Laurentiu Pancescu]

Package: libpam-shield
Version: 0.9.2-3.2 
Severity: grave
Tags: security
With allow_missing_dns and allow_missing_reverse set to "no" (default 
configuration in Squeeze), pam_shield doesn't take any action 
whatsoever, besides logging the IP. If I set both variables to "yes", 
the IPs are null-routed as expected. I tested by connecting via SSH from 
a system without DNS records.

This seems to be a bug fixed upstream in September 2010 [1]. Is this 
package still actively maintained in Debian? Upstream seems to be quite 
active, but the Debian changelog doesn't seem to suggest any code 
changes since December 2007.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set 
LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory 
ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-shield depends on:
ii  libc6                 2.11.3-2           Embedded GNU C Library: 
Shared lib
ii  libgdbm3              1.8.3-9            GNU dbm database routines 
(runtime
ii  libpam0g              1.1.1-6.1+squeeze1 Pluggable Authentication 
Modules l

libpam-shield recommends no packages.

Versions of packages libpam-shield suggests:
ii  iproute                       20100519-3 networking and traffic 
control too
ii  iptables                      1.4.8-3    administration tools for 
packet fi

-- Configuration Files:
/etc/security/shield.conf changed:
debug on
block all-users
allow_missing_dns yes
allow_missing_reverse yes
allow localhost
db /var/lib/pam_shield/db
trigger_cmd /usr/sbin/shield-trigger
max_conns 3
interval 1h
retention 1w

-- debconf information:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = "en_US:en",
        LC_ALL = (unset),
        LC_CTYPE = "UTF-8",
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org