diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm
index 283b2b514..0b7d30772 100644
--- a/Shorewall-Website/News.htm
+++ b/Shorewall-Website/News.htm
@@ -19,8 +19,82 @@ Texts. A copy of the license is included in the section entitled “GNU Free
Documentation License”.
2005-07-14
+
2005-07-17
+A security vulnerability has been discovered which affects all supported +stable versions of Shorewall. This vulnerability enables a client +accepted by MAC address filtering to bypass any other rule. If +MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set +to "ACCEPT" in /etc/shorewall/shorewall.conf (default is MACLIST_TTL=0 and +MACLIST_DISPOSITION=REJECT), and a client is positively identified through +its MAC address, it bypasses all other policies/rules in place, thus +gaining access to all open services on the firewall. +
+ ++For Shorewall 2.2.x or 2.4.x, set MACLIST_TTL=0 or MACLIST_DISPOSITION=REJECT +in /etc/shorewall/shorewall.conf. For Shorewall 2.0.x, set +MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf. MACLIST +filtering is of limited on Internet-connected hosts, and the Shorewall team +recommends this approach to be used if possible. +
+ ++For Shorewall 2.4.x, a fixed version of the 'firewall' script is available at: +http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall +and +http://slovakia.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall. +
+ ++For Shorewall 2.2.x, a fixed version of the 'firewall' script is available at: +http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall +and +http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall. +
+ ++For Shorewall 2.0.x, a fixed version of the 'firewall' script is available at: +http://shorewall.net/pub/shorewall/errata/2.0.17/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall +and +http://slovakia.shorewall.net/pub/shorewall/errata/2.0.17/firewall. +
+ ++Users of any version before 2.0.17 are urged to upgrade to a supported +version of Shorewall (preferably 2.4.1) before using the fixed +files. Only the most recent version of the 2.0.x and 2.2.x +streams will be supported by the development team, and the 1.x branches +are no longer maintained at all. Future releases of Shorewall will +include this fix. +
+ +This information was based on +Patrick +Blitz's post to the Full Disclosure mailing list. Thanks to +Supernaut (supernaut at ns dot sympatico dot ca) for reporting this bug. +
+
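Review bot: The workaround paragraph says to set "MACLIST_TTL=0 or MACLIST_DISPOSITION=REJECT" for 2.2.x and 2.4.x, but the first paragraph says the bypass applies when MACLIST_TTL is greater than 0 or MACLIST_DISPOSITION is "ACCEPT". If either condition alone is enough to trigger the bypass, a host that follows only one half of the workaround can still be exposed. The text should read "MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT", or state explicitly why one setting suffices. In the same paragraph, "MACLIST filtering is of limited on Internet-connected hosts" is missing a noun (presumably "use" or "value"), and "recommends this approach to be used if possible" does not say whether "this approach" means the configuration workaround or avoiding MAC filtering altogether. Since this is a security notice, it is worth making that sentence unambiguous. Finally, the three sets of errata links for the fixed 'firewall' script are plain http with no checksum or signature next to them. Consider listing a digest or a signature file beside each link so users can verify the replacement script they download from a mirror.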