Version in base suite: 1.3.3-1~deb12u1 Base version: firewalld_1.3.3-1~deb12u1 Target version: firewalld_1.3.3-1~deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/firewalld/firewalld_1.3.3-1~deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/firewalld/firewalld_1.3.3-1~deb12u2.dsc changelog | 7 +++++++ patches/CVE-2026-4948.patch | 33 +++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 41 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbg3ldkfo/firewalld_1.3.3-1~deb12u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbg3ldkfo/firewalld_1.3.3-1~deb12u2.dsc: no acceptable signature found
diff -Nru firewalld-1.3.3/debian/changelog firewalld-1.3.3/debian/changelog
--- firewalld-1.3.3/debian/changelog 2023-08-02 14:36:07.000000000 +0000
+++ firewalld-1.3.3/debian/changelog 2026-05-20 08:02:28.000000000 +0000
@@ -1,3 +1,10 @@
+firewalld (1.3.3-1~deb12u2) bookworm; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2026-4948: fix dbus policy for set{ZoneSettings2,PolicySettings}
+
+ -- Andreas Henriksson Wed, 20 May 2026 10:02:28 +0200
+
 firewalld (1.3.3-1~deb12u1) bookworm; urgency=medium

 * Upload to bookworm.
diff -Nru firewalld-1.3.3/debian/patches/CVE-2026-4948.patch firewalld-1.3.3/debian/patches/CVE-2026-4948.patch
--- firewalld-1.3.3/debian/patches/CVE-2026-4948.patch 1970-01-01 00:00:00.000000000 +0000
+++ firewalld-1.3.3/debian/patches/CVE-2026-4948.patch 2026-05-20 08:02:28.000000000 +0000
@@ -0,0 +1,33 @@
+From: Sizhe Zhao
+Date: Tue, 31 Mar 2026 20:46:50 +0800
+Subject: fix(policy): use PK_ACTION_CONFIG for
+ set{ZoneSettings2,PolicySettings}
+
+Reference: https://access.redhat.com/security/cve/cve-2026-4948
+(cherry picked from commit 5fb3914ad830feff6cb2b0670457c60a323c6c6c)
+---
+ src/firewall/server/firewalld.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 895e963..6142a8d 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -925,7 +925,7 @@ class FirewallD(slip.dbus.service.Object):
+ log.debug1("getZoneSettings2(%s)", zone)
+ return self.fw.zone.get_config_with_settings_dict(zone)
+
+- @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++ @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sa{sv}')
+ @dbus_handle_exceptions
+ def setZoneSettings2(self, zone, settings, sender=None):
+@@ -949,7 +949,7 @@ class FirewallD(slip.dbus.service.Object):
+ log.debug1("policy.getPolicySettings(%s)", policy)
+ return self.fw.policy.get_config_with_settings_dict(policy)
+
+- @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++ @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICY, in_signature='sa{sv}')
+ @dbus_handle_exceptions
+ def setPolicySettings(self, policy, settings, sender=None):
diff -Nru firewalld-1.3.3/debian/patches/series firewalld-1.3.3/debian/patches/series
--- firewalld-1.3.3/debian/patches/series 2023-08-02 14:36:07.000000000 +0000
+++ firewalld-1.3.3/debian/patches/series 2026-05-20 08:02:22.000000000 +0000
@@ -1,2 +1,3 @@
 Remove-etc-sysconfig-firewalld-support.patch
 Switch-to-python3.patch
+CVE-2026-4948.patch
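Review bot: In debian/patches/CVE-2026-4948.patch, the two corrected decorators on `setZoneSettings2` and `setPolicySettings` (inner hunks at 925 and 949) carry no comment explaining why a setter must not share the polkit action of the getter directly above it. That is how the wrong action most likely got there in the first place, by copying the neighbouring decorator stack. A one-line comment above each changed decorator would guard against a repeat, for example `# Changes runtime configuration: require PK_ACTION_CONFIG, never the query-only PK_ACTION_CONFIG_INFO`. Only these two methods are visible here, so it is worth confirming that no other state-changing D-Bus method in src/firewall/server/firewalld.py is still gated on `PK_ACTION_CONFIG_INFO`, and that a test asserts the required action for each method. Both method bodies continue outside the hunks.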