Shorewall 4.5.21 is now available for testing. Please note that the
release was uploaded twice so be sure that you are getting the latest
versions:
MD5s:
1fcc48a083f55116ca3ddf1a3f9339c5 shorewall-core-4.5.21-Beta1.tar.bz2
2543d3fc838645eddff5c470a58d1036 shorewall-core-4.5.21-Beta1.tgz
66d7f0db9d0637de65579470ef7de9ed shorewall-core-4.5.21-0Beta1.noarch.rpm
59d86312dbc22b27c5dcb68b15cfd8d6 shorewall6-4.5.21-Beta1.tar.bz2
9dec98fc3157ebadfd1e5043c8f028c8 shorewall6-4.5.21-Beta1.tgz
e14d68bec0860f09fcdad8966d4d26c0 shorewall6-4.5.21-0Beta1.noarch.rpm
46dd629f63c7d194848e5194d9862b4c shorewall-4.5.21-Beta1.tar.bz2
e8bf3e20529fedf505823c32ad21dcb5 shorewall-4.5.21-Beta1.tgz
029567f6830a34463fd0d0311bbd55c6 shorewall-4.5.21-0Beta1.noarch.rpm
544f890647097d1b44d762f1860df88d shorewall-lite-4.5.21-Beta1.tar.bz2
4bcefebaaef5e9a459e8775c563f649e shorewall-lite-4.5.21-Beta1.tgz
e8dfad71d1f6025e805d9c80c56e2a8d shorewall-lite-4.5.21-0Beta1.noarch.rpm
5996a98e6b9593e45594175722e0881e shorewall-init-4.5.21-Beta1.tar.bz2
403ecc7cc1438518c9078f7a84793a83 shorewall-init-4.5.21-Beta1.tgz
6585b50657bbede70606071af6de3034 shorewall-init-4.5.21-0Beta1.noarch.rpm
74d6a1674166ad7c371e6017330249ef shorewall6-lite-4.5.21-Beta1.tar.bz2
cc74cab4346bc5595fc5a724de15eb22 shorewall6-lite-4.5.21-Beta1.tgz
5e0f6b934d16580381ce407c9c1a16d6 shorewall6-lite-4.5.21-0Beta1.noarch.rpm
ce7bede0b8c2e6c8703706d3be897ab5 shorewall-docs-xml-4.5.21-Beta1.tar.bz2
9694d0068029224daa0414be0f0a740e shorewall-docs-xml-4.5.21-Beta1.tgz
8cc74de9faaf211afdc86a9e7f03704a shorewall-docs-html-4.5.21-Beta1.tar.bz2
bf98c5122a33fe562d3fd8f998656194 shorewall-docs-html-4.5.21-Beta1.tgz
Problems corrected:
1) ip[6]tables 4.5.20 introduced an incompatible change that causes
the program to fail if there is another instance of either iptables
or ip6tables already running. This behavior can be avoided if the
new -w option is specified.
To work around this problem, the compiler now uses the -w option
(when available) during capabilities determination so that
shorewall and shorewall6 compilations can proceed in parallel.
New Features:
1) When a REJECT target is specified, Shorewall normally handles the
packet as follows:
- If the destination address is a broadcast or multicast address,
the packet is dropped.
- If the protocol is IGMP (1), then the packet is dropped.
- If the protocol is TCP (6) then the packet is rejected with an
RST.
- If the protocol is UDP (17) then the packet is rejected with
a ''port-unreachable'' ICMP (ICMP6).
- If the protocol is ICMP (ICMP6), then the packet is rejected
with a ''host-unreachable''
(''addr-unreachable'') ICMP (ICMP6).
- Otherwise, the packet is rejected with a
''host-prohibited''
(adm-prohibited) ICMP (ICMP6).
Beginning with this release, this behavior may be modified using
the new REJECT_ACTION option in shorewall.conf (shorewall6.conf).
REJECT_ACTION=<action>
where <action> is the name of an action that implements your
alternative handling. The ''nolog'' option is automatically
assumed
for the named <action> and it is recommended that the
''inline''
option be specified for the action in /etc/shorewall/actions.
The following action implements the standard behavior described
above:
?format 2
#TARGET SOURCE DEST PROTO
Broadcast(DROP) - - -
DROP - - 2
INLINE - - 6 ; -j REJECT --reject-with tcp-reset
?if __ENHANCED_REJECT
INLINE - - 17 ; -j REJECT
?if __IPV4
INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
?else
INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
?endif
?else
INLINE - - - ; -j REJECT
?endif
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
The Shorewall team is pleased to announce the availability of Shorewall
4.5.21.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) ip[6]tables 1.4.20 introduced an incompatible change that causes
the program to fail if there is another instance of either iptables
or ip6tables already running. This behavior can be avoided if the
new -w option is specified.
To work around this problem, the compiler now uses the -w option
(when available) during capabilities determination so that
shorewall and shorewall6 compilations can proceed in parallel.
2) Previously, the Shorewall-init installer unconditionally installed
the sysconfig file even when a different SYSCONFFILE was specified.
(Thomas D).
3) /sbin/shorewall-init now includes the correct SYSCONFDIR name in
its error message that reports the absense of
${SYSCONFDIR}/shorewall-init. (Thomas D).
4) /sbin/shorewall-init and the Shorewall-init SysV init scripts now
honor the setting of $OPTIONS.
5) The -lite installers now look in ${SHAREDIR} for the coreversion
file rather than in /usr/share/.
6) If a Shorewall-lite installation used an /etc/shorewall-lite/vardir
file to set a non-standard state directory, the administrative
system would send the firewall and firewall.conf files to the wrong
directory on the firewall system.
7) Previously, the compiler verified ''monthdays''
specifications in the
rules TIME column, but failed to include --monthdays in the
generated rule. That omission has been corrected.
8) The installers now use ''insserv'' on Debian systems to
update the
SysV init symlinks. Previously, update-rc.d was used but that
approach fails on Debian 7.
9) The Multicast DNS macros (mDNS and mDNSbi) now allow the entire
non-priv port range (1024-65535) for the the dynamic unicast
port. Previously, only the Linux 2.6+ dynamic port range
(32768-65535) were allowed.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) When a REJECT target is specified, Shorewall normally handles the
packet as follows:
- If the destination address is a broadcast or multicast address,
the packet is dropped.
- If the protocol is IGMP (1), then the packet is dropped.
- If the protocol is TCP (6) then the packet is rejected with an
RST.
- If the protocol is UDP (17) then the packet is rejected with
a ''port-unreachable'' ICMP (ICMP6).
- If the protocol is ICMP (ICMP6), then the packet is rejected
with a ''host-unreachable''
(''addr-unreachable'') ICMP (ICMP6).
- Otherwise, the packet is rejected with a
''host-prohibited''
(adm-prohibited) ICMP (ICMP6).
Beginning with this release, this behavior may be modified using
the new REJECT_ACTION option in shorewall.conf (shorewall6.conf).
REJECT_ACTION=<action>
where <action> is the name of an action that implements your
alternative handling. The ''nolog'' and
''inline'' options are
automatically assumed for the named <action>.
The following action implements the standard behavior described
above:
?format 2
#TARGET SOURCE DEST PROTO
Broadcast(DROP) - - -
DROP - - 2
INLINE - - 6 ; -j REJECT --reject-with tcp-reset
?if __ENHANCED_REJECT
INLINE - - 17 ; -j REJECT
?if __IPV4
INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
?else
INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
?endif
?else
INLINE - - - ; -j REJECT
?endif
2) In earlier versions, default log levels in shorewall.conf
(shorewall6.conf) were not validated, making it difficult to
determine what setting was causing the following error message:
ERROR: Log level INFO requires LOG Target support in your kernel
and iptables
This change will make log level errors from shorewall.conf and
shorewall6.conf easier to isolate by including the option name.
Example:
ERROR: Log level INFO for option SFILTER_LOG_LEVEL requires LOG
Target support in your kernel and iptables
3) The ''shorewall dump'' command now uses
''ss'' rather than ''netstat'' to
produce socket-related information. By Martin Gignac.
4) Thomas D has provided installer support for Gentoo. Thank you
Thomas!
5) The generated firewall script inserts a host route for each
provider gateway into both the main routing table and into the
provider''s routing table. This is necessary on older kernels to
avoid failure of default route insertion into the tables.
It has been discovered, however, that these host routes prevent
Zebra from being able to add routes on some distributions, most
notably Debian 7.0. To work around this issue, two new provider
options are now available:
hostroute This is the default and causes the host routes
described above to be inserted.
nohostroute Prevents the host routes from being inserted.
6) It was previously not possible for Perl code in an action file to
change the rule comment as is done using the ?COMMENT directive
outside of Perl.
To allow actions to manipulate the current comment, two functions
are made available:
push_comment() Clears the current rule comment and returns
that comment to the caller.
set_comment($) Sets the current rule comment to the passed
string.
Typical usage would be:
?BEGIN PERL
use Shorewall::Config;
...
my $oldcomment = push_comment(); #Save and clear current
#current rule comment
...
set_comment(''This is a comment'');
add_ijump(....); #This rule will have comment
# /* This is a comment */
set_comment(''''); #Clear current rule
comment
add_ijump(....); #This rule has no comment
...
set_comment($oldcomment) #Restore caller''s comment
#if any.
?END PERL
7) The compiler version used to create the current firewall script is
now displayed in the output of the ''status'' and
''version -a''
commands.
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
Hi Tom, Tom Eastep wrote:> The Shorewall team is pleased to announce the availability of Shorewall > 4.5.21. > > [...]Did you miss my mail in shorewall-devel [1] or was it too late for 4.5.21? See also: ========[1] http://thread.gmane.org/gmane.comp.security.shorewall.devel/3970/focus=3973 -Thomas ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
On 10/3/2013 11:19 AM, Thomas D. wrote:> Hi Tom, > > Tom Eastep wrote: >> The Shorewall team is pleased to announce the availability of Shorewall >> 4.5.21. >> >> [...] > > Did you miss my mail in shorewall-devel [1] or was it too late for 4.5.21?My bad -- I thought that I had applied the patch but I had only placed it in my patch directory :-( -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
Hi tom,
Regarding the insserv changes made to
shorewall-init-4.5.21/install.sh script do not seem to work on
debian7!
Installing Debian-specific configuration...
Installing Shorewall Init Version 4.5.21
SysV init script init.debian.sh installed in
/etc/init.d/shorewall-init
Logrotate file installed as /etc/logrotate.d/shorewall-init
/sbin/insserv
insserv: enable: No such file or directory
WARNING: Unable to configure shorewall init to start automatically at
boot
shorewall Init Version 4.5.21 Installed
But if I modify the line in /shorewall-4.5.21/install.sh if insserv
enable; then by
if insserv ${CONFDIR}/init.d/$PRODUCT ; then insserv does not
complain!
Logrotate file installed as /etc/logrotate.d/shorewall-init
/sbin/insserv
Shorewall Init will start automatically at boot
Matt
On 3 Oct 2013 at 9:46, Tom Eastep wrote:
Date sent: Thu, 03 Oct 2013 09:46:48 -0700
From: Tom Eastep <teastep@shorewall.net>
To: Shorewall Announcements <shorewall-announce@lists.sourceforge.net>,
Shorewall Users <shorewall-users@lists.sourceforge.net>
Subject: [Shorewall-users] Shorewall 4.5.21
Send reply to: Shorewall Users <shorewall-users@lists.sourceforge.net>
<mailto:shorewall-users-request@lists.sourceforge.net?subject=unsubscribe>
<mailto:shorewall-users-request@lists.sourceforge.net?subject=subscribe>
> The Shorewall team is pleased to announce the availability of
> Shorewall 4.5.21.
>
> ----------------------------------------------------------------------
> ------
> I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S
> E
> ----------------------------------------------------------------------
> ------
>
> 1) ip[6]tables 1.4.20 introduced an incompatible change that causes
> the program to fail if there is another instance of either
> iptables or ip6tables already running. This behavior can be
> avoided if the new -w option is specified.
>
> To work around this problem, the compiler now uses the -w option
> (when available) during capabilities determination so that
> shorewall and shorewall6 compilations can proceed in parallel.
>
> 2) Previously, the Shorewall-init installer unconditionally installed
> the sysconfig file even when a different SYSCONFFILE was
> specified. (Thomas D).
>
> 3) /sbin/shorewall-init now includes the correct SYSCONFDIR name in
> its error message that reports the absense of
> ${SYSCONFDIR}/shorewall-init. (Thomas D).
>
> 4) /sbin/shorewall-init and the Shorewall-init SysV init scripts now
> honor the setting of $OPTIONS.
>
> 5) The -lite installers now look in ${SHAREDIR} for the coreversion
> file rather than in /usr/share/.
>
> 6) If a Shorewall-lite installation used an
> /etc/shorewall-lite/vardir
> file to set a non-standard state directory, the administrative
> system would send the firewall and firewall.conf files to the
> wrong directory on the firewall system.
>
> 7) Previously, the compiler verified ''monthdays''
specifications in
> the
> rules TIME column, but failed to include --monthdays in the
> generated rule. That omission has been corrected.
>
> 8) The installers now use ''insserv'' on Debian systems to
update the
> SysV init symlinks. Previously, update-rc.d was used but that
> approach fails on Debian 7.
>
> 9) The Multicast DNS macros (mDNS and mDNSbi) now allow the entire
> non-priv port range (1024-65535) for the the dynamic unicast
> port. Previously, only the Linux 2.6+ dynamic port range
> (32768-65535) were allowed.
>
> ----------------------------------------------------------------------
> ------
> I I. K N O W N P R O B L E M S R E M A I N I N G
> ----------------------------------------------------------------------
> ------
>
> 1) On systems running Upstart, shorewall-init cannot reliably secure
> the firewall before interfaces are brought up.
>
> ----------------------------------------------------------------------
> ------
> I I I. N E W F E A T U R E S I N T H I S R E L E A S E
> ----------------------------------------------------------------------
> ------
>
> 1) When a REJECT target is specified, Shorewall normally handles the
> packet as follows:
>
> - If the destination address is a broadcast or multicast address,
> the packet is dropped.
>
> - If the protocol is IGMP (1), then the packet is dropped.
>
> - If the protocol is TCP (6) then the packet is rejected with an
> RST.
>
> - If the protocol is UDP (17) then the packet is rejected with
> a ''port-unreachable'' ICMP (ICMP6).
>
> - If the protocol is ICMP (ICMP6), then the packet is rejected
> with a ''host-unreachable''
(''addr-unreachable'') ICMP (ICMP6).
>
> - Otherwise, the packet is rejected with a
''host-prohibited''
> (adm-prohibited) ICMP (ICMP6).
>
> Beginning with this release, this behavior may be modified using
> the new REJECT_ACTION option in shorewall.conf (shorewall6.conf).
>
> REJECT_ACTION=<action>
>
> where <action> is the name of an action that implements your
> alternative handling. The ''nolog'' and
''inline'' options are
> automatically assumed for the named <action>.
>
> The following action implements the standard behavior described
> above:
>
> ?format 2
> #TARGET SOURCE DEST PROTO
> Broadcast(DROP) - - -
> DROP - - 2
> INLINE - - 6 ; -j REJECT --reject-with tcp-reset
> ?if __ENHANCED_REJECT
> INLINE - - 17 ; -j REJECT
> ?if __IPV4
> INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
> INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited ?else
> INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
> INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
> ?endif ?else INLINE - - - ; -j REJECT ?endif
>
> 2) In earlier versions, default log levels in shorewall.conf
> (shorewall6.conf) were not validated, making it difficult to
> determine what setting was causing the following error message:
>
> ERROR: Log level INFO requires LOG Target support in your
> kernel
> and iptables
>
> This change will make log level errors from shorewall.conf and
> shorewall6.conf easier to isolate by including the option name.
>
> Example:
>
> ERROR: Log level INFO for option SFILTER_LOG_LEVEL requires LOG
> Target support in your kernel and iptables
>
> 3) The ''shorewall dump'' command now uses
''ss'' rather than ''netstat''
> to
> produce socket-related information. By Martin Gignac.
>
> 4) Thomas D has provided installer support for Gentoo. Thank you
> Thomas!
>
> 5) The generated firewall script inserts a host route for each
> provider gateway into both the main routing table and into the
> provider''s routing table. This is necessary on older kernels
to
> avoid failure of default route insertion into the tables.
>
> It has been discovered, however, that these host routes prevent
> Zebra from being able to add routes on some distributions, most
> notably Debian 7.0. To work around this issue, two new provider
> options are now available:
>
> hostroute This is the default and causes the host routes
> described above to be inserted.
>
> nohostroute Prevents the host routes from being inserted.
>
> 6) It was previously not possible for Perl code in an action file to
> change the rule comment as is done using the ?COMMENT directive
> outside of Perl.
>
> To allow actions to manipulate the current comment, two functions
> are made available:
>
> push_comment() Clears the current rule comment and returns
> that comment to the caller.
>
> set_comment($) Sets the current rule comment to the passed
> string.
>
> Typical usage would be:
>
> ?BEGIN PERL
> use Shorewall::Config;
> ...
> my $oldcomment = push_comment(); #Save and clear current
> #current rule comment
> ...
> set_comment(''This is a comment'');
> add_ijump(....); #This rule will have comment
> # /* This is a comment */
> set_comment(''''); #Clear current
rule comment
> add_ijump(....); #This rule has no comment
> ...
> set_comment($oldcomment) #Restore caller''s comment
> #if any.
> ?END PERL
>
> 7) The compiler version used to create the current firewall script is
> now displayed in the output of the ''status'' and
''version -a''
> commands.
>
> Thank you for using Shorewall,
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
On Fri, Oct 04, 2013 at 01:39:32PM +0200, matt darfeuille wrote:> Hi tom, > > Regarding the insserv changes made to > shorewall-init-4.5.21/install.sh script do not seem to work on > debian7! > > Installing Debian-specific configuration... > Installing Shorewall Init Version 4.5.21 > SysV init script init.debian.sh installed in > /etc/init.d/shorewall-init > Logrotate file installed as /etc/logrotate.d/shorewall-init > /sbin/insserv > insserv: enable: No such file or directory >Hi Matt, It looks like you are using upstream tarballs. Can you please try the official Debian ypackages and see if you have the same issue? I installed from the Debian packages I created on two of my servers which I recently updated to Wheezy and I have not encountered the issue you observed. I just uploaded the packages for 4.5.21-1 late last night/early this morning. You can get them http://packages.debian.org, or I have also set up a wheezy repository at my website: http://people.connexer.com/~roberto/debian/ The packages from my website are signed with my GPG key that is in the Debian keyring and they are identical to those found in Sid. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
Hi Roberto, yes I am using upstream tarballs! I should backup a little, I recently send a private e-mail to Tom asking him why the install.sh scripts(shorewall-4.5.21-RC1 and shorewall-init-4.5.21-RC1) were not using insserv as an alternative way to make shorewall start at boot on debian! I saw that Tom had made the changes regarding insserv in shorewall-4.5.21 but while installing shorewall-init-4.5.21 insserv was complaining! As Tom asked me I sent to the list the error and a solution to fix it! I have no doubt that the .deb packages you are providing are error free on debian I was just trying to provide for those of us who want to do it from source the same error free experience!!!:) matt P.S. Before switching to tarballs I was using your repository and I never had any problem installing shorewall on debian! On 4 Oct 2013 at 16:37, Roberto C. Sánchez wrote: Date sent: Fri, 4 Oct 2013 16:37:45 -0400 From: Roberto C. Sánchez <roberto@connexer.com> To: matt darfeuille <matdarf@gmail.com> Copies to: Shorewall Users <shorewall-users@lists.sourceforge.net> Subject: Re: [Shorewall-users] Shorewall 4.5.21> On Fri, Oct 04, 2013 at 01:39:32PM +0200, matt darfeuille wrote: > > Hi tom, > > > > Regarding the insserv changes made to > > shorewall-init-4.5.21/install.sh script do not seem to work on > > debian7! > > > > Installing Debian-specific configuration... > > Installing Shorewall Init Version 4.5.21 > > SysV init script init.debian.sh installed in > > /etc/init.d/shorewall-init > > Logrotate file installed as /etc/logrotate.d/shorewall-init > > /sbin/insserv > > insserv: enable: No such file or directory > > > Hi Matt, > > It looks like you are using upstream tarballs. Can you please try the > official Debian ypackages and see if you have the same issue? I > installed from the Debian packages I created on two of my servers > which I recently updated to Wheezy and I have not encountered the > issue you observed. > > I just uploaded the packages for 4.5.21-1 late last night/early this > morning. You can get them http://packages.debian.org, or I have also > set up a wheezy repository at my website: > http://people.connexer.com/~roberto/debian/ > > The packages from my website are signed with my GPG key that is in the > Debian keyring and they are identical to those found in Sid. > > Regards, > > -Roberto > > -- > Roberto C. Sánchez > http://people.connexer.com/~roberto > http://www.connexer.com >------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk