5.8.5 Archives - rsyslog

rsyslog multiple buxfixes released

By Adiscon SupportPosted on September 1, 2011Posted in News, Release AnnouncementTagged 4.6.8, 4.7.5, 5.8.5, 5.9.3, 6.1.12, 6.3.5, beta, bugfix, devel, release, rsyslog, stable, v4, v5, v6

Hi all,

There has a security issue been identified that can potentially lead to DoS. It is triggered by malformed RFC3164 messages. An abort only happens under very specific environmental trigger factors. Full details can be found in our security advisory here:

http://www.rsyslog.com/potential-dos-with-malformed-tag/

We would like to thank the Red Hat security team for finding this issue and working with us to resolve it.

As a consequence, we have updated all currently active versions. Please note that they do not only contain the fix for the security issue mentioned above but also other stability updates. For obvious reasons, updating to these versions is recommended. For details, please see the relevant ChangeLog.

v4-stable: 4.6.8
v4-beta: 4.7.5
v5-stable: 5.8.5
v5-devel: 5.9.3
v6-beta: 6.1.12
v6-devel: 6.3.5

All versions are available right now. If you do not want to update, you should consider applying an update to older versions. The fix is trivial, so it should apply to all vulnerable versions without problems (but we have not checked the myriad of versions out there). The security advisory contains the details.

The Changelogs and Download Links can be found below:

v4-stable: 4.6.8
ChangeLog: http://www.rsyslog.com/changelog-for-4-6-8-v4-stable/
Download: http://www.rsyslog.com/rsyslog-4-6-8-v4-stable/
v4-beta: 4.7.5
ChangeLog: http://www.rsyslog.com/changelog-for-4-7-5-v4-beta/
Download: http://www.rsyslog.com/rsyslog-4-7-5-v4-beta/
v5-stable: 5.8.5
ChangeLog: http://www.rsyslog.com/changelog-for-5-8-5-v5-stable/
Download: http://www.rsyslog.com/rsyslog-5-8-5-v5-stable/
v5-devel: 5.9.3
ChangeLog: http://www.rsyslog.com/changelog-for-5-9-3-v5-devel/
Download: http://www.rsyslog.com/rsyslog-5-9-3-v5-devel/
v6-beta: 6.1.12
ChangeLog: http://www.rsyslog.com/changelog-for-6-1-12-v6-beta/
Download: http://www.rsyslog.com/rsyslog-6-1-12-v6-beta/
v6-devel: 6.3.5
ChangeLog: http://www.rsyslog.com/changelog-for-6-3-5-v6-devel/
Download: http://www.rsyslog.com/rsyslog-6-3-5-v6-devel/

As always, feedback is appreciated.

Best regards,
Florian Riedl

rsyslog 5.8.5 (v5-stable)

By Adiscon SupportPosted on September 1, 2011Posted in Download, stableTagged 5.8.5, bugfix, Download, security, stable, v5

Download file name: rsyslog 5.8.5 (stable)

rsyslog 5.8.5 (stable)
md5sum: a73cb577cb4bc5b9c8f0d217eb054ad2

Author: Rainer Gerhards (rgerhards@adiscon.com)
Version: 5.8.5 File size: 2.365 MB

Download this file now!

Changelog for 5.8.5 (v5-stable)

By Adiscon SupportPosted on September 1, 2011Posted in ChangelogTagged 5.8.5, bugfix, Changelog, rsyslog, security, stable, v5

Version 5.8.5 [V5-stable] (rgerhards/al), 2011-09-01

bugfix: security: off-by-two bug in legacy syslog parser, CVE-2011-3200
bugfix: mark message processing did not work correctly
bugfix: potential hang condition during tag emulation
bugfix: too-early string termination during tag emulation
bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)
bugfix: fixed incorrect state handling for Discard Action (transactions)
Note: This caused all messages in a batch to be set to COMMITTED, even if they were discarded.