rsyslog

The rocket-fast system for log processing

Changelog for 5.8.5 (v5-stable)

By Adiscon SupportPosted on Posted in ChangelogTagged , , , , , ,

Version 5.8.5  [V5-stable] (rgerhards/al), 2011-09-01

  • bugfix: security: off-by-two bug in legacy syslog parser, CVE-2011-3200
  • bugfix: mark message processing did not work correctly
  • bugfix: potential hang condition during tag emulation
  • bugfix: too-early string termination during tag emulation
  • bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)
  • bugfix: fixed incorrect state handling for Discard Action (transactions)
    Note: This caused all messages in a batch to be set to COMMITTED, even if they were discarded.

Changelog for 4.6.8 (v4-stable)

By Adiscon SupportPosted on Posted in ChangelogTagged , , , , , , ,

Version 4.6.8  [v4-stable] (rgerhards), 2011-09-01

  • bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
  • bugfix: potential misadressing in property replacer
  • bugfix: memcpy overflow can occur in allowed sender checking if a name is resolved to IPv4-mapped-on-IPv6 address
    Found by Ismail Dönmez at suse
  • bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)

Potential DoS with malformed TAG

By Adiscon SupportPosted on Posted in Security Advisories

If a malformed, severely too long TAG is used in legacy (RFC3164) syslog messages, rsyslog can abort based on the conditions described in this security advisory.

CVE: CVE-2011-3200

Affected Stable Versions:
v4.6.0 to 4.6.7 (inclusive)
v5.2.0 to 5.8.4 (inclusive)

Devel and Beta versions are probably also affected, but are not suitable for production and thus not analyzed in detail. Version 3 is not affeceted. Versions prior to 3 have not been analyzed.

Fix:
Update to 4.6.8 or 5.8.5.  The fix is also included in the following non-beta versions: 4.7.5, 5.9.3, 6.1.12, 6.3.5.
For non current affected versions, the following patches can most probably be applied: v4, v5. Note that due to the myriad of different versions we can not provide individual patches for all outdated versions (and in general it is less secure to run outdated versions).

Short Description:
An excessively long TAG inside a legacy syslog message can lead to a two-byte stack buffer overflow. If rsyslog has been compiled with stack guard, this can lead to an abort. This has been seen on 32bit platforms, but not on 64 bit ones (though not outruled there). If not compiled with stack guard, no fatal problem occurs and the tag character is usually just truncated. Exact behaviour depends on the platform and may be slightly different on compilers different from gcc and/or non-Intel architecture machines.

Continue reading “Potential DoS with malformed TAG”

rsyslog 5.8.4 (v5-stable) released

By Adiscon SupportPosted on Posted in News, Release AnnouncementTagged , , , , ,

This release contains several bugfixes for potential misadressing in the property replacer, memcpy overflow in allowed sender checking and more. For more detailed information, please read the changelog.

ChangeLog:

http://www.rsyslog.com/changelog-for-5-8-4-v5-stable/

Download:

http://www.rsyslog.com/rsyslog-5-8-4-v5-stable/

As always, feedback is appreciated.

Best regards,
Florian Riedl

rsyslog 6.3.4 (devel) released

By Adiscon SupportPosted on Posted in News, Release AnnouncementTagged , , , , ,

This release brings bugfixes and further improvements to the rule engine. Most importantly, the (scoped, RainerScript-based) action object is now available. This enables users to get some early experience with the new system’s advanced features. Note that output plugins must support the new system. With this release, omfile and omusrmsg have been upgraded to support it. The next minor releases will bring more output module support for scoped actions.

Documentation for the new capabilities is upcoming at http://www.rsyslog.com/doc/node1.html

ChangeLog:

http://www.rsyslog.com/changelog-for-6-3-4-v6-devel/

Download:

http://www.rsyslog.com/rsyslog-6-3-4-devel/

As always, feedback is appreciated.

Best regards,

Florian Riedl

Scroll to top