Potential DoS with malformed TAG
If a malformed, severely too long TAG is used in legacy (RFC3164) syslog messages, rsyslog can abort based on the conditions described in this security advisory.
CVE: CVE-2011-3200
Affected Stable Versions:
v4.6.0 to 4.6.7 (inclusive)
v5.2.0 to 5.8.4 (inclusive)
Devel and Beta versions are probably also affected, but are not suitable for production and thus not analyzed in detail. Version 3 is not affected. Versions prior to 3 have not been analyzed.
Fix:
Update to 4.6.8 or 5.8.5. The fix is also included in the following non-beta versions: 4.7.5, 5.9.3, 6.1.12, 6.3.5.
For non-current affected versions, the following patches can most probably be applied: v4, v5. Note that due to the myriad of different versions we cannot provide individual patches for all outdated versions (and in general it is less secure to run outdated versions).
Short Description:
An excessively long TAG inside a legacy syslog message can lead to a two-byte stack buffer overflow. If rsyslog has been compiled with stack guard, this can lead to an abort. This has been seen on 32-bit platforms, but not on 64-bit ones (though it is not ruled out there). If not compiled with stack guard, no fatal problem occurs and the tag character is usually just truncated. Exact behaviour depends on the platform and may be slightly different with compilers other than gcc and/or on non-Intel architecture machines.
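The bounds handling this description turns on, as an added example (not rsyslog's code and not the project's patch): a TAG copy routine that reserves room for the characters it appends after the copy loop, so an over-long TAG is truncated instead of written past the buffer. TAG_BUF_SIZE, extract_tag and long_tag_stays_in_bounds are names assumed for this illustration.

```c
#include <stddef.h>
#include <string.h>

#define TAG_BUF_SIZE 32  /* assumed size for this example, not rsyslog's */

/* Copy the TAG that starts an RFC3164 message body ("TAG: text") into out.
 * Two bytes of out are reserved for the trailing ':' and the NUL, so the
 * copy loop can never run past the end. Returns input bytes consumed and
 * sets *truncated when the TAG was longer than the buffer allows. */
size_t extract_tag(const char *msg, size_t msg_len,
                   char *out, size_t out_size, int *truncated)
{
    size_t in = 0, n = 0;
    size_t limit = out_size >= 2 ? out_size - 2 : 0;

    *truncated = 0;
    if (out_size == 0)
        return 0;
    while (in < msg_len && msg[in] != ':' && msg[in] != ' ') {
        if (n < limit)
            out[n++] = msg[in];
        else
            *truncated = 1;   /* keep consuming input, stop storing */
        in++;
    }
    if (in < msg_len && msg[in] == ':') {
        if (out_size >= 2)
            out[n++] = ':';
        in++;
    }
    out[n] = '\0';
    return in;
}

/* Constructed test input: a 200-byte TAG. Guard bytes placed directly
 * after the buffer must keep their value if nothing is written past it. */
int long_tag_stays_in_bounds(void)
{
    struct { char tag[TAG_BUF_SIZE]; unsigned char guard[2]; } s;
    char msg[256];
    int truncated;

    memset(msg, 'A', 200);
    memcpy(msg + 200, ": x", 4);
    s.guard[0] = s.guard[1] = 0xA5;
    size_t used = extract_tag(msg, strlen(msg), s.tag, sizeof s.tag, &truncated);
    return used == 201 && truncated && strlen(s.tag) == TAG_BUF_SIZE - 1
        && s.guard[0] == 0xA5 && s.guard[1] == 0xA5;
}
```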
rsyslog 5.8.4 (v5-stable) released
This release contains several bugfixes for potential misaddressing in the property replacer, memcpy overflow in allowed sender checking and more. For more detailed information, please read the changelog.
ChangeLog:
http://www.rsyslog.com/changelog-for-5-8-4-v5-stable/
Download:
http://www.rsyslog.com/rsyslog-5-8-4-v5-stable/
As always, feedback is appreciated.
Best regards,
Florian Riedl
rsyslog 5.8.4 (v5-stable)
Download file name: rsyslog 5.8.4 (stable)
md5sum: a2c2a65ac84d9a895c52a754aff61986
Author: Rainer Gerhards (rgerhards@adiscon.com)
Version: 5.8.4 File size: 2.357 MB
Changelog for 5.8.4 (v5-stable)
Version 5.8.4 [V5-stable] (al), 2011-08-10
- bugfix: potential misaddressing in property replacer
- bugfix: memcpy overflow can occur in allowed sender checking if a name is resolved to IPv4-mapped-on-IPv6 address
  Found by Ismail Dömez at Suse
- bugfix: MSGID corruption in RFC5424 parser under some circumstances
  closes: http://bugzilla.adiscon.com/show_bug.cgi?id=275
rsyslog 6.3.4 (devel)
Download file name: rsyslog 6.3.4 (devel)
md5sum: ff995409137125bf9fcc8b74196c35bc
Author: Rainer Gerhards (rgerhards@adiscon.com)
Version: 6.3.4 File size: 2.473 MB
rsyslog 6.3.4 (devel) released
This release brings bugfixes and further improvements to the rule engine. Most importantly, the (scoped, RainerScript-based) action object is now available. This enables users to get some early experience with the new system’s advanced features. Note that output plugins must support the new system. With this release, omfile and omusrmsg have been upgraded to support it. The next minor releases will bring more output module support for scoped actions.
Documentation for the new capabilities is upcoming at http://www.rsyslog.com/doc/node1.html
ChangeLog:
http://www.rsyslog.com/changelog-for-6-3-4-v6-devel/
Download:
http://www.rsyslog.com/rsyslog-6-3-4-devel/
As always, feedback is appreciated.
Best regards,
Florian Riedl
Changelog for 6.3.4 (v6-devel)
Version 6.3.4 [DEVEL] (rgerhards), 2011-08-02
- added support for action() config object
  - in rsyslog core engine
  - in omfile
  - in omusrmsg
- bugfix: omusrmsg format usr1,usr2 was no longer supported
- bugfix: misaddressing in config handler. In theory, can cause segfault, in practice this is extremely unlikely. Thanks to Marcin for alerting me.
rsyslog 6.3.3 (devel) released
This is a very important milestone release. It features the new config parser and thus provides the basis for a more intuitive config format. With 6.3.3 there are already some enhancements to the format. However, more changes will come up with the next minor releases. For details, please check this link:
http://www.rsyslog.com/rsyslog-6-3-3-config-format-improvements/
It is worth noting that the performance of script-based filters (“if … then”) has been notably improved. Preliminary benchmarks show an improvement of at least a factor of three (more detailed benchmarks will be done after the new scoped object statements have been introduced).
We would appreciate early adoption of this release. One goal in releasing it is to see if the new parser actually is able to handle all legacy configurations found in practice (note that the parser was written from scratch).
ChangeLog:
http://www.rsyslog.com/changelog-for-6-3-3-v6-devel/
Download:
http://www.rsyslog.com/rsyslog-6-3-3-devel/
As always, feedback is appreciated.
Best regards,
Tom Bergfeld
rsyslog 6.3.3 (devel)
Download file name: rsyslog 6.3.3 (devel)
md5sum: f0ef4a1760eaf4498fba3f5bdc969d8e
Author: Rainer Gerhards (rgerhards@adiscon.com)
Version: 6.3.3 File size: 2.4 MB
Changelog for 6.3.3 (v6-devel)
Version 6.3.3 [DEVEL] (rgerhards), 2011-07-13
- rsyslog.conf format: now parsed by RainerScript parser
  this provides the necessary base for future enhancements as well as some
  minor immediate ones. For details see: http://blog.gerhards.net/2011/07/rsyslog-633-config-format-improvements.html
- performance of script-based filters notably increased
- removed compatibility mode as we expect people have adjusted their
  confs by now
- added support for the “:omfile:” syntax for actions
