Changelog for 6.3.7 (v6-devel)
Version 6.3.7 [DEVEL] 2012-02-02
- imported refactored v5.9.6 imklog linux driver, now combined with BSD driver
- removed imtemplate/omtemplate template modules, as this was a waste of time
The actual input/output modules are better copy templates. Instead, the now-removed modules cost time for maintenance AND often caused confusion on what their role was.
- added new stats objects
- improved support for new v6 config system. The built-in output modules now all support the new config language
- bugfix: facility local<x> was not correctly interpreted in legacy filters
Was only accepted if it was the first PRI in a multi-filter PRI. Thanks to forum user Mark for bringing this to our attention.
- bugfix: potential abort after reading invalid X.509 certificate
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=290
Thanks to Tomas Heinrich for the patch
- bugfix: legacy parsing of some filters did not work correctly
- bugfix: rsyslog aborted during startup if there is an error in loading an action and legacy configuration mode is used
- bugfix: bsd klog driver no longer compiled
- relicensed larger parts of the code under Apache (ASL) 2.0
Changelog for 6.2.0 (v6-stable)
ChangeLog (from 6.1.12 to 6.2.0):
- bugfix (kind of): removed numerical part from pri-text
see v6 compatibility document for reasons
- bugfix: race condition when extracting program name, APPNAME, structured data and PROCID (RFC5424 fields) could lead to invalid characters e.g. in dynamic file names or during forwarding (general malfunction of these fields in templates, mostly under heavy load)
- bugfix: imuxsock no longer ignored the message-provided timestamp, if so configured (the *default*). This led to timestamps no longer being sub-second.
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=281
- bugfix: omfile returns fatal error code for things that go really wrong
previously, RS_RET_RESUME was returned, which led to a loop inside the rule engine as omfile could not really recover.
- bugfix: rsyslogd -v always said 64 atomics were not present
thanks to mono_matsuko for the patch
- bugfix: potential abort after reading invalid X.509 certificate
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=290
Thanks to Tomas Heinrich for the patch
- $Begin, $End, $StrictScoping directives have been removed as v6.4 will provide the same functionality in a far better way. So we do not want to clutter the code.
Changelog for 5.9.4 (v5-devel)
Version 5.9.4 [V5-DEVEL], 2011-11-29
- imuxsock: added capability to “annotate” messages with “trusted information”, which contains some properties obtained from the system and as such is sure to not be faked. This is inspired by the similar idea introduced in systemd.
- removed dependency on gcrypt for recently-enough GnuTLS
see: http://bugzilla.adiscon.com/show_bug.cgi?id=289
- bugfix: imuxsock no longer ignored the message-provided timestamp, if so configured (the *default*). This led to timestamps no longer being sub-second.
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=281
- bugfix: omfile returns fatal error code for things that go really wrong
previously, RS_RET_RESUME was returned, which led to a loop inside the rule engine as omfile could not really recover.
- bugfix: rsyslogd -v always said 64 atomics were not present
thanks to mono_matsuko for the patch
Changelog for 5.8.6 (v5-stable)
Version 5.8.6 [V5-stable] 2011-10-21
- bugfix: missing whitespace after property-based filter was not detected
- bugfix: $OMFileFlushInterval period was doubled – now using correct value
- bugfix: ActionQueue could malfunction due to index error
Thanks to Vlad Grigorescu for the patch
- bugfix: $ActionExecOnlyOnce interval did not work properly
Thanks to Tomas Heinrich for the patch
- bugfix: race condition when extracting program name, APPNAME, structured data and PROCID (RFC5424 fields) could lead to invalid characters e.g. in dynamic file names or during forwarding (general malfunction of these fields in templates, mostly under heavy load)
- bugfix: imuxsock no longer ignored the message-provided timestamp, if so configured (the *default*). This led to timestamps no longer being sub-second.
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=281
- bugfix: omfile returns fatal error code for things that go really wrong
previously, RS_RET_RESUME was returned, which led to a loop inside the rule engine as omfile could not really recover.
- bugfix: imfile made an invalid system call under some circumstances when a file that was to be monitored did not exist BUT the state file actually existed. Mostly a cosmetic issue. Root cause was incomplete error checking in stream.c; so patch may affect other code areas.
- bugfix: rsyslogd -v always said 64 atomics were not present
Thanks to mono_matsuko for the patch
Changelog for 6.3.5 (v6-devel)
Version 6.3.5 [DEVEL] (rgerhards/al), 2011-09-01
- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
- bugfix: mark message processing did not work correctly
- imudp&imtcp now report error if no listener at all was defined
Thanks to Marcin for suggesting this error message.
- bugfix: potential misaddressing in property replacer
Changelog for 5.9.3 (v5-devel)
Version 5.9.3 [V5-DEVEL], 2011-09-01
- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
- bugfix: mark message processing did not work correctly
- added capability to emit config error location info for warnings
otherwise, omusrmsg’s warning about new config format was not accompanied by problem location.
- bugfix: potential misaddressing in property replacer
- bugfix: MSGID corruption in RFC5424 parser under some circumstances
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=275
- bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)
Potential DoS with malformed TAG
If a malformed, severely too long TAG is used in legacy (RFC3164) syslog messages, rsyslog can abort based on the conditions described in this security advisory.
CVE: CVE-2011-3200
Affected Stable Versions:
v4.6.0 to 4.6.7 (inclusive)
v5.2.0 to 5.8.4 (inclusive)
Devel and Beta versions are probably also affected, but are not suitable for production and thus not analyzed in detail. Version 3 is not affected. Versions prior to 3 have not been analyzed.
Fix:
Update to 4.6.8 or 5.8.5. The fix is also included in the following non-beta versions: 4.7.5, 5.9.3, 6.1.12, 6.3.5.
For non-current affected versions, the following patches can most probably be applied: v4, v5. Note that due to the myriad of different versions we cannot provide individual patches for all outdated versions (and in general it is less secure to run outdated versions).
Short Description:
An excessively long TAG inside a legacy syslog message can lead to a two-byte stack buffer overflow. If rsyslog has been compiled with stack guard, this can lead to an abort. This has been seen on 32-bit platforms, but not on 64-bit ones (though it is not ruled out there). If not compiled with stack guard, no fatal problem occurs and the tag character is usually just truncated. Exact behaviour depends on the platform and may be slightly different with compilers other than gcc and/or on non-Intel architecture machines.
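An added illustration of the bug class described above (not rsyslog's source and not part of the advisory): a tag copy whose loop bound forgets the trailing ':' and NUL, next to a bound that reserves those two bytes. TAG_MAXSIZE, the function names and the sample message are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_MAXSIZE 32   /* hypothetical buffer size chosen for the demo */

/* Flawed bound: the loop may consume TAG_MAXSIZE tag characters, after which
 * ':' and NUL still have to be stored. To stay memory-safe this function
 * writes nothing; it returns how many bytes such a parser would store. */
size_t tag_bytes_flawed(const char *msg, size_t len)
{
    size_t i = 0;
    while (i < len && msg[i] != ':' && msg[i] != ' ' && i < TAG_MAXSIZE)
        ++i;
    if (i < len && msg[i] == ':')
        ++i;                     /* the trailing ':' */
    return i + 1;                /* plus the terminating NUL */
}

/* Corrected bound: two bytes are reserved for ':' and NUL, so an over-long
 * tag is truncated. Returns the number of bytes stored, NUL included. */
size_t tag_copy_bounded(const char *msg, size_t len, char out[TAG_MAXSIZE])
{
    size_t i = 0;
    while (i < len && msg[i] != ':' && msg[i] != ' ' && i < TAG_MAXSIZE - 2) {
        out[i] = msg[i];
        ++i;
    }
    if (i < len && msg[i] == ':')
        out[i++] = ':';
    out[i] = '\0';
    return i + 1;
}

/* Constructed input: a tag of n 'A' characters followed by ": x". */
size_t make_msg(char *buf, size_t n)
{
    memset(buf, 'A', n);
    memcpy(buf + n, ": x", 3);
    return n + 3;
}

int main(void)
{
    char msg[TAG_MAXSIZE + 8], out[TAG_MAXSIZE];
    size_t len = make_msg(msg, TAG_MAXSIZE);
    printf("flawed: %zu, bounded: %zu, buffer: %d bytes\n",
           tag_bytes_flawed(msg, len), tag_copy_bounded(msg, len, out), TAG_MAXSIZE);
    return 0;
}
```

With a tag of exactly TAG_MAXSIZE characters the flawed bound needs two bytes more than the buffer holds, while the corrected bound truncates the tag and stays inside it.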
rsyslog 6.3.3 config format improvements
In rsyslog 6.3.3, the config processor has finally changed. The old legacy processor (and with it the early RainerScript implementation) is thrown out and has been replaced by the so-called RainerScript processor (why that crazy name?). This is an extremely important step for rsyslog, as it now has the foundation for a much better and more intuitive rsyslog.conf format. However, most of that can not be seen in 6.3.3, as it requires more work, especially in the plugin arena. Still, there are a couple of smaller improvements available.
Most importantly, the performance of script based filters has been considerably enhanced. Preliminary testing shows a three times speedup (we’ll do more benchmarking at a later stage; there is also still lots of room for optimization ;-)).
The ugliness of continuation lines has been removed. They may still be used, and this may make a lot of sense with some actions, but you are usually no longer forced to use continuation lines. Take this config snippet from a leading distro:
    if ( \
        /* kernel up to warning except of firewall */ \
        ($syslogfacility-text == 'kern') and \
        ($syslogseverity <= 4 /* warning */ ) and not \
        ($msg contains 'IN=' and $msg contains 'OUT=') \
    ) or ( \
        /* up to errors except of facility authpriv */ \
        ($syslogseverity <= 3 /* errors */ ) and not \
        ($syslogfacility-text == 'authpriv') \
    ) \
    then /dev/tty10
    & |/dev/xconsole
This can now be written as follows:
    if (
        /* kernel up to warning except of firewall */
        ($syslogfacility-text == 'kern') and
        ($syslogseverity <= 4 /* warning */ ) and not
        ($msg contains 'IN=' and $msg contains 'OUT=')
    ) or (
        /* up to errors except of facility authpriv */
        ($syslogseverity <= 3 /* errors */ ) and not
        ($syslogfacility-text == 'authpriv')
    )
    then /dev/tty10
    & |/dev/xconsole
Changelog for 4.7.4 (v4-beta)
Version 4.7.4 [v4-beta] (rgerhards), 2011-07-11
- added support for the “:omusrmsg:” syntax in configuring user messages
- added support for the “:omfile:” syntax in configuring user messages
- added $LocalHostName config directive
- bugfix: PRI was invalid on Solaris for message from local log socket
- bugfix: local hostname was pulled too-early, so that some config
directives (namely FQDN settings) did not have any effect
- bugfix: atomic increment for msg object may not work correctly on all
platforms. Thanks to Chris Metcalf for the patch
- bugfix: a slightly more informative error message when a TCP
connection is aborted
Changelog for 6.3.2 (v6-devel)
Version 6.3.2 [DEVEL] (rgerhards), 2011-07-06
- added support for the “:omusrmsg:” syntax in configuring user messages
- systemd support: set stdout/stderr to null – thx to Lennart for the patch
- added support for obtaining timestamp for kernel message from message
If the kernel time-stamps messages, time is now taken from that
timestamp instead of the system time when the message was read. This
provides much better accuracy. Thanks to Lennart Poettering for
suggesting this feature and his help during implementation.
- added support for obtaining timestamp from system for imuxsock
This permits reading the time a message was submitted to the system
log socket. Most importantly, this is provided in microsecond resolution.
So we are able to obtain high precision timestamps even for messages
that were – as is usual – not formatted with them. This also simplifies
things in regard to local time calculation in chroot environments.
Many thanks to Lennart Poettering for suggesting this feature,
providing some guidance on implementing it and coordinating getting the
necessary support into the Linux kernel.
- bugfix: timestamp was incorrectly calculated for timezones with minute
offset
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=271
- bugfix: memory leak in imtcp & subsystems under some circumstances
This leak is tied to error conditions which lead to incorrect cleanup
of some data structures.
