Changelog for 5.10.0 (v5-stable)
Version 5.10.0 [V5-STABLE], 2012-08-23
NOTE: this is the new rsyslog v5-stable, incorporating all changes from the 5.9.x series. In addition to that, it contains the fixes and enhancements listed below in this entry.
- bugfix: delayable source could block action queue, even if there was a disk queue associated with it. The root cause of this problem was that it makes no sense to delay messages once they arrive in the action queue – the “input” that is being held in that case is the main queue worker, which makes no sense.
Thanks to Marcin for alerting us to this problem and providing instructions to reproduce it.
- bugfix: disk queue was not persisted on shutdown, regression of fix to
http://bugzilla.adiscon.com/show_bug.cgi?id=299
The new code also handles the case of shutdown of blocking light and full delayable sources somewhat smarter and permits, assuming sufficient timeouts, to persist messages up to the max queue capacity. Also some nits in debug instrumentation have been fixed.
- add small delay (50ms) after sending shutdown message
There seem to be cases where the shutdown message is otherwise not processed, not even on an idle system.
Thanks to Marcin for bringing this problem up.
- support for resolving huge groups
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=310
Thanks to Alec Warner for the patch
- bugfix: potential hang due to mutex deadlock
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=316
Thanks to Andreas Piesk for reporting & analyzing this bug as well as providing patches and other help in resolving it.
- bugfix: property PROCID empty instead of proper nilvalue if not present
If it is not present, it must have the nilvalue “-” per RFC5424
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=332
Thanks to John N for reporting this issue.
- bugfix: “last message repeated n times” message was missing hostname
Thanks to Zdenek Salvet for finding this bug and to Bodik for reporting
- bugfix: multiple main queues with same queue file name were not detected
This led to queue file corruption. While the root cause is a config error, it is a bug that this important and hard to find config error was not detected by rsyslog.
Changelog for 6.3.7 (v6-devel)
Version 6.3.7 [DEVEL] 2012-02-02
- imported refactored v5.9.6 imklog linux driver, now combined with BSD driver
- removed imtemplate/omtemplate template modules, as this was a waste of time
The actual input/output modules are better copy templates. Instead, the now-removed modules cost time for maintenance AND often caused confusion on what their role was.
- added new stats objects
- improved support for new v6 config system. The built-in output modules now all support the new config language
- bugfix: facility local<x> was not correctly interpreted in legacy filters
Was only accepted if it was the first PRI in a multi-filter PRI. Thanks to forum user Mark for bringing this to our attention.
- bugfix: potential abort after reading invalid X.509 certificate
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=290
Thanks to Tomas Heinrich for the patch
- bugfix: legacy parsing of some filters did not work correctly
- bugfix: rsyslog aborted during startup if there is an error in loading an action and legacy configuration mode is used
- bugfix: bsd klog driver no longer compiled
- relicensed larger parts of the code under Apache (ASL) 2.0
Changelog for 6.2.0 (v6-stable)
ChangeLog (from 6.1.12 to 6.2.0):
- bugfix (kind of): removed numerical part from pri-text; see v6 compatibility document for reasons
- bugfix: race condition when extracting program name, APPNAME, structured data and PROCID (RFC5424 fields) could lead to invalid characters e.g. in dynamic file names or during forwarding (general malfunction of these fields in templates, mostly under heavy load)
- bugfix: imuxsock no longer ignored the message-provided timestamp, if so configured (the *default*). This led to timestamps that were no longer sub-second.
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=281
- bugfix: omfile returns fatal error code for things that go really wrong. Previously, RS_RET_RESUME was returned, which led to a loop inside the rule engine as omfile could not really recover.
- bugfix: rsyslogd -v always said 64 atomics were not present
Thanks to mono_matsuko for the patch
- bugfix: potential abort after reading invalid X.509 certificate
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=290
Thanks to Tomas Heinrich for the patch
- $Begin, $End, $StrictScoping directives have been removed as v6.4 will provide the same functionality in a far better way. So we do not want to clutter the code.
Changelog for 5.9.4 (v5-devel)
Version 5.9.4 [V5-DEVEL], 2011-11-29
- imuxsock: added capability to “annotate” messages with “trusted information”, which contains some properties obtained from the system and as such is sure to not be faked. This is inspired by the similar idea introduced in systemd.
- removed dependency on gcrypt for recently-enough GnuTLS
see: http://bugzilla.adiscon.com/show_bug.cgi?id=289
- bugfix: imuxsock no longer ignored the message-provided timestamp, if so configured (the *default*). This led to timestamps that were no longer sub-second.
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=281
- bugfix: omfile returns fatal error code for things that go really wrong. Previously, RS_RET_RESUME was returned, which led to a loop inside the rule engine as omfile could not really recover.
- bugfix: rsyslogd -v always said 64 atomics were not present
Thanks to mono_matsuko for the patch
Changelog for 5.8.6 (v5-stable)
Version 5.8.6 [V5-stable] 2011-10-21
- bugfix: missing whitespace after property-based filter was not detected
- bugfix: $OMFileFlushInterval period was doubled – now using correct value
- bugfix: ActionQueue could malfunction due to index error
Thanks to Vlad Grigorescu for the patch
- bugfix: $ActionExecOnlyOnce interval did not work properly
Thanks to Tomas Heinrich for the patch
- bugfix: race condition when extracting program name, APPNAME, structured data and PROCID (RFC5424 fields) could lead to invalid characters e.g. in dynamic file names or during forwarding (general malfunction of these fields in templates, mostly under heavy load)
- bugfix: imuxsock no longer ignored the message-provided timestamp, if so configured (the *default*). This led to timestamps that were no longer sub-second.
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=281
- bugfix: omfile returns fatal error code for things that go really wrong. Previously, RS_RET_RESUME was returned, which led to a loop inside the rule engine as omfile could not really recover.
- bugfix: imfile did invalid system call under some circumstances when a file that was to be monitored did not exist BUT the state file actually existed. Mostly a cosmetic issue. Root cause was incomplete error checking in stream.c; so patch may affect other code areas.
- bugfix: rsyslogd -v always said 64 atomics were not present
Thanks to mono_matsuko for the patch
Changelog for 6.3.5 (v6-devel)
Version 6.3.5 [DEVEL] (rgerhards/al), 2011-09-01
- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
- bugfix: mark message processing did not work correctly
- imudp&imtcp now report error if no listener at all was defined
Thanks to Marcin for suggesting this error message.
- bugfix: potential misaddressing in property replacer
Changelog for 5.9.3 (v5-devel)
Version 5.9.3 [V5-DEVEL], 2011-09-01
- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
- bugfix: mark message processing did not work correctly
- added capability to emit config error location info for warnings; otherwise, omusrmsg’s warning about new config format was not accompanied by problem location.
- bugfix: potential misaddressing in property replacer
- bugfix: MSGID corruption in RFC5424 parser under some circumstances
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=275
- bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)
Potential DoS with malformed TAG
If a malformed, severely too long TAG is used in legacy (RFC3164) syslog messages, rsyslog can abort based on the conditions described in this security advisory.
CVE: CVE-2011-3200
Affected Stable Versions:
v4.6.0 to 4.6.7 (inclusive)
v5.2.0 to 5.8.4 (inclusive)
Devel and Beta versions are probably also affected, but are not suitable for production and thus not analyzed in detail. Version 3 is not affected. Versions prior to 3 have not been analyzed.
Fix:
Update to 4.6.8 or 5.8.5. The fix is also included in the following non-beta versions: 4.7.5, 5.9.3, 6.1.12, 6.3.5.
For non-current affected versions, the following patches can most probably be applied: v4, v5. Note that due to the myriad of different versions we cannot provide individual patches for all outdated versions (and in general it is less secure to run outdated versions).
Short Description:
An excessively long TAG inside a legacy syslog message can lead to a two-byte stack buffer overflow. If rsyslog has been compiled with stack guard, this can lead to an abort. This has been seen on 32-bit platforms, but not on 64-bit ones (though it is not ruled out there). If not compiled with stack guard, no fatal problem occurs and the tag character is usually just truncated. Exact behaviour depends on the platform and may be slightly different on compilers other than gcc and/or on non-Intel architecture machines.
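A bounded TAG copy of the kind this advisory calls for, as an added example that is not rsyslog's code or the actual patch. It assumes a parser that appends ':' and a terminating NUL after the copied characters, so the copy loop must stop two bytes short of the buffer size; TAG_BUF_SIZE and parse_legacy_tag are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_BUF_SIZE 32 /* hypothetical size, chosen for this example */

/* Copy the TAG of a legacy (RFC3164) message into out[TAG_BUF_SIZE].
 * Returns the number of input bytes consumed and sets *truncated to 1
 * when the TAG was too long and had to be cut. */
size_t parse_legacy_tag(const char *msg, size_t len,
                        char out[TAG_BUF_SIZE], int *truncated)
{
    size_t in = 0, i = 0;
    *truncated = 0;

    /* Reserve two bytes: one for the ':' appended below, one for the NUL.
     * Bounding this loop with i < TAG_BUF_SIZE instead would let those
     * two writes land past the end of the buffer. */
    while (in < len && msg[in] != ':' && msg[in] != ' '
           && i < TAG_BUF_SIZE - 2)
        out[i++] = msg[in++];

    /* Over-long TAG: drop the excess so parsing resumes at the delimiter. */
    while (in < len && msg[in] != ':' && msg[in] != ' ') {
        *truncated = 1;
        in++;
    }
    if (in < len && msg[in] == ':') {
        out[i++] = ':';
        in++;
    }
    out[i] = '\0';
    return in;
}

int main(void)
{
    /* Constructed sample input: a 100-character TAG, then the message. */
    char msg[128], tag[TAG_BUF_SIZE];
    int truncated;
    memset(msg, 'A', 100);
    memcpy(msg + 100, ": test", 7);
    size_t used = parse_legacy_tag(msg, strlen(msg), tag, &truncated);
    printf("consumed=%zu stored=%zu truncated=%d\n",
           used, strlen(tag), truncated);
    return 0;
}
```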
rsyslog 6.3.3 config format improvements
In rsyslog 6.3.3, the config processor has finally changed. The old legacy processor (and with it the early RainerScript implementation) has been thrown out and replaced by the so-called RainerScript processor (why that crazy name?). This is an extremely important step for rsyslog, as it now has the foundation for a much better and more intuitive rsyslog.conf format. However, most of that cannot be seen in 6.3.3, as it requires more work, especially in the plugin arena. Still, there are a couple of smaller improvements available.
Most importantly, the performance of script based filters has been considerably enhanced. Preliminary testing shows a three times speedup (we’ll do more benchmarking at a later stage; there is also still lots of room for optimization ;-)).
The ugliness of continuation lines has been removed. They may still be used, and this may make a lot of sense with some actions, but you are usually no longer forced to use continuation lines. Take this config snippet from a leading distro:
if ( \
    /* kernel up to warning except of firewall */ \
    ($syslogfacility-text == 'kern') and \
    ($syslogseverity <= 4 /* warning */ ) and not \
    ($msg contains 'IN=' and $msg contains 'OUT=') \
) or ( \
    /* up to errors except of facility authpriv */ \
    ($syslogseverity <= 3 /* errors */ ) and not \
    ($syslogfacility-text == 'authpriv') \
) \
then /dev/tty10
& |/dev/xconsole
This can now be written as follows:
if (
    /* kernel up to warning except of firewall */
    ($syslogfacility-text == 'kern') and
    ($syslogseverity <= 4 /* warning */ ) and not
    ($msg contains 'IN=' and $msg contains 'OUT=')
) or (
    /* up to errors except of facility authpriv */
    ($syslogseverity <= 3 /* errors */ ) and not
    ($syslogfacility-text == 'authpriv')
)
then /dev/tty10
& |/dev/xconsole
Changelog for 4.7.4 (v4-beta)
Version 4.7.4 [v4-beta] (rgerhards), 2011-07-11
- added support for the “:omusrmsg:” syntax in configuring user messages
- added support for the “:omfile:” syntax in configuring user messages
- added $LocalHostName config directive
- bugfix: PRI was invalid on Solaris for message from local log socket
- bugfix: local hostname was pulled too early, so that some config directives (namely FQDN settings) did not have any effect
- bugfix: atomic increment for msg object may not work correctly on all platforms. Thanks to Chris Metcalf for the patch
- bugfix: a slightly more informative error message when a TCP connection is aborted
