| Summary: | app-admin/rsyslog < 3.20.2 and < 3.21.9 "AllowedSender" Security Bypass Vulnerability and DoS (CVE-2008-{5617,5618}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Bruno Buss <bruno.buss> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | dev-zero |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.rsyslog.com/Article324.phtml | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 246290 | | |
Description

Bruno Buss 2008-12-05 00:34:02 UTC

Added that this blocks bug 246290.

This vulnerability affects 3.12.1 through 3.20.0, so only rsyslog-3.18.4 from the tree is affected (suggest removal).

(In reply to comment #2)
> This vulnerability affects 3.12.1 through 3.20.0, so only rsyslog-3.18.4 from
> the tree is affected (suggest removal).
>

Maybe not. 3.20.x is the v3-stable branch. 3.21.x is the v3-beta branch. They also released 3.21.8 and 3.21.9, which fix the same vulns that 3.20.1/3.20.2 fix: http://www.rsyslog.com/Article327.phtml (Sorry, I just saw this now; if I had seen it before it would have been in the bug summary/description). So, both versions in the portage tree are vulnerable. Should we update the bug summary?

I'd say we remove 3.18.4 and push an ebuild for 3.21.9 into the tree. Maybe 3.20.2 could be added, too, as that's the stable line (I'll leave that to the maintainer).

Ok, new versions in the tree, affected versions dropped and stabilization request for 3.18.x withdrawn.

Thanks for letting me know. Security, your turn.

Thanks, closing noglsa.

CVE-2008-5617 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5617): The ACL handling in rsyslog 3.12.1 to 3.20.0, 4.1.0, and 4.1.1 does not follow $AllowedSender directive, which allows remote attackers to bypass intended access restrictions and spoof log messages or create a large number of spurious messages.

CVE-2008-5618 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5618): imudp in rsyslog 4.x before 4.1.2, 3.21 before 3.21.9 beta, and 3.20 before 3.20.2 generates a message even when it is sent by an unauthorized sender, which allows remote attackers to cause a denial of service (disk consumption) via a large number of spurious messages.