They released 3.20.1 but took that down to put out another one, 3.20.2, that also fixes a DoS. Here is the Secunia link for the vuln that 3.20.1 fixes: http://secunia.com/advisories/32857/
Added that this blocks bug 246290.
This vulnerability affects 3.12.1 through 3.20.0, so only rsyslog-3.18.4 from the tree is affected (suggest removal).
(In reply to comment #2)
> This vulnerability affects 3.12.1 through 3.20.0, so only rsyslog-3.18.4 from
> the tree is affected (suggest removal).

Maybe not. 3.20.x is the v3-stable branch. 3.21.x is the v3-beta branch. They also released 3.21.8 and 3.21.9, which fix the same vulns that 3.20.1/3.20.2 fix: http://www.rsyslog.com/Article327.phtml (Sorry, I only just saw this now; if I had seen it before, it would have been in the bug summary/description.) So both versions in the portage tree are vulnerable. Should we update the bug summary?
I'd say we remove 3.18.4 and push an ebuild for 3.21.9 into the tree. Maybe 3.20.2 could be added too, as that's the stable line (I'll leave that to the maintainer).
Ok, new versions in the tree, affected versions dropped and stabilization request for 3.18.x withdrawn. Thanks for letting me know. Security, your turn.
Thanks, closing noglsa.
CVE-2008-5617 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5617): The ACL handling in rsyslog 3.12.1 to 3.20.0, 4.1.0, and 4.1.1 does not follow $AllowedSender directive, which allows remote attackers to bypass intended access restrictions and spoof log messages or create a large number of spurious messages.

CVE-2008-5618 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5618): imudp in rsyslog 4.x before 4.1.2, 3.21 before 3.21.9 beta, and 3.20 before 3.20.2 generates a message even when it is sent by an unauthorized sender, which allows remote attackers to cause a denial of service (disk consumption) via a large number of spurious messages.
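As an added illustration of what the two CVEs above describe (this is not rsyslog's own code, which is written in C, and not part of this bug report): a small Python model of the sender access control that the legacy `$AllowedSender <proto>, <ip|ip/bits>, ...` directive is meant to apply to the UDP listener. The `enforce=False` switch models the affected releases, where the directive is configured but not honoured, so every datagram is accepted and written to disk. The rsyslog.conf fragment and the three syslog datagrams are constructed for the example; hostname and wildcard entries, which rsyslog also accepts, are skipped here because they would need DNS.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed rsyslog.conf fragment in legacy directive syntax. The
# $AllowedSender lines are the ACL that the vulnerable releases ignored.
SAMPLE_CONF = """\
$ModLoad imudp
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24
$AllowedSender TCP, 192.0.2.10
$UDPServerRun 514
"""

# Constructed (sender IP, raw syslog payload) pairs as imudp would see them.
SAMPLE_DATAGRAMS: List[Tuple[str, str]] = [
    ("192.0.2.7", "<13>Dec  5 10:00:01 web1 sshd[123]: Accepted publickey for ops"),
    ("127.0.0.1", "<13>Dec  5 10:00:02 localhost cron[9]: job ran"),
    ("198.51.100.9", "<13>Dec  5 10:00:03 web1 sshd[123]: Accepted password for root"),
]


def parse_allowed_senders(conf: str) -> Dict[str, List]:
    """Return {protocol: [ip_network, ...]} from $AllowedSender directives.

    Only literal addresses and CIDR blocks are handled; hostname and
    wildcard entries are skipped (this is a simplification, not rsyslog's
    behaviour, which resolves them).
    """
    acl: Dict[str, List] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line.lower().startswith("$allowedsender"):
            continue
        # "$AllowedSender UDP, a, b" -> proto "UDP", entries ["a", "b"]
        _, _, rest = line.partition(" ")
        proto, _, entries = rest.partition(",")
        nets = acl.setdefault(proto.strip().upper(), [])
        for entry in entries.split(","):
            entry = entry.strip()
            if not entry:
                continue
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                continue  # hostname / wildcard: not handled offline
    return acl


def sender_allowed(acl: Dict[str, List], proto: str, sender_ip: str) -> bool:
    """rsyslog semantics: a protocol with no $AllowedSender list accepts everyone."""
    nets = acl.get(proto.upper())
    if not nets:
        return True
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in nets)


def filter_datagrams(acl: Dict[str, List], proto: str,
                     datagrams: List[Tuple[str, str]],
                     enforce: bool = True):
    """Split datagrams into (accepted, dropped).

    enforce=True is the intended behaviour. enforce=False models the
    CVE-2008-5617 / CVE-2008-5618 behaviour: the ACL is configured but every
    message is accepted, so a remote host can spoof entries or fill the disk.
    """
    accepted, dropped = [], []
    for sender, msg in datagrams:
        if enforce and not sender_allowed(acl, proto, sender):
            dropped.append((sender, msg))
        else:
            accepted.append((sender, msg))
    return accepted, dropped


if __name__ == "__main__":
    acl = parse_allowed_senders(SAMPLE_CONF)
    for enforce in (True, False):
        acc, drop = filter_datagrams(acl, "UDP", SAMPLE_DATAGRAMS, enforce)
        print(f"enforce={enforce}: accepted={len(acc)} dropped={len(drop)}")
        for sender, msg in drop:
            print(f"  dropped from {sender}: {msg}")
```

With the ACL enforced, the spoofed "Accepted password for root" line from 198.51.100.9 is dropped; with `enforce=False` it lands in the log like any other message, which is exactly why the directive gives no protection on the affected versions and the upgrade to 3.20.2, 3.21.9 or 4.1.2 is the only fix.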