Bug 202718 - app-admin/syslog-ng <2.0.6 Timestamps Denial of Service Vulnerability (CVE-2007-6437)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28118/
Whiteboard: A3 [glsa]
Keywords: STABLEREQ
Duplicates: 204142
Reported: 2007-12-18 19:54 UTC by Lars Hartmann
Modified: 2020-04-04 10:13 UTC
Description Lars Hartmann 2007-12-18 19:54:10 UTC
A vulnerability has been reported in syslog-ng, which can be exploited by malicious people to cause a DoS (Denial of Service).
This vulnerability is reported in syslog-ng versions prior to 2.0.6 and syslog-ng Premium Edition versions prior to 2.1.8.

Solution:
Update to syslog-ng 2.0.6

Reproducible: Always
Comment 1 Lars Hartmann 2007-12-18 19:57:41 UTC
maintainers - please advise
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2007-12-18 20:20:04 UTC
should be good to stabilize.  Adding arches.
Comment 3 Lars Hartmann 2007-12-18 20:47:10 UTC
arches - please test and mark stable
target ebuild: app-admin/syslog-ng-2.0.6
target keywords: x86,ppc,sparc,amd64,alpha,ppc64,hppa
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2007-12-18 21:21:00 UTC
Sparc stable.  Note also sparc stable for dev-libs/eventlog-0.2.5 as it is now required for syslog-ng.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-18 21:26:14 UTC
Stable for HPPA.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2007-12-19 03:09:03 UTC
ppc and ppc64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-12-19 16:16:30 UTC
alpha/ia64 stable
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2007-12-21 17:42:23 UTC
amd64 stable, still runs and logs
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2007-12-21 22:58:05 UTC
All supported arches done here, entering [glsa?] state.. Wait, I'd say this is A3 as syslog-ng is a common package and the vulnerability doesn't affect specific configurations only. Also, the Gentoo handbook installs syslog-ng by default. Rerate, otherwise vote.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 13:17:46 UTC
Rerating A3, request filed.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-29 16:06:18 UTC
GLSA 200712-19, thanks everyone.
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2008-01-03 03:01:30 UTC
*** Bug 204142 has been marked as a duplicate of this bug. ***
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 10:00:04 UTC
Does not affect current (2008.0) release. Removing release.