Bug 202718

Summary: app-admin/syslog-ng <2.0.6 Timestamps Denial of Service Vulnerability (CVE-2007-6437)
Product: Gentoo Security
Reporter: Lars Hartmann <lars>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: fmccor, kaazoo, mr_bones_, pacho, ssuominen
Priority: High
Keywords: STABLEREQ
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Lars Hartmann 2007-12-18 19:54:10 UTC
A vulnerability has been reported in syslog-ng, which can be exploited by malicious people to cause a DoS (Denial of Service).
This vulnerability is reported in syslog-ng versions prior to 2.0.6 and syslog-ng Premium Edition versions prior to 2.1.8.

Update to syslog-ng 2.0.6

Reproducible: Always
Comment 1 Lars Hartmann 2007-12-18 19:57:41 UTC
maintainers - please advise
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2007-12-18 20:20:04 UTC
should be good to stabilize.  Adding arches.
Comment 3 Lars Hartmann 2007-12-18 20:47:10 UTC
arches - please test and mark stable
target ebuild: app-admin/syslog-ng-2.0.6
target keywords: x86,ppc,sparc,amd64,alpha,ppc64,hppa
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2007-12-18 21:21:00 UTC
Sparc stable.  Note also sparc stable for dev-libs/eventlog-0.2.5 as it is now required for syslog-ng.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-18 21:26:14 UTC
Stable for HPPA.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2007-12-19 03:09:03 UTC
ppc and ppc64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-12-19 16:16:30 UTC
alpha/ia64 stable
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2007-12-21 17:42:23 UTC
amd64 stable, still runs and logs
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2007-12-21 22:58:05 UTC
All supported arches done here, entering [glsa?] state.. Wait, I'd say this is A3 as syslog-ng is a common package and the vulnerability doesn't affect specific configurations only. Also, the Gentoo handbook installs syslog-ng by default. Rerate, otherwise vote.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 13:17:46 UTC
Rerating A3, request filed.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-29 16:06:18 UTC
GLSA 200712-19, thanks everyone.
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2008-01-03 03:01:30 UTC
*** Bug 204142 has been marked as a duplicate of this bug. ***
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 10:00:04 UTC
Does not affect current (2008.0) release. Removing release.