| Summary | <app-admin/rsyslog-8.4.1, <app-admin/sysklogd-1.5.1: Remote syslog PRI vulnerability (CVE-2014-3634) |
|---|---|
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.rsyslog.com/remote-syslog-pri-vulnerability/ |
| Whiteboard | B3 [glsa] |
| Reporter | Thomas Deutschmann (RETIRED) <whissi> |
| Assignee | Gentoo Security <security> |
| CC | base-system, polynomial-c |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 524290 |
| Bug Blocks | |
| Attachments | 386014: app-admin/sysklogd-1.5-r4 ebuild |
Description
Thomas Deutschmann (RETIRED)
2014-09-29 20:12:28 UTC

@ Security: I already prepared ebuilds for v8.4.1. Lars (polynomial-c) will commit the ebuild to portage when the advisory is published (2014-09-30 12:00 CEDT). For people who may ask why we will replace v7 with a new major version: the versions in portage (v7.2) are heavily outdated. Version 7.6.x is EOL and has some quality issues. As proxy-maintainer I DO NOT RECOMMEND patching v7.6. Version 8.4.x is the current stable version and the best version to go with. There wouldn't be such a jump if bug 520328 had already been addressed, but UltraBug had no time within the last 30 days...

+*rsyslog-8.4.1 (30 Sep 2014)
+
+ 30 Sep 2014; Lars Wendler <polynomial-c@gentoo.org> -rsyslog-7.2.7.ebuild,
+ -rsyslog-7.4.10.ebuild, -rsyslog-7.6.3-r1.ebuild, +rsyslog-8.4.1.ebuild,
+ -files/6-stable/rsyslog-6.6.0-fix-runtime.patch,
+ +files/8-stable/README.gentoo, +files/8-stable/rsyslog.confd,
+ -files/rsyslog-7.2.5-json-c-pkgconfig.patch, +files/8-stable/50-default.conf,
+ +files/8-stable/rsyslog.conf, +files/8-stable/rsyslog.initd,
+ +files/8-stable/rsyslog.logrotate, metadata.xml:
+ Security bump (bug #524058). Removed old. Remote syslog PRI vulnerability
+ (CVE-2014-3634).
+

What is the further procedure now? Do we CC arches for stabilization while keeping the bug restricted, or does someone from the security team unrestrict the bug? AFAIK the disclosure deadline has expired.

Yep, the bug is now public, see http://thread.gmane.org/gmane.comp.security.oss.general/14065
Restriction can be removed.

@ Security: I am not sure if you will handle app-admin/sysklogd, which is affected by the same bug, in this bug or if somebody should file a separate bug for sysklogd. However, this is openSUSE's patch for sysklogd: https://build.opensuse.org/package/view_file/Base:System/syslogd/sysklogd-1.4.1-CVE-2014-3634.patch
PS: Red Hat and Novell both have raised severity. =app-admin/rsyslog-8.4.1 should get stabilized very soon. Also, a GLSA should be issued.
This bug affects systems relying on PCI-compliant logging. Please tell us how to proceed!

Arches, please test and mark stable:
=app-admin/rsyslog-8.4.1
Target keywords : "amd64 hppa x86"

(In reply to Agostino Sarubbo from comment #5)
> Arches, please test and mark stable:
>
> =app-admin/rsyslog-8.4.1
>
> Target keywords : "amd64 hppa x86"
We have some deps, the full list is:
=app-admin/rsyslog-8.4.1
=dev-libs/liblogging-1.0.4
=dev-libs/libmongo-client-0.1.7
=dev-libs/liblognorm-1.0.1
=net-libs/rabbitmq-c-0.5.0
=dev-libs/librelp-1.2.7-r1

Stable for HPPA.

FYI: the app-admin/rsyslog-8.4.1 fix for CVE-2014-3634 was incomplete. Therefore upstream released rsyslog-8.4.2, see bug #524290 (CVE-2014-3683).

Closing this... superseded by bug #524290, app-admin/rsyslog-8.4.2 is now available in portage (thank you Lars!).

Please don't close security bugs just because there's another one for the same package.

mancha released a patch for app-admin/sysklogd: http://seclists.org/oss-sec/2014/q4/79

Added app-admin/sysklogd to summary and CC'ed base-system due to sysklogd's metadata.xml.

Created attachment 386014
app-admin/sysklogd-1.5-r4 ebuild
Adding ebuild for sysklogd-1.5-r4 which includes the patch from mancha for CVE-2014-3634.
Please review and add it to portage.

+*sysklogd-1.5-r4 (04 Oct 2014)
+
+ 04 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> -sysklogd-1.5.ebuild,
+ -sysklogd-1.5-r1.ebuild, +sysklogd-1.5-r4.ebuild,
+ +files/sysklogd-1.5_CVE-2014-3634.diff:
+ Security bump (bug #524058). Remote syslog PRI vulnerability (CVE-2014-3634).
+ Removed old.
+

Arches, please test and mark stable:
=app-admin/sysklogd-1.5-r4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

*** Bug 524508 has been marked as a duplicate of this bug. ***

FYI, sysklogd 1.5.1 was just released which includes this fix: http://www.infodrom.org/projects/sysklogd/download/sysklogd-1.5.1.tar.gz
--mancha

+*sysklogd-1.5.1 (06 Oct 2014)
+
+ 06 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> -sysklogd-1.5-r4.ebuild,
+ +sysklogd-1.5.1.ebuild, -files/sysklogd-1.5_CVE-2014-3634.diff:
+ Version bump which adds official upstream security release for CVE-2014-3634
+ (bug #524058).
+

Arches please proceed, but with =app-admin/sysklogd-1.5.1 instead of -1.5-r4.

+ 15 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> -rsyslog-7.4.4.ebuild,
+ -rsyslog-8.4.1.ebuild, -files/7-stable/50-default.conf,
+ -files/7-stable/rsyslog.conf,
+ -files/7-stable/rsyslog-7.4.3-fix-runtime.patch,
+ -files/7-stable/README.gentoo, -files/7-stable/rsyslog.confd,
+ -files/7-stable/rsyslog-7.4.3-json-c-pkgconfig.patch,
+ -files/7-stable/bugfix_52.patch, -files/7-stable/rsyslog.confd-r1,
+ -files/7-stable/rsyslog-7.x-mmjsonparse.patch,
+ -files/7-stable/bugfix_73.patch,
+ -files/7-stable/fix-omruleset-default-value.patch,
+ -files/7-stable/rsyslog.initd, -files/7-stable/rsyslog.initd-r1,
+ -files/7-stable/rsyslog.logrotate, -files/7-stable/rsyslog.logrotate-r1,
+ -files/7-stable/rsyslog-gentoo.conf, metadata.xml:
+ Removed old vulnerable versions.
+

Readded arches for sysklogd stabilization.

Stable on alpha.

Stable for HPPA.

amd64 stable

x86 stable

ppc stable

ppc64 stable

ia64 stable

sparc stable

s390 stable

ARM, SH: ping

arm stable

sh will not go stable

Setting to GLSA, version is no longer in tree.

This issue was resolved and addressed in GLSA 201412-35 at http://security.gentoo.org/glsa/glsa-201412-35.xml by GLSA coordinator Yury German (BlueKnight).
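The thread above fixes two moving targets: the bounds in the summary (rsyslog < 8.4.1, sysklogd < 1.5.1 for CVE-2014-3634) and the later report that 8.4.1 was incomplete and 8.4.2 is required (bug #524290, CVE-2014-3683). The following is an added example, not part of this bug and not Gentoo's own tooling (use `equery`/`qlist` on a real box): a small Python check that tests an installed `category/pn-pv` atom against those bounds using the part of Gentoo's version ordering needed for the versions on this page (dotted numeric components plus an optional `-rN` revision). The `FIXED` table is taken from the page; the sample atoms in `__main__` are constructed.

```python
"""Check package versions against the fixed versions named in this bug.

Added example, not Gentoo tooling: a minimal subset of Gentoo version
ordering (dotted numeric components plus an optional -rN revision), enough
for every version string that appears in the bug.
"""
import re
from typing import Dict, List, Tuple

# Fixed versions: the two bounds in the bug summary (CVE-2014-3634) and the
# rsyslog-8.4.2 bound the thread reports from bug #524290 (CVE-2014-3683,
# the incomplete-fix follow-up).
FIXED: Dict[str, List[Tuple[str, str]]] = {
    "app-admin/rsyslog": [("CVE-2014-3634", "8.4.1"), ("CVE-2014-3683", "8.4.2")],
    "app-admin/sysklogd": [("CVE-2014-3634", "1.5.1")],
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
# category/pn-pv: the version is the last '-'-separated field that starts
# with a digit, optionally followed by -rN (so "libmongo-client-0.1.7" splits
# correctly even though the package name itself contains a hyphen).
_ATOM_RE = re.compile(r"^(.+)-(\d[\d.]*(?:-r\d+)?)$")


def parse_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Return (numeric components, revision), e.g. '1.5-r4' -> ((1, 5), 4).

    Letter suffixes, _alpha/_beta/_p suffixes and the PMS leading-zero rule
    are not handled; none of them occur in this bug.
    """
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before version b.

    Numeric components are compared first and a shorter prefix sorts before
    a longer one, so 1.5 and 1.5-r4 both sort before 1.5.1; that is why the
    stabilization target moved from sysklogd-1.5-r4 to 1.5.1.
    """
    nums_a, rev_a = parse_version(a)
    nums_b, rev_b = parse_version(b)
    if nums_a != nums_b:
        return nums_a < nums_b
    return rev_a < rev_b


def split_atom(atom: str) -> Tuple[str, str]:
    """Split 'app-admin/sysklogd-1.5-r4' into ('app-admin/sysklogd', '1.5-r4')."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"cannot split package atom: {atom!r}")
    return m.group(1), m.group(2)


def open_cves(atom: str) -> List[str]:
    """CVE ids from FIXED whose fixed version is newer than the installed one."""
    pkg, ver = split_atom(atom)
    return [cve for cve, fixed in FIXED.get(pkg, []) if version_lt(ver, fixed)]


if __name__ == "__main__":
    # Constructed sample inventory; the versions are the ones named in the bug.
    for atom in ("app-admin/rsyslog-7.6.3-r1", "app-admin/rsyslog-8.4.1",
                 "app-admin/rsyslog-8.4.2", "app-admin/sysklogd-1.5-r4",
                 "app-admin/sysklogd-1.5.1", "dev-libs/liblogging-1.0.4"):
        cves = open_cves(atom)
        status = "affected by " + ", ".join(cves) if cves else "not affected"
        print(f"{atom}: {status}")
```

The check works purely on the advisory's version ranges, so `sysklogd-1.5-r4` reports as affected even though it carried mancha's patch: the advisory bound is `<1.5.1`, and the thread dropped 1.5-r4 from the tree in favour of upstream's 1.5.1 release for exactly that reason. `rsyslog-8.4.1` clears CVE-2014-3634 but still reports CVE-2014-3683, matching the "fix was incomplete" comment.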