LogAnalysis
[logs] FW: ZSA-2007-029: syslog-ng Denial of Service Dec 17 2007 08:24PM
Tina Bird (tbird precision-guesswork com)


-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Monday, December 17, 2007 2:38 AM
To: bugtraq@securityfocus.com
Cc: syslog-ng-announce@lists.balabit.hu; syslog-ng@lists.balabit.hu
Subject: ZSA-2007-029: syslog-ng Denial of Service

-------- Z o r p   S e c u r i t y   A d v i s o r y   ( Z S A ) ------------
PACKAGE : syslog-ng, syslog-ng-premium-edition
AFFECTED VERSION : <= 2.0.6, 2.1.8
FIXED : 2.0.6, 2.1.8
SUMMARY : Denial of Service
TYPE : remote
AFFECTED : all platforms
ZSA-ID : ZSA-2007-029
DATE : Dec 14, 2007
-----------------------------------------------------------------------------

DESCRIPTION:

Oriol Carreras has discovered a security vulnerability in syslog-ng, the
multi-platform syslog-replacement application developed by BalaBit IT
Security.

BACKGROUND:

Earlier versions of syslog-ng Open Source Edition and syslog-ng Premium
Edition were vulnerable to a possible Denial of Service. The latest
release (2.0.6 for syslog-ng, 2.1.8 for syslog-ng Premium Edition) fixes a
segmentation fault which occurred when the timestamp of the incoming
messages did not end with a space character (NULL pointer dereference).
This is an easy Denial of Service possibility.

Apart from the Denial of Service, no further exploits are known to be
possible.

FURTHER INFORMATION

For further information on syslog-ng, visit
http://www.balabit.com/network-security/syslog-ng/
or download the documentation of syslog-ng from
http://www.balabit.com/support/documentation/

SOLUTION:

We recommend that you update the affected packages immediately, or apply
the patch referenced below:

http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170

DOWNLOAD:

If you are a syslog-ng Open Source Edition user, download the source of the
latest release from:

http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/

If you are a syslog-ng Premium Edition user, or have binary subscription for
syslog-ng Open Source Edition, download the latest binaries from:

http://www.balabit.com/downloads/files/syslog-ng/binaries/premium-edition/

OR, if you have a platform that is supported by apt-get, use the following
apt sources to fetch the latest releases:

Debian GNU/Linux
----------------

etch:

deb https://USERNAME:PASSWORD@apt.balabit.com/syslog-ng/premium/debian-etch/syslog-ng-2.1 syslog-ng-pe

RedHat Enterprise Linux
-----------------------

RHEL-4

rpm https://USERNAME:PASSWORD@apt.balabit.com/syslog-ng/premium/rhel-4/syslog-ng-2.1 syslog-ng-pe

SUSE 10
-------

SUSE 10.0

rpm https://USERNAME:PASSWORD@apt.balabit.com/syslog-ng/premium/suse-10.0/syslog-ng-2.1 syslog-ng-pe

SUSE 10.1

rpm https://USERNAME:PASSWORD@apt.balabit.com/syslog-ng/premium/suse-10.1/syslog-ng-2.1 syslog-ng-pe

HTTP can also be used in place of HTTPS if your version of apt-get
does not support the HTTPS protocol. When using plain HTTP,
the username and password will not be encrypted.

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
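As an added illustration of the failure mode the advisory describes (this is constructed example code, not syslog-ng's or the advisory's), a BSD-syslog timestamp splitter in its crash-prone and its hardened form: the hardened version refuses a line whose "Mmm dd hh:mm:ss" timestamp is not followed by a space instead of dereferencing NULL. Function names and the sample lines are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Width of the RFC 3164 "Mmm dd hh:mm:ss" timestamp. */
#define BSD_TS_LEN 15

/* Crash-prone pattern (constructed illustration, not syslog-ng's code):
 * assumes a space follows the timestamp. For a line such as
 * "Dec 17 08:24:00" strchr() returns NULL, and the result is then used
 * as if it pointed at the separator. */
const char *split_unchecked(const char *msg)
{
    const char *sp = strchr(msg + BSD_TS_LEN, ' ');
    return sp + 1;           /* NULL + 1: undefined, crashes on first read */
}

/* Hardened form: validates the fixed-width timestamp and the trailing
 * space before touching anything beyond them. Returns a pointer to the
 * text after the separator, or NULL when the line has no well-formed
 * timestamp (the receiver then keeps the line as-is instead of dying). */
const char *split_checked(const char *msg, size_t len)
{
    static const char month[12][4] = {"Jan","Feb","Mar","Apr","May","Jun",
                                      "Jul","Aug","Sep","Oct","Nov","Dec"};
    /* digit positions in "Mmm dd hh:mm:ss"; index 4 may be a space ("Dec  7") */
    static const int digit_pos[] = {5, 7, 8, 10, 11, 13, 14};
    size_t i;

    if (len < BSD_TS_LEN + 1)                      /* timestamp + separator */
        return NULL;
    for (i = 0; i < 12 && memcmp(msg, month[i], 3) != 0; i++)
        ;
    if (i == 12)
        return NULL;
    if (msg[3] != ' ' || msg[6] != ' ' || msg[9] != ':' || msg[12] != ':')
        return NULL;
    if (msg[4] != ' ' && !isdigit((unsigned char)msg[4]))
        return NULL;
    for (i = 0; i < sizeof digit_pos / sizeof digit_pos[0]; i++)
        if (!isdigit((unsigned char)msg[digit_pos[i]]))
            return NULL;
    /* The check the advisory describes as missing: the byte right after
     * the timestamp must be a space. */
    if (msg[BSD_TS_LEN] != ' ')
        return NULL;
    return msg + BSD_TS_LEN + 1;
}
```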

Copyright 2010, SecurityFocus