Balabit syslog-ng Incomplete Priority String Remote DoS Vulnerability

Solution:
Balabit has released version 1.4.9, which addressed this issue but had a separate bug. Users are encouraged to upgrade to 1.49a, which has both bugs resolved.
For more information, see the syslog-ng product page, at:
http://www.balabit.hu/products/syslog-ng/

For users who do not want to upgrade, Balabit has provided the following patch information:

diff -urN syslog-ng-1.4.8/src/log.c syslog-ng-1.4.9/src/log.c
--- syslog-ng-1.4.8/src/log.c Tue Oct 10 15:05:52 2000
+++ syslog-ng-1.4.9/src/log.c Wed Nov 22 16:45:11 2000
@@ -67,8 +67,10 @@
left--;
}
lm->pri =3D pri;
- src++;
- left--;
+ if (left) {
+ src++;
+ left--;
+ }
}
else {
lm->pri =3D LOG_USER | LOG_NOTICE;
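
Review bot: At the new `if (left)` guard, the truncated-input case is only half handled: `lm->pri =3D pri;` still runs unconditionally just above it, so a priority string that ends before its terminator is accepted with whatever partial value was parsed. Consider treating `left == 0` at this point as a malformed header and assigning the same default used in the `else` branch (`LOG_USER | LOG_NOTICE`). The guarded `src++` also skips the next byte without checking what it is; if the preceding loop can exit on any non-digit, a comparison against the expected terminator before advancing would be stricter. If `left` is a signed type (its declaration is not visible here), `left > 0` is the safer test. Note that the `=3D` sequences are quoted-printable encoding of `=`, so the patch as shown needs decoding before it will apply.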



 

Copyright 2010, SecurityFocus