[rsyslog] security issue in rsyslog

david at lang.hm david at lang.hm
Mon Dec 1 18:23:47 CET 2008


On Mon, 1 Dec 2008, Rainer Gerhards wrote:

> The issue also exists in TCP mode, but analysis shows this is not a
> trial fix. The design overlooked the situation. In theory, a whole new
> access control feature would be needed. I am checking out if it is
> possible to "just" enhance the interface. With the current netstreams
> defined that should be possible. I am tempted to release the UDP-fixed
> version and release the next version with the TCP fix. Feedback from
> packagers is appreciated. The TCP fix may take a day or two, depending
> on how smart a way I find.

for UDP it's trivial to forge the source IP address anyway, so the 
'security' gained by this feature in that mode is questionable to start 
with.

that being said, I'm very pleased to see how you are handling this.

David Lang

> Rainer
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
>> Sent: Monday, December 01, 2008 4:37 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] security issue in rsyslog
>>
>> ... and the patch will not work on all of these versions, due to the
>> introduction of the netstream driver functionality. Please note that
>> anything older than current v3-stable is outdated, so the proper way to
>> replace the faulty code is to upgrade to the current v3-stable and apply
>> the patch. I will also release a new v3-stable soon, hopefully today
>> (but I'd like to conduct some more tests).
>>
>> Rainer
>>
>>> -----Original Message-----
>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
>>> Sent: Monday, December 01, 2008 4:31 PM
>>> To: rsyslog-users
>>> Subject: Re: [rsyslog] security issue in rsyslog
>>>
>>> I now clarified the affected versions. Affected are 3.12.2 and above.
>>>
>>> Rainer
>>>
>>>> -----Original Message-----
>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
>>>> Sent: Monday, December 01, 2008 3:32 PM
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] security issue in rsyslog
>>>>
>>>> Hi all,
>>>>
>>>> this is the patch for v3-stable:
>>>>
>>>> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=f0ddbed44c332391ae6d9bbf6b07e2f06c4dd676
>>>>
>>>> I have not tried yet, but I think it will work on almost all other
>>>> versions, too. I keep you posted on the progress.
>>>>
>>>> Rainer
>>>>
>>>>> -----Original Message-----
>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>>>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
>>>>> Sent: Monday, December 01, 2008 11:27 AM
>>>>> To: rsyslog-users
>>>>> Subject: Re: [rsyslog] security issue in rsyslog
>>>>>
>>>>> Version v2-stable is NOT vulnerable.
>>>>>
>>>>> Rainer
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>>>>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
>>>>>> Sent: Monday, December 01, 2008 10:55 AM
>>>>>> To: rsyslog-users
>>>>>> Subject: [rsyslog] security issue in rsyslog
>>>>>>
>>>>>> Hi folks,
>>>>>>
>>>>>> thanks to a bug report, I found out that the $AllowedSender directive
>>>>>> does not work in all releases. The bug in question is:
>>>>>>
>>>>>> http://bugzilla.adiscon.com/show_bug.cgi?id=111
>>>>>>
>>>>>> I am currently working on the bug. Obviously, this can lead to messages
>>>>>> being received from systems that are not permitted to do so. As a
>>>>>> work-around, proper firewalling should be set up on the vulnerable hosts.
>>>>>> Until further notice, I would assume that all versions of rsyslog are
>>>>>> affected (I will provide more detail during my analysis).
>>>>>>
>>>>>> Thanks,
>>>>>> Rainer
>>>>>> _______________________________________________
>>>>>> rsyslog mailing list
>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>> http://www.rsyslog.com


