Debian Bug report logs - #508027
RSyslog "AllowedSender" Security Bypass Vulnerability

Package: rsyslog; Maintainer for rsyslog is Michael Biebl <biebl@debian.org>; Source for rsyslog is src:rsyslog.

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Sun, 7 Dec 2008 03:00:02 UTC

Severity: important

Tags: patch, security

Found in version rsyslog/3.14.1-1

Fixed in version rsyslog/3.18.6-1

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#508027; Package rsyslog. (Sun, 07 Dec 2008 03:00:04 GMT)

Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: RSyslog "AllowedSender" Security Bypass Vulnerability
Date: Sat, 6 Dec 2008 20:56:45 -0600
Package: rsyslog
Version: 3.14.1-1
Severity: important
Tags: security patch

Hi,

The following Secunia Advisory (SA) has been published for rsyslog.

SA32857[1]:
> A vulnerability has been reported in RSyslog, which can be exploited by
> malicious people to bypass certain security restrictions.
>
> The problem is that the "AllowedSender" configuration directive is not
> respected, allowing unrestricted network access to the application.
>
> The vulnerability is reported in versions 3.12.1 through 3.20.0.

A patch can be found at [2].

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry, when one is assigned.

[1]http://secunia.com/Advisories/32857/
[2]http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=f0ddbed44c332391ae6d9bbf6b07e2f06c4dd676

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Fri, 12 Dec 2008 17:18:04 GMT)

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Fri, 12 Dec 2008 17:18:04 GMT)

Message #8 received at 508027-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 508027-close@bugs.debian.org
Subject: Bug#508027: fixed in rsyslog 3.18.6-1
Date: Fri, 12 Dec 2008 16:47:05 +0000
Source: rsyslog
Source-Version: 3.18.6-1

We believe that the bug you reported is fixed in the latest version of
rsyslog, which is due to be installed in the Debian FTP archive:

rsyslog-doc_3.18.6-1_all.deb
  to pool/main/r/rsyslog/rsyslog-doc_3.18.6-1_all.deb
rsyslog-mysql_3.18.6-1_i386.deb
  to pool/main/r/rsyslog/rsyslog-mysql_3.18.6-1_i386.deb
rsyslog-pgsql_3.18.6-1_i386.deb
  to pool/main/r/rsyslog/rsyslog-pgsql_3.18.6-1_i386.deb
rsyslog_3.18.6-1.diff.gz
  to pool/main/r/rsyslog/rsyslog_3.18.6-1.diff.gz
rsyslog_3.18.6-1.dsc
  to pool/main/r/rsyslog/rsyslog_3.18.6-1.dsc
rsyslog_3.18.6-1_i386.deb
  to pool/main/r/rsyslog/rsyslog_3.18.6-1_i386.deb
rsyslog_3.18.6.orig.tar.gz
  to pool/main/r/rsyslog/rsyslog_3.18.6.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508027@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated rsyslog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 12 Dec 2008 17:36:02 +0100
Source: rsyslog
Binary: rsyslog rsyslog-doc rsyslog-mysql rsyslog-pgsql
Architecture: source all i386
Version: 3.18.6-1
Distribution: unstable
Urgency: high
Maintainer: Michael Biebl <biebl@debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 rsyslog    - enhanced multi-threaded syslogd
 rsyslog-doc - documentation for rsyslog
 rsyslog-mysql - MySQL output plugin for rsyslog
 rsyslog-pgsql - PostgreSQL output plugin for rsyslog
Closes: 506925 508027
Changes: 
 rsyslog (3.18.6-1) unstable; urgency=high
 .
   * New upstream bugfix release.
     - Fix "$AllowedSender" security bypass vulnerability. The "$AllowedSender"
       configuration directive was not respected, allowing unrestricted network
       access to the application. Closes: #508027
       No CVE id yet.
   * Urgency high for the security fix.
   * debian/patches/manpage_fixes.patch
     - Fix typos in rsyslogd man page. Closes: #506925
       Thanks to Geoff Simmons for the patch.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 14 Jan 2009 07:26:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 17:48:30 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.