Mailing List Archive

security issue in rsyslog
Hi folks,

thanks to a bug report, I found out that the $AllowedSender directive
does not work in all releases. The bug in question is:

http://bugzilla.adiscon.com/show_bug.cgi?id=111

I am currently working on the bug. Obviously, this can lead to messages
being received from systems that are not permitted to do so. As a work-around,
proper firewalling should be set up on the vulnerable hosts. Until
further notice, I would assume that all versions of rsyslog are affected
(I will provide more detail during my analysis).

Thanks,
Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
Re: security issue in rsyslog
Version v2-stable is NOT vulnerable.

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, December 01, 2008 10:55 AM
> To: rsyslog-users
> Subject: [rsyslog] security issue in rsyslog
>
> Hi folks,
>
> thanks to a bug report, I found out that the $AllowedSender directive
> does not work in all releases. The bug in question is:
>
> http://bugzilla.adiscon.com/show_bug.cgi?id=111
>
> I am currently working on the bug. Obviously, this can lead to messages
> being received from systems that are not permitted to do so. As a
> work-around, proper firewalling should be set up on the vulnerable hosts.
> Until further notice, I would assume that all versions of rsyslog are
> affected (I will provide more detail during my analysis).
>
> Thanks,
> Rainer

Re: security issue in rsyslog
Hi all,

this is patch for v3-stable:

http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=f0ddbed44c332391ae6d9bbf6b07e2f06c4dd676

I have not tried it yet, but I think it will work on almost all other
versions, too. I will keep you posted on the progress.

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, December 01, 2008 11:27 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> Version v2-stable is NOT vulnerable.
>
> Rainer

Re: security issue in rsyslog
I now clarified the affected versions. Affected are 3.12.2 and above.

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, December 01, 2008 3:32 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> Hi all,
>
> this is patch for v3-stable:
>
> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=f0ddbed44c332391ae6d9bbf6b07e2f06c4dd676
>
> I have not tried it yet, but I think it will work on almost all other
> versions, too. I will keep you posted on the progress.
>
> Rainer

Re: security issue in rsyslog
... and the patch will not work on all of these versions, due to the
introduction of the netstream driver functionality. Please note that
anything older than current v3-stable is outdated, so the proper way to
replace the faulty code is to upgrade to the current v3-stable and apply
the patch. I will also release a new v3-stable soon, hopefully today
(but I'd like to conduct some more tests).

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, December 01, 2008 4:31 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> I now clarified the affected versions. Affected are 3.12.2 and above.
>
> Rainer

Re: security issue in rsyslog
The issue also exists in TCP mode, but analysis shows this is not a
trivial fix. The design overlooked the situation. In theory, a whole new
access control feature would be needed. I am checking out if it is
possible to "just" enhance the interface. With the current netstreams
defined that should be possible. I am tempted to release the UDP-fixed
version and release the next version with the TCP fix. Feedback from
packagers is appreciated. The TCP fix may take a day or two, depending
on how smart a way I find.

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, December 01, 2008 4:37 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> ... and the patch will not work on all of these versions, due to the
> introduction of the netstream driver functionality. Please note that
> anything older than current v3-stable is outdated, so the proper way to
> replace the faulty code is to upgrade to the current v3-stable and apply
> the patch. I will also release a new v3-stable soon, hopefully today
> (but I'd like to conduct some more tests).
>
> Rainer

Re: security issue in rsyslog
Ok, looks like I found a work-around. Not that elegant, but seems to
work quite well. Patch for TCP is here:

http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=97b89435aad77bd6d9e18747b55d701e360d5aac

Please note that this effectively disables GSS functionality. I'll
update the GSS drivers in the next step.

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, December 01, 2008 5:08 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> The issue also exists in TCP mode, but analysis shows this is not a
> trivial fix. The design overlooked the situation. In theory, a whole new
> access control feature would be needed. I am checking out if it is
> possible to "just" enhance the interface. With the current netstreams
> defined that should be possible. I am tempted to release the UDP-fixed
> version and release the next version with the TCP fix. Feedback from
> packagers is appreciated. The TCP fix may take a day or two, depending
> on how smart a way I find.
>
> Rainer

Re: security issue in rsyslog
2008/12/1 Rainer Gerhards <rgerhards@hq.adiscon.com>:
> defined that should be possible. I am tempted to release the UDP-fixed
> version and release the next version with the TCP fix. Feedback from
> packagers is appreciated. The TCP fix may take a day or two, depending
> on how smart a way I find.

I'd say, take the time for proper fixing and testing, even if it takes
a day or two and release afterwards.

Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Re: security issue in rsyslog
On Mon, 1 Dec 2008, Rainer Gerhards wrote:

> The issue also exists in TCP mode, but analysis shows this is not a
> trivial fix. The design overlooked the situation. In theory, a whole new
> access control feature would be needed. I am checking out if it is
> possible to "just" enhance the interface. With the current netstreams
> defined that should be possible. I am tempted to release the UDP-fixed
> version and release the next version with the TCP fix. Feedback from
> packagers is appreciated. The TCP fix may take a day or two, depending
> on how smart a way I find.

for UDP it's trivial to forge the source IP address anyway, so the
'security' gained by this feature in that mode is questionable to start
with.

that being said, I'm very pleased to see how you are handling this.

David Lang


Re: security issue in rsyslog
And now there is an *untested* fix for the TLS driver:

http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=61b59a78c6b558ec06383fc5969178887d00abfc

Testing takes a bit more time, I need to set up the test environment
for TLS again (looks like it would really pay to have a fixed test suite
for all those cases - also the issue here would have never occurred...).

Please note that I mistook GSSAPI with TLS in my previous mail. The TLS
part should not be really affected by the problem: there are so much
better access control features in TLS...

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, December 01, 2008 5:52 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> Ok, looks like I found a work-around. Not that elegant, but seems to
> work quite well. Patch for TCP is here:
>
> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=97b89435aad77bd6d9e18747b55d701e360d5aac
>
> Please note that this effectively disables GSS functionality. I'll
> update the GSS drivers in the next step.
>
> Rainer

Re: security issue in rsyslog
Ok, I ran this fix through a couple of tests yesterday. It looks well
for TLS, too. Note that there is an implication that $AllowedSender
TCP,... applies to TLS too (because it is TCP). I'd consider this to be a
side-effect, but I do not think it is worth fixing. With TLS, there is
much finer and better control. An issue may only exist if someone
decides to run non-tls tcp and tls tcp together AND use $AllowedSender.
Workaround in that case is to use the firewall, so I don't consider it
is worth fixing now.

Please note that my testing revealed a potential memory leak as
side-effect of the fixes. This could be abused to a remote DoS, so I
will investigate that before releasing.

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, December 01, 2008 6:47 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> And now there is an *untested* fix for the TLS driver:
>
> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=61b59a78c6b558ec06383fc5969178887d00abfc
>
> Testing takes a bit more of time, I need to set up the test environment
> for TLS again (looks like it would really pay to have a fixed test suite
> for all those cases - also the issue here would have never occurred...).
>
> Please note that I mistook GSSAPI with TLS in my previous mail. The TLS
> part should not be really affected by the problem: there are so much
> better access control features in TLS...
>
> Rainer
Re: security issue in rsyslog [ In reply to ]
The memory leak is now also fixed, I just quickly re-ran some TLS tests
to make sure nothing is broken and it works there, too.

Patch (on top of the others):

http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=b41bdeff56ad9d54dddcb8703560c750f04a6370

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, December 03, 2008 10:54 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> Ok, I ran this fix through a couple of tests yesterday. It looks well
> for TLS, too. Note that there is an implication that $AllowedSender
> TCP,... applies to TLS too (because it is TCP). I'd consider this to be a
> side-effect, but I do not think it is worth fixing. With TLS, there is
> much finer and better control. An issue may only exist if someone
> decides to run non-tls tcp and tls tcp together AND use $AllowedSender.
> Workaround in that case is to use the firewall, so I don't consider it
> is worth fixing now.
>
> Please note that my testing revealed a potential memory leak as
> side-effect of the fixes. This could be abused to a remote DoS, so I
> will investigate that before releasing.
>
> Rainer
Re: security issue in rsyslog [ In reply to ]
...TLS testing always takes an awful lot of time... But I was also able
to identify another memory leak, which is nice.

I think I have now finished the release (less some doc update, maybe).
I'd appreciate if some of you could give it a try. I would then do the
actual release tomorrow.

Download is: http://download.rsyslog.com/rsyslog/rsyslog-3.20.1.tar.gz
md5sum: 2786d0d8de85fc9e6e83ff4ed9f468a7

If you try it out, please let me know the results. As I said, I don't
expect anything bad, so it should be suitable for production use.

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, December 03, 2008 11:30 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> The memory leak is now also fixed, I just quickly re-ran some TLS tests
> to make sure nothing is broken and it works there, too.
>
> Patch (on top of the others):
>
> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=b41bdeff56ad9d54dddcb8703560c750f04a6370
>
> Rainer
Re: security issue in rsyslog [ In reply to ]
Grrr... One more issue. I noticed that while I resolved some conflicts
on the devel branch integration. There is an option that a log message
is emitted by rsyslog itself, when a remote machine's message is
discarded due to no permission. This was requested so that people know
when something goes wrong. This is only in the UDP code.

HOWEVER, this is not rate-limited so if someone carries out a heavy
attack, he can still flood the local disk by these messages. I'll change
it so that the message is emitted only once every minute and will then
re-release what already has been released...

Rainer
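
The once-a-minute limit described in the message above, shown in C as an added example; it is not rsyslog code and not part of the original post. The names `cidr_match`, `deny_limiter`, `deny_should_log` and `simulate`, the IPv4-only "a.b.c.d/len" ACL form, and the documentation addresses are assumptions made for the illustration.

```c
/* Added illustration, not rsyslog source. All identifiers are hypothetical. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define DENY_LOG_INTERVAL 60   /* seconds between warnings ("once every minute") */

struct deny_limiter {
    time_t   last_emit;        /* time of the last warning, 0 = none yet */
    unsigned suppressed;       /* denials swallowed since that warning */
};

static unsigned last_swallowed; /* count carried by the most recent warning */

/* Match an IPv4 sender against one "a.b.c.d/len" entry (assumed ACL form).
 * Returns 1 = allowed, 0 = denied, -1 = malformed ACL entry. */
static int cidr_match(const char *cidr, const char *sender)
{
    char ip[INET_ADDRSTRLEN];
    struct in_addr net, src;
    unsigned long bits = 32;
    const char *slash = strchr(cidr, '/');
    size_t n = slash ? (size_t)(slash - cidr) : strlen(cidr);

    if (n == 0 || n >= sizeof(ip))
        return -1;
    memcpy(ip, cidr, n);
    ip[n] = '\0';
    if (inet_pton(AF_INET, ip, &net) != 1)
        return -1;
    if (slash) {
        char *end;
        bits = strtoul(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, sender, &src) != 1)
        return 0;                              /* unparsable sender: deny */
    uint32_t mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    return (ntohl(src.s_addr) & mask) == (ntohl(net.s_addr) & mask);
}

/* Call once per denied message. Returns 1 if a warning may be written now;
 * *swallowed then holds how many denials were dropped silently before it. */
static int deny_should_log(struct deny_limiter *l, time_t now, unsigned *swallowed)
{
    /* A clock that stepped backwards counts as an expired interval. */
    if (l->last_emit != 0 && now >= l->last_emit &&
        now - l->last_emit < DENY_LOG_INTERVAL) {
        l->suppressed++;
        return 0;
    }
    *swallowed = l->suppressed;
    l->suppressed = 0;
    l->last_emit = now;
    return 1;
}

/* Constructed load: per_sec datagrams from one sender for `seconds` seconds.
 * Returns the number of warnings that would reach the local log. */
static unsigned simulate(const char *cidr, const char *sender,
                         unsigned per_sec, unsigned seconds, int verbose)
{
    struct deny_limiter lim = {0, 0};
    unsigned warnings = 0;
    const time_t t0 = 1000;                    /* constructed start time */

    last_swallowed = 0;
    for (unsigned s = 0; s < seconds; s++) {
        for (unsigned i = 0; i < per_sec; i++) {
            unsigned dropped;
            if (cidr_match(cidr, sender) == 1)
                continue;                      /* permitted sender: no warning */
            /* denied (a malformed ACL entry also denies: fail closed) */
            if (!deny_should_log(&lim, t0 + (time_t)s, &dropped))
                continue;
            warnings++;
            last_swallowed = dropped;
            if (verbose)
                printf("t=+%us: message from %s discarded (not permitted), "
                       "%u similar events suppressed\n", s, sender, dropped);
        }
    }
    return warnings;
}

int main(void)
{
    /* 192.0.2.0/24 and 198.51.100.7 are documentation addresses (constructed). */
    unsigned w = simulate("192.0.2.0/24", "198.51.100.7", 1000, 150, 1);
    printf("150000 denied datagrams -> %u log lines\n", w);
    return 0;
}
```

Carrying the suppressed count in the next warning keeps the volume of rejected traffic visible to whoever reads the log, while disk growth stays bounded by the interval rather than by the sender's packet rate.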


> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, December 03, 2008 11:30 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> The memory leak is now also fixed, I just quickly re-ran some TLS tests
> to make sure nothing is broken and it works there, too.
>
> Patch (on top of the others):
>
> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=b41bdeff56ad9d54dddcb8703560c750f04a6370
>
> Rainer
> not
> > a
> > > > > trial fix. The design overlooked the situation. In theory, a
> > whole
> > > > new
> > > > > access control feature would be needed. I am checking out if
it
> > is
> > > > > possible to "just" enhance the interface. With the current
> > > netstreams
> > > > > defined that should be possible. I am tempted to release the
> UDP-
> > > > fixed
> > > > > version and release the next version with the TCP fix.
Feedback
> > > from
> > > > > packagers is appreciated. The TCP fix may take a day or two,
> > > > depending
> > > > > on how smart a way I find.
> > > > >
> > > > > Rainer
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> > > > > > bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > Sent: Monday, December 01, 2008 4:37 PM
> > > > > > To: rsyslog-users
> > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > >
> > > > > > ... and the patch will not work on all of these version, due
> to
> > > the
> > > > > > introduction of the netstream driver functionality. Please
> note
> > > > that
> > > > > > anything older than current v3-stable is outdated, so the
> > proper
> > > > way
> > > > > to
> > > > > > replace the faulty code is to upgrade to the current v3-
> stable
> > > and
> > > > > > apply
> > > > > > the patch. I will also release a new v3-stable soon,
> hopefully
> > > > today
> > > > > > (but I'd like to conduct some more tests).
> > > > > >
> > > > > > Rainer
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> > > > > > > bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > Sent: Monday, December 01, 2008 4:31 PM
> > > > > > > To: rsyslog-users
> > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > >
> > > > > > > I now clarified the affected versions. Affected are 3.12.2
> > and
> > > > > above.
> > > > > > >
> > > > > > > Rainer
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> > > > > > > > bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > Sent: Monday, December 01, 2008 3:32 PM
> > > > > > > > To: rsyslog-users
> > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > this is patch for v3-stable:
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=f0ddbed44c332391ae
> > > > > > > > 6
> > > > > > > > d9bbf6b07e2f06c4dd676
> > > > > > > >
> > > > > > > > I have not tried yet, but I think it will work on almost
> > all
> > > > > other
> > > > > > > > versions, too. I keep you posted on the progress.
> > > > > > > >
> > > > > > > > Rainer
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: rsyslog-bounces@lists.adiscon.com
> [mailto:rsyslog-
> > > > > > > > > bounces@lists.adiscon.com] On Behalf Of Rainer
Gerhards
> > > > > > > > > Sent: Monday, December 01, 2008 11:27 AM
> > > > > > > > > To: rsyslog-users
> > > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > > >
> > > > > > > > > Version v2-stable is NOT vulnerable.
> > > > > > > > >
> > > > > > > > > Rainer
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: rsyslog-bounces@lists.adiscon.com
> > [mailto:rsyslog-
> > > > > > > > > > bounces@lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> > > > > > > > > > Sent: Monday, December 01, 2008 10:55 AM
> > > > > > > > > > To: rsyslog-users
> > > > > > > > > > Subject: [rsyslog] security issue in rsyslog
> > > > > > > > > >
> > > > > > > > > > Hi folks,
> > > > > > > > > >
> > > > > > > > > > thanks to a bug report, I found out that the
> > > $AllowedSender
> > > > > > > > directive
> > > > > > > > > > does not work in all releases. The bug in question
> is:
> > > > > > > > > >
> > > > > > > > > > http://bugzilla.adiscon.com/show_bug.cgi?id=111
> > > > > > > > > >
> > > > > > > > > > Im am currently working on the bug. Obviously, this
> can
> > > > lead
> > > > > to
> > > > > > > > > > messages
> > > > > > > > > > being received from systems that are not permitted
> so.
> > As
> > > a
> > > > > > work-
> > > > > > > > > > around,
> > > > > > > > > > proper firewalling should be set up on the
vulnerable
> > > > hosts.
> > > > > > > Until
> > > > > > > > > > further note, I would assume that all versions of
> > rsyslog
> > > > are
> > > > > > > > > affected
> > > > > > > > > > (I will provide more detail during my analysis).
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Rainer
> > > > > > > > > > _______________________________________________
> > > > > > > > > > rsyslog mailing list
> > > > > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > > > > > http://www.rsyslog.com
> > > > > > > > > _______________________________________________
> > > > > > > > > rsyslog mailing list
> > > > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > > > > http://www.rsyslog.com
> > > > > > > > _______________________________________________
> > > > > > > > rsyslog mailing list
> > > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > > > http://www.rsyslog.com
> > > > > > > _______________________________________________
> > > > > > > rsyslog mailing list
> > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > > http://www.rsyslog.com
> > > > > > _______________________________________________
> > > > > > rsyslog mailing list
> > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > http://www.rsyslog.com
> > > > > _______________________________________________
> > > > > rsyslog mailing list
> > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > http://www.rsyslog.com
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > http://www.rsyslog.com
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
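The once-a-minute limit described in the message above, sketched as an added example (this is not rsyslog's code and not taken from the patches linked in this thread). The names deny_limiter, deny_notice and simulate_flood, the notice wording and the sender address 192.0.2.10 are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

#define DENY_NOTICE_INTERVAL 60 /* seconds between notices: "once every minute" */

/* Limiter state (hypothetical name); one instance per listener. */
struct deny_limiter {
    int           primed;     /* 0 until the first notice has been emitted */
    time_t        last_emit;  /* time the last notice was emitted */
    unsigned long suppressed; /* notices withheld since last_emit */
};

/*
 * Call once for every message dropped because its sender is not permitted.
 * Returns 1 and fills buf when a notice should be written to the log,
 * 0 when the notice is withheld. The caller passes the current time so the
 * logic can be tested without waiting.
 */
int deny_notice(struct deny_limiter *rl, time_t now, const char *sender,
                char *buf, size_t buflen)
{
    /* If the clock was stepped back, restart the window at "now" so that
     * suppression lasts at most one more interval instead of indefinitely. */
    if (rl->primed && difftime(now, rl->last_emit) < 0)
        rl->last_emit = now;

    if (rl->primed && difftime(now, rl->last_emit) < DENY_NOTICE_INTERVAL) {
        rl->suppressed++;   /* count it, but write nothing to disk */
        return 0;
    }

    /* Constructed notice text; the count tells the operator how much was
     * dropped silently since the previous notice. */
    snprintf(buf, buflen,
             "message from disallowed sender %s discarded "
             "(%lu similar notices suppressed)", sender, rl->suppressed);
    rl->primed = 1;
    rl->last_emit = now;
    rl->suppressed = 0;
    return 1;
}

/*
 * Constructed flood: per_second dropped messages in each of `seconds`
 * consecutive seconds, all from one disallowed sender.
 * Returns how many notices would reach the log.
 */
unsigned long simulate_flood(int seconds, int per_second)
{
    struct deny_limiter rl = {0};
    char line[160];
    unsigned long notices = 0;
    time_t start = 1228394280; /* constructed start time */

    for (int s = 0; s < seconds; s++)
        for (int i = 0; i < per_second; i++)
            notices += (unsigned long)deny_notice(&rl, start + s, "192.0.2.10",
                                                  line, sizeof line);
    return notices;
}

int main(void)
{
    printf("without limit: %d notices, with limit: %lu notices\n",
           180 * 1000, simulate_flood(180, 1000));
    return 0;
}
```

Without the limiter every dropped packet costs one log line, so the size of the log is set by the sender; with it, the log grows by at most one line per minute per listener regardless of packet rate.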
Re: security issue in rsyslog [ In reply to ]
OK, 3.20.1 is now re-released as 3.20.2 (there were a few downloads...).
The download link is still correct, it is updated (including the md5sum
;)). 3.21.8 is pulled and I'll restore it next.

Sorry for the hassle.

Rainer

Re: security issue in rsyslog [ In reply to ]
> Sorry for the hassle.

It's not a hassle when you're being open and honest about issues. Too
few projects call an apple an apple, so it's pleasing to be able to
understand precisely what issues are.
Re: security issue in rsyslog [ In reply to ]
I must concur, I am not very active on this mailing list in either form,
but rsyslog does represent to me what open source was always about. The
openness, speed and intelligence with which bugs/issues are addressed
are exemplary.

Regards

Re: security issue in rsyslog [ In reply to ]
Thanks folks for the nice statements. Obviously much appreciated ;)

Rainer

Re: security issue in rsyslog [ In reply to ]
3.21.8 has now also been replaced by 3.21.9. As with 3.20.2, links
remain intact. 3.21.8 has probably never been downloaded, but I thought
it is safer to use a new version number, especially as it is a security
issue.

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, December 04, 2008 2:48 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> OK, 3.20.1 is now re-released as 3.20.2 (there were a few
> downloads...).
> The download link is still correct, it is updated (including the
md5sum
> ;)). 3.21.8 is pulled and I'll restore it next.
>
> Sorry for the hassle.
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> > bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > Sent: Thursday, December 04, 2008 1:38 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] security issue in rsyslog
> >
> > Grrr... One more issue. I noticed that while I resolved some
> conflicts
> > on the devel branch integration. There is an option that a log
> message
> > is emitted by rsyslog itself, when a remote machine's message is
> > discarded due to no permission. This was requested so that people
> know
> > when something goes wrong. This is only in the UDP code.
> >
> > HOWEVER, this is not rate-limited so if someone carries out a heavy
> > attack, he can still flood the local disk by these messages. I'll
> > change
> > it so that the message is emited only once every minute and will
then
> > re-release what already has been released...
> >
> > Rainer
> >
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> > > bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > Sent: Wednesday, December 03, 2008 11:30 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] security issue in rsyslog
> > >
> > > The memory leak is now also fixed, I just quickly re-run some TLS
> > tests
> > > to make sure nothing is broken and it works there, too.
> > >
> > > Patch (on top of the others):
> > >
> > >
> >
>
http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=b41bdeff56ad9d54dd
> > > d
> > > cb8703560c750f04a6370
> > >
> > > Rainer
> > >
> > > > -----Original Message-----
> > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> > > > bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > Sent: Wednesday, December 03, 2008 10:54 AM
> > > > To: rsyslog-users
> > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > >
> > > > Ok, I ran this fix through a couple of tests yesterday. It looks
> > well
> > > > for TLS, too. Note that there is an implication that
> $AllowedSender
> > > > TCP,... applies to TLS to (because it is TCP). I'd consider this
> to
> > > be
> > > > a
> > > > side-effect, but I do not think it is worth fixing. With TLS,
> there
> > > is
> > > > much finer and better control. An issue may only exists if
> someone
> > > > decides to run non-tls tcp and tls tcp together AND use
> > > $AllowedSender.
> > > > Workaround in that case is to use the firewall, so I don't
> consider
> > > it
> > > > is worth fixing now.
> > > >
> > > > Please note that my testing revealed a potential memory leak as
> > > > side-effect of the fixes. This could be abused to a remote DoS,
> so
> > I
> > > > will investigate that before releasing.
> > > >
> > > > Rainer
> > > >
> > > > > -----Original Message-----
> > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> > > > > bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > Sent: Monday, December 01, 2008 6:47 PM
> > > > > To: rsyslog-users
> > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > >
> > > > > And now there is an *untested* fix for the TLS driver:
> > > > >
> > > > >
> > > >
> > >
> >
>
http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=61b59a78c6b558ec06
> > > > > 3
> > > > > 83fc5969178887d00abfc
> > > > >
> > > > > Testing takes a bit more of time, I need to set up the test
> > > > environment
> > > > > for TLS again (looks like it would really pay to have a fixed
> > test
> > > > > suite
> > > > > for all those cases - also the issue here would have never
> > > > > occurred...).
> > > > >
> > > > > Please note that I mistook GSSAPI with TLS in my previous
mail.
> > The
> > > > TLS
> > > > > part should not be really affected by the problem: there are
so
> > > much
> > > > > better access control features in TLS...
> > > > >
> > > > > Rainer
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> > > > > > bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > Sent: Monday, December 01, 2008 5:52 PM
> > > > > > To: rsyslog-users
> > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > >
> > > > > > Ok, looks like I found a work-around. Not that elegant, but
> > seems
> > > > to
> > > > > > work quite well. Patch for TCP is here:
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=97b89435aad77bd6d9
> > > > > > e
> > > > > > 18747b55d701e360d5aac
> > > > > >
> > > > > > Please note that this effectively disables GSS
functionality.
> > > I'll
> > > > > > updated the GSS drivers in the next step.
> > > > > >
> > > > > > Rainer
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> > > > > > > bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > Sent: Monday, December 01, 2008 5:08 PM
> > > > > > > To: rsyslog-users
> > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > >
> > > > > > > The issue also exists in TCP mode, but analysis shows this
> is
> > > not
> > > > a
> > > > > > > trial fix. The design overlooked the situation. In theory,
> a
> > > > whole
> > > > > > new
> > > > > > > access control feature would be needed. I am checking out
> if
> > it
> > > > is
> > > > > > > possible to "just" enhance the interface. With the current
> > > > > netstreams
> > > > > > > defined that should be possible. I am tempted to release
> the
> > > UDP-
> > > > > > fixed
> > > > > > > version and release the next version with the TCP fix.
> > Feedback
> > > > > from
> > > > > > > packagers is appreciated. The TCP fix may take a day or
> two,
> > > > > > depending
> > > > > > > on how smart a way I find.
> > > > > > >
> > > > > > > Rainer
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > Sent: Monday, December 01, 2008 4:37 PM
> > > > > > > > To: rsyslog-users
> > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > >
> > > > > > > > ... and the patch will not work on all of these versions, due to the
> > > > > > > > introduction of the netstream driver functionality. Please note that
> > > > > > > > anything older than current v3-stable is outdated, so the proper way
> > > > > > > > to replace the faulty code is to upgrade to the current v3-stable and
> > > > > > > > apply the patch. I will also release a new v3-stable soon, hopefully
> > > > > > > > today (but I'd like to conduct some more tests).
> > > > > > > >
> > > > > > > > Rainer
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > > Sent: Monday, December 01, 2008 4:31 PM
> > > > > > > > > To: rsyslog-users
> > > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > > >
> > > > > > > > > I now clarified the affected versions. Affected are 3.12.2 and above.
> > > > > > > > >
> > > > > > > > > Rainer
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > > > Sent: Monday, December 01, 2008 3:32 PM
> > > > > > > > > > To: rsyslog-users
> > > > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > > > >
> > > > > > > > > > Hi all,
> > > > > > > > > >
> > > > > > > > > > this is patch for v3-stable:
> > > > > > > > > >
> > > > > > > > > > http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=f0ddbed44c332391ae6d9bbf6b07e2f06c4dd676
> > > > > > > > > >
> > > > > > > > > > I have not tried yet, but I think it will work on almost all other
> > > > > > > > > > versions, too. I keep you posted on the progress.
> > > > > > > > > >
> > > > > > > > > > Rainer
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > > > > Sent: Monday, December 01, 2008 11:27 AM
> > > > > > > > > > > To: rsyslog-users
> > > > > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > > > > >
> > > > > > > > > > > Version v2-stable is NOT vulnerable.
> > > > > > > > > > >
> > > > > > > > > > > Rainer
> > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > > > > > Sent: Monday, December 01, 2008 10:55 AM
> > > > > > > > > > > > To: rsyslog-users
> > > > > > > > > > > > Subject: [rsyslog] security issue in rsyslog
> > > > > > > > > > > >
> > > > > > > > > > > > Hi folks,
> > > > > > > > > > > >
> > > > > > > > > > > > thanks to a bug report, I found out that the $AllowedSender directive
> > > > > > > > > > > > does not work in all releases. The bug in question is:
> > > > > > > > > > > >
> > > > > > > > > > > > http://bugzilla.adiscon.com/show_bug.cgi?id=111
> > > > > > > > > > > >
> > > > > > > > > > > > I am currently working on the bug. Obviously, this can lead to
> > > > > > > > > > > > messages being received from systems that are not permitted so. As a
> > > > > > > > > > > > work-around, proper firewalling should be set up on the vulnerable
> > > > > > > > > > > > hosts. Until further note, I would assume that all versions of
> > > > > > > > > > > > rsyslog are affected (I will provide more detail during my analysis).
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks,
> > > > > > > > > > > > Rainer