Source: syslog-ng Version: 4.8.1-4 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for syslog-ng. CVE-2024-47619[0]: | syslog-ng is an enhanced log daemo. Prior to version 4.8.2, | `tls_wildcard_match()` matches on certificates such as `foo.*.bar` | although that is not allowed. It is also possible to pass partial | wildcards such as `foo.a*c.bar` which glib matches but should be | avoided / invalidated. This issue could have an impact on TLS | connections, such as in man-in-the-middle situations. Version 4.8.2 | contains a fix for the issue. Note, while advisory say this is fixed in 4.8.2 it looks that syslong-ng-4.8.2 tag does not contain the fix? I might have missed something indeed, and asked upstream in [1] about it. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-47619 https://www.cve.org/CVERecord?id=CVE-2024-47619 [1] https://github.com/syslog-ng/syslog-ng/issues/5360 [2] https://github.com/syslog-ng/syslog-ng/security/advisories/GHSA-xr54-gx74-fghg [3] https://github.com/syslog-ng/syslog-ng/commit/dadfdbecde5bfe710b0a6ee5699f96926b3f9006 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
