Your message dated Wed, 26 Dec 2007 16:22:57 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#457334: fixed in syslog-ng 2.0.5-3+lenny1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: syslog-ng
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for syslog-ng.

CVE-2007-6437[0]:
| Balabit syslog-ng 2.0.x before 2.0.6 and 2.1.x before 2.1.8 allows
| remote attackers to cause a denial of service (crash) via a message
| with a timestamp that does not contain a trailing space, which
| triggers a NULL pointer dereference.

The upstream patch is available on:
http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
--- Begin Message ---
Source: syslog-ng
Source-Version: 2.0.5-3+lenny1

We believe that the bug you reported is fixed in the latest version of
syslog-ng, which is due to be installed in the Debian FTP archive:

syslog-ng_2.0.5-3+lenny1.diff.gz
  to pool/main/s/syslog-ng/syslog-ng_2.0.5-3+lenny1.diff.gz
syslog-ng_2.0.5-3+lenny1.dsc
  to pool/main/s/syslog-ng/syslog-ng_2.0.5-3+lenny1.dsc
syslog-ng_2.0.5-3+lenny1_i386.deb
  to pool/main/s/syslog-ng/syslog-ng_2.0.5-3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated syslog-ng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 22 Dec 2007 14:33:13 +0100
Source: syslog-ng
Binary: syslog-ng
Architecture: source i386
Version: 2.0.5-3+lenny1
Distribution: testing-security
Urgency: high
Maintainer: SZALAY Attila <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 syslog-ng  - Next generation logging daemon
Closes: 457334
Changes: 
 syslog-ng (2.0.5-3+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by security team.
   * This update addresses the following security issue:
     - A remote attacker can cause a denial of service (crash)
       via a crafted log message that is missing a whitespace
       at the end of the timestamp (CVE-2007-6437; Closes: #457334).
Files: 
 b6472011ab7a60d5f41d51b3accfcb54 634 admin extra syslog-ng_2.0.5-3+lenny1.dsc
 c161eefc450fabc246c1a10997c6c6a5 363064 admin extra syslog-ng_2.0.5.orig.tar.gz
 37ef489132204adbc7223a61d11fad6e 15699 admin extra syslog-ng_2.0.5-3+lenny1.diff.gz
 942f949ae3cf5cafffbeffdb5677c36f 190648 admin extra syslog-ng_2.0.5-3+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHcP74HYflSXNkfP8RAmZYAKCbD79YM1FDrzoZjgd94ltpQr2ZYgCeKnFW
qd3g0Szi711/MvNAO1Q+h6E=
=cRsp
-----END PGP SIGNATURE-----



--- End Message ---
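
The failure mode named in the CVE-2007-6437 description quoted above (a timestamp with no trailing space leading to a NULL pointer dereference), as an added C illustration; it is not syslog-ng's code or the upstream patch. The header layout, the struct and function names, and the ISO 8601-style sample inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header layout "<timestamp> <rest>"; names are illustrative. */
struct parsed {
    const char *stamp; size_t stamp_len;
    const char *rest;  size_t rest_len;
};

/* Unchecked pattern: assumes a space always follows the timestamp.
 * With no space in buf, memchr() returns NULL and the code below
 * computes and reads through pointers derived from NULL. */
int parse_unchecked(const char *buf, size_t len, struct parsed *out)
{
    const char *sp = memchr(buf, ' ', len);
    out->stamp = buf;
    out->stamp_len = (size_t)(sp - buf);
    out->rest = sp + 1;
    out->rest_len = len - out->stamp_len - 1;
    return *sp == ' ' ? 0 : -1;       /* faults when sp is NULL */
}

/* Checked form: a missing delimiter is a parse error, not a crash. */
int parse_checked(const char *buf, size_t len, struct parsed *out)
{
    const char *sp = memchr(buf, ' ', len);
    if (sp == NULL || sp == buf)
        return -1;                    /* no trailing space, or empty stamp */
    out->stamp = buf;
    out->stamp_len = (size_t)(sp - buf);
    out->rest = sp + 1;
    out->rest_len = len - out->stamp_len - 1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = {
        "2007-12-26T16:22:57+00:00 host app: hello",
        "2007-12-26T16:22:57+00:00",          /* no trailing space */
    };
    struct parsed p;
    for (size_t i = 0; i < 2; i++) {
        int rc = parse_checked(samples[i], strlen(samples[i]), &p);
        printf("sample %zu: %s\n", i, rc == 0 ? "parsed" : "rejected");
    }
    return 0;
}
```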