Your message dated Sun, 29 May 2022 18:32:39 +0000
with message-id <e1nvnir-0004ys...@fasolo.debian.org>
and subject line Bug#1010619: fixed in rsyslog 8.1901.0-1+deb10u2
has caused the Debian Bug report #1010619,
regarding rsyslog: CVE-2022-24903: Potential heap buffer overflow in TCP syslog
server (receiver) components
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1010619: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010619
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rsyslog
Version: 8.2204.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for rsyslog. Filing for now
as grave, but we might downgrade. Probably affected configurations are
not that common if I understood correctly; the advisory has some
comments about it as well [1].
CVE-2022-24903[0]:
| Potential heap buffer overflow in TCP syslog server (receiver)
| components
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24903
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24903
[1] https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: rsyslog
Source-Version: 8.1901.0-1+deb10u2
Done: Michael Biebl <bi...@debian.org>
We believe that the bug you reported is fixed in the latest version of
rsyslog, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <bi...@debian.org> (supplier of updated rsyslog package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 25 May 2022 16:51:45 +0200
Source: rsyslog
Architecture: source
Version: 8.1901.0-1+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Michael Biebl <bi...@debian.org>
Changed-By: Michael Biebl <bi...@debian.org>
Closes: 1010619
Changes:
rsyslog (8.1901.0-1+deb10u2) buster-security; urgency=medium
.
* Fix potential heap buffer overflow in TCP syslog server (receiver)
components when octet-counted framing is used
(CVE-2022-24903, Closes: #1010619)
Checksums-Sha1:
fcf5ef844da6715aaa059b1579b725cca8844342 2974 rsyslog_8.1901.0-1+deb10u2.dsc
7223f77a4ea75a7740130cc04ea3df052e82bdfd 2750872 rsyslog_8.1901.0.orig.tar.gz
a1dc51c9bf3836f8272bf4bd57ae07c971145414 28772 rsyslog_8.1901.0-1+deb10u2.debian.tar.xz
d35fba8d49763a589a0411839a2980a57b1efa62 7230 rsyslog_8.1901.0-1+deb10u2_source.buildinfo
Checksums-Sha256:
85ead922b9cb2f3d9cb4b0fa350f8b2ad3183be15e5493f1fd7b7d3b750061c3 2974 rsyslog_8.1901.0-1+deb10u2.dsc
ab02c1f11e21b54cfaa68797f083d6f73d9d72ce7a1c04037fbe0d4cee6f27c4 2750872 rsyslog_8.1901.0.orig.tar.gz
bb5e081bad738a9af2c66116fac01a345f46cf64a3e112d0b5d7eba028c21fd6 28772 rsyslog_8.1901.0-1+deb10u2.debian.tar.xz
709da22c040b6f53564ed7bbed681cd992ef9ef8896714ddd33211f54d64b9c1 7230 rsyslog_8.1901.0-1+deb10u2_source.buildinfo
Files:
d77fea21530435c1cbcd3054413789d8 2974 admin important rsyslog_8.1901.0-1+deb10u2.dsc
f068dadcf81a559db3be760abda0aaf8 2750872 admin important rsyslog_8.1901.0.orig.tar.gz
b1350272bcd3912981cbaa61a0c867d3 28772 admin important rsyslog_8.1901.0-1+deb10u2.debian.tar.xz
a56d263ffd185393eb42c51059ce8ced 7230 admin important rsyslog_8.1901.0-1+deb10u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmKOjGcACgkQauHfDWCP
ItyobA/8DviZDvuAKa4YiGSfrzDPvlIyZdVB+SwbGzMtoRAsuxOL+k+kxKF8gxBg
V2ZeQSe1ceo4qQUOW9xkWwr9K7kvg+aO/M1ulnUlTxHH0t2uW3+YrH97UVUxqhGm
ZQtHOC+FOA/jhpMF6h6zF+8c4SZTOe+/fNo/TkrY+ndlyui7zMj1fb+O0b4a0Ojt
fqGmb7IypWE8mjOXY5LuuMMLk87CxKqPFNzSbAeENPf2fyU5YKK4v6nJ1jUV16q5
wLqn7F1/F3qAxtkyOXM8csJIJRQZdfQQKq0MXjnz3m2efiFXe/jo7UZDI5Nlws7I
fWgGePEGWon1OWaSGU2JNiG0g219q0NReb9cY7c4HYUtJ7Q98JvJZRg0nSE/RtiE
njaKvhCe/i/qnapCSydn1F9wWvrNnkkAUrnnT9sNgrxGfo94j08fZt1Dzfpz9w8Q
5Cc4/g+C0nXZtSXk+rvGVxZnThm9c+ScMAs2j03Gh9lRD/9IPZiqKw0w/ShMg9wq
6r5Yn955LQntLqZH852WKiC7LJ7vjlUxQakzcwBhGifTxDOKHCtsm/XHZDQxPmVB
9ZTbRrYjU92P5t009LDIiJzwEU6CcOKI5IhGyhDtjEGXBXxtX0gl+S5Udgfzyqz7
65WBHpBRbbkj252U4EgGRSDf9qpslwY9pjjWUDFR+Doed7apT+4=
=l+w3
-----END PGP SIGNATURE-----
--- End Message ---
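The changelog entry above describes the affected code path only as "TCP syslog server (receiver) components when octet-counted framing is used". As an added illustration of what a bounds-checked receiver for that framing looks like, here is a small RFC 6587 octet-counted frame parser in C. It is example code written for this page, not rsyslog's code and not the actual fix; MAX_MSG_LEN, the struct and the function names are this example's own assumptions. The property it demonstrates is that the client-supplied octet count is checked against the receive buffer before a single payload byte is stored, and that a count the receiver cannot honour is treated as a protocol error rather than clamped or trusted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on a single syslog message accepted over TCP. Hypothetical
 * value chosen for this example, not rsyslog's configured limit. */
#define MAX_MSG_LEN 8192

enum state { ST_COUNT, ST_MSG };

struct frame_parser {
    enum state state;
    size_t count;               /* octet count announced by the client */
    size_t len;                 /* payload bytes received so far */
    int have_digit;             /* at least one count digit seen */
    char buf[MAX_MSG_LEN + 1];  /* payload, NUL-terminated once complete */
};

static void parser_init(struct frame_parser *p)
{
    memset(p, 0, sizeof *p);
    p->state = ST_COUNT;
}

/* Feed one byte of the TCP stream.
 * Returns 1 when a complete frame is available in p->buf (length p->len),
 * 0 when more input is needed, and -1 on a framing violation, after which
 * the caller should close the connection rather than try to resync. */
static int parser_feed(struct frame_parser *p, unsigned char c)
{
    if (p->state == ST_COUNT) {
        if (isdigit(c)) {
            /* RFC 6587: MSG-LEN = NONZERO-DIGIT *DIGIT, so reject a leading 0. */
            if (!p->have_digit && c == '0')
                return -1;
            p->have_digit = 1;
            p->count = p->count * 10 + (c - '0');
            /* The check that matters: the announced length is bounded by the
             * buffer before any payload byte is stored. Because count is
             * always <= MAX_MSG_LEN on entry, the multiplication above cannot
             * overflow either, however many digits the client sends. */
            if (p->count > MAX_MSG_LEN)
                return -1;
            return 0;
        }
        if (c == ' ' && p->have_digit) {
            p->state = ST_MSG;
            p->len = 0;
            return 0;
        }
        return -1; /* not octet-counted framing */
    }

    /* ST_MSG: 1 <= count <= MAX_MSG_LEN, so this store is in bounds. */
    p->buf[p->len++] = (char)c;
    if (p->len == p->count) {
        p->buf[p->len] = '\0';
        p->state = ST_COUNT;
        p->count = 0;
        p->have_digit = 0;
        return 1;
    }
    return 0;
}

/* Drive the parser over a byte string. Returns the number of complete frames,
 * or -1 if a framing error occurred; copies the last complete frame to last. */
static int count_frames(const char *data, size_t n, char *last, size_t lastsz)
{
    struct frame_parser p;
    int frames = 0;

    parser_init(&p);
    if (last && lastsz)
        last[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int r = parser_feed(&p, (unsigned char)data[i]);
        if (r < 0)
            return -1;
        if (r == 1) {
            frames++;
            if (last)
                snprintf(last, lastsz, "%s", p.buf);
        }
    }
    return frames;
}

int main(void)
{
    /* Constructed sample stream: two well-formed frames back to back. */
    const char good[] = "11 hello world5 abcde";
    /* Constructed hostile stream: a count far larger than any buffer. */
    const char bad[] = "99999999999 x";
    char last[MAX_MSG_LEN + 1];

    printf("good: %d frames, last=\"%s\"\n",
           count_frames(good, sizeof good - 1, last, sizeof last), last);
    printf("bad: %d (framing error)\n", count_frames(bad, sizeof bad - 1, NULL, 0));
    return 0;
}
```

The parser returns -1 and expects the caller to drop the connection on any violation; once a peer has sent an unparseable length prefix there is no reliable way to find the next frame boundary, and trying to resync is how a receiver ends up reading attacker-chosen bytes as a new count.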