Debian Security Advisory

DLA-72-2 rsyslog -- LTS security update

Date Reported:
19 Oct 2014
Affected Packages:
rsyslog
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2014-3634, CVE-2014-3683.
More information:

The patch backported from Wheezy left an unresolved symbol in the imklog module of the Squeeze build: rsyslog otherwise worked, but messages from the kernel could no longer be logged. This update fixes that regression.

For reference, the original advisory text follows.

  • CVE-2014-3634

    Fix a remote syslog vulnerability due to improper handling of invalid PRI values (the priority number in the leading "<N>" of a syslog message).

  • CVE-2014-3683

    Follow-up fix for CVE-2014-3634. The initial patch was incomplete: it did not cover PRI values greater than MAX_INT, whose integer overflow produced negative values.

For Debian 6 Squeeze, these issues have been fixed in rsyslog version 4.6.4-2+deb6u2.
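The two CVEs above describe one bug class: a PRI parser that accepts any run of digits and then uses the result as a number (and, downstream, as a table index). The example below is added here for illustration and is not rsyslog's code or its actual patch; it shows a parser with that defect beside a hardened one. The bounds it enforces come from the syslog format itself: PRI = facility * 8 + severity with facility 0..23 and severity 0..7, so a valid PRI is 0..191 and, per RFC 5424, at most three digits. The facility name table and the helper names are this example's own.

```c
/* Added illustration of the PRI-parsing bug class behind CVE-2014-3634 /
 * CVE-2014-3683. This is NOT rsyslog's code: the "unsafe" parser mirrors the
 * defect as the advisory describes it (unbounded digit accumulation into an
 * int), the "safe" parser applies the RFC 5424 limits (<= 3 digits, 0..191).
 */
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define PRI_MAX        191   /* facility 23 * 8 + severity 7 */
#define PRI_MAX_DIGITS 3     /* RFC 5424: PRI is one to three digits */
#define PRI_DEFAULT    13    /* RFC 3164 4.3.3: user.notice when PRI is unusable */

/* Facility names in the usual syslog(3) / RFC 5424 numbering (index = pri >> 3). */
static const char *const facility_names[24] = {
    "kern",   "user",   "mail",     "daemon", "auth",   "syslog", "lpr",    "news",
    "uucp",   "cron",   "authpriv", "ftp",    "ntp",    "audit",  "alert",  "clock",
    "local0", "local1", "local2",   "local3", "local4", "local5", "local6", "local7"
};

/* Vulnerable pattern: any number of digits, no value bound.
 * The accumulator is unsigned so the wrap-around is well defined in this
 * demo; a plain int accumulator overflows (undefined behaviour) and in
 * practice wraps the same way, which is what the advisory's "> MAX_INT
 * caused integer overflows resulting in negative values" refers to.
 * Returns the (possibly wrapped) PRI, or -1 if "<digits>" is not present. */
int parse_pri_unsafe(const char *msg)
{
    unsigned int acc = 0;
    const char *p = msg;
    if (*p++ != '<') return -1;
    if (*p < '0' || *p > '9') return -1;
    while (*p >= '0' && *p <= '9') {
        acc = acc * 10u + (unsigned int)(*p - '0');   /* wraps silently */
        p++;
    }
    if (*p != '>') return -1;
    return (int)acc;   /* "<2147483648>" comes back as INT_MIN */
}

/* Hardened parser: '<', 1..3 digits, '>', value 0..191.
 * Three digits cannot overflow an int (max 999), and the range check keeps
 * pri >> 3 inside facility_names[]. Returns the PRI or -1 if invalid; when
 * rest is non-NULL it is set to the text after '>' on success. */
int parse_pri_safe(const char *msg, const char **rest)
{
    int acc = 0, ndigits = 0;
    const char *p = msg;
    if (*p++ != '<') return -1;
    while (*p >= '0' && *p <= '9') {
        if (++ndigits > PRI_MAX_DIGITS) return -1;   /* too many digits */
        acc = acc * 10 + (*p - '0');
        p++;
    }
    if (ndigits == 0 || *p != '>') return -1;
    if (acc > PRI_MAX) return -1;                    /* facility would be >= 24 */
    if (rest) *rest = p + 1;
    return acc;
}

/* What a message with an unusable PRI should be filed under. */
int pri_or_default(const char *msg)
{
    int pri = parse_pri_safe(msg, NULL);
    return pri < 0 ? PRI_DEFAULT : pri;
}

/* Bounds-checked table lookup: a negative or oversized PRI yields NULL
 * instead of an out-of-range read of facility_names[]. */
const char *facility_name(int pri)
{
    if (pri < 0 || pri > PRI_MAX) return NULL;
    return facility_names[pri >> 3];
}

int main(void)
{
    /* Constructed inputs: a normal message, the overflow case, an out-of-range PRI. */
    const char *samples[] = { "<34>Oct 19 12:00:00 host su: ok",
                              "<2147483648>overflow",
                              "<192>facility 24 does not exist" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int unsafe = parse_pri_unsafe(samples[i]);
        int safe   = parse_pri_safe(samples[i], NULL);
        printf("%-34s unsafe=%-11d safe=%-4d facility=%s\n", samples[i], unsafe, safe,
               facility_name(safe) ? facility_name(safe) : "(rejected)");
    }
    return 0;
}
```

The unsafe parser is only the shape of the defect, not a reproduction of the crash; the point of the hardened version is that every later consumer of the PRI (the facility lookup, any severity table, any filter) can rely on 0..191 without re-checking, because the limits are enforced once at the only place the value enters.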