Debian Security Advisory
DLA-72-2 rsyslog -- LTS security update
- Date Reported:
- 19 Oct 2014
- Affected Packages:
- rsyslog
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-3634, CVE-2014-3683.
- More information:
-
The Wheezy patch left an unresolved symbol in the imklog module of the Squeeze version. rsyslog worked fine except that messages from the kernel couldn't be submitted any longer. This update fixes this issue.
For reference, the original advisory text follows.
- CVE-2014-3634
Fix remote syslog vulnerability due to improper handling of invalid PRI values.
- CVE-2014-3683
Followup fix for CVE-2014-3634. The initial patch was incomplete. It did not cover cases where PRI values > MAX_INT caused integer overflows resulting in negative values.
For Debian 6
Squeeze
, these issues have been fixed in rsyslog version 4.6.4-2+deb6u2 - CVE-2014-3634