Your message dated Sun, 11 May 2025 13:20:21 +0000
with message-id <[email protected]>
and subject line Bug#1104890: fixed in syslog-ng 4.8.1-5
has caused the Debian Bug report #1104890,
regarding syslog-ng: CVE-2024-47619
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1104890: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104890
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: syslog-ng
Version: 4.8.1-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for syslog-ng.

CVE-2024-47619[0]:
| syslog-ng is an enhanced log daemon. Prior to version 4.8.2,
| `tls_wildcard_match()` matches on certificates such as `foo.*.bar`
| although that is not allowed. It is also possible to pass partial
| wildcards such as `foo.a*c.bar` which glib matches but should be
| avoided / invalidated. This issue could have an impact on TLS
| connections, such as in man-in-the-middle situations. Version 4.8.2
| contains a fix for the issue.

Note: while the advisory says this is fixed in 4.8.2, it looks like the
syslog-ng-4.8.2 tag does not contain the fix? I might have missed
something indeed, and asked upstream in [1] about it.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47619
    https://www.cve.org/CVERecord?id=CVE-2024-47619
[1] https://github.com/syslog-ng/syslog-ng/issues/5360
[2] https://github.com/syslog-ng/syslog-ng/security/advisories/GHSA-xr54-gx74-fghg
[3] https://github.com/syslog-ng/syslog-ng/commit/dadfdbecde5bfe710b0a6ee5699f96926b3f9006

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
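The matching rule the advisory describes, as an added example that is not part of this report or of syslog-ng's code. The weak matcher below stands in for the pre-fix behaviour by using plain glob matching (POSIX fnmatch() rather than glib's pattern matcher, which is an assumption; both accept `*` anywhere, including inside a label and across dots). The strict matcher beside it only accepts a `*` that is the whole leftmost label of the pattern, requires at least two further labels so `*.com` is rejected, lets `*` match exactly one label of the hostname, and compares everything else literally (case-insensitively), so partial wildcards such as `foo.a*c.bar` and `?` globs never match. The function names and the test hostnames are constructed for this example.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the pre-fix behaviour (assumption: fnmatch() instead of glib):
 * '*' may appear anywhere in the pattern and matches across label boundaries,
 * so "foo.*.bar" and "foo.a*c.bar" are accepted as certificate names. */
static bool glob_wildcard_match(const char *pattern, const char *host)
{
    return fnmatch(pattern, host, 0) == 0;
}

/* Case-insensitive comparison of two whole strings. */
static bool labels_equal_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Hypothetical strict matcher in the spirit of RFC 6125 section 6.4.3:
 *  - no '*': pattern must equal host (case-insensitive)
 *  - otherwise exactly one '*', and it must be the entire leftmost label
 *  - at least two labels must follow the wildcard ("*.com" is too broad)
 *  - the wildcard covers exactly one host label: "*.example.com" matches
 *    "host.example.com" but not "a.b.example.com" or "example.com"
 * Everything the advisory lists ("foo.*.bar", "foo.a*c.bar") is rejected. */
static bool strict_wildcard_match(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return false;

    const char *star = strchr(pattern, '*');
    if (!star)
        return labels_equal_ci(pattern, host);

    /* the only '*' must be at position 0 and be followed directly by '.' */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return false;

    const char *suffix = pattern + 1;          /* ".example.com" */
    if (suffix[1] == '\0' || suffix[1] == '.')
        return false;                          /* empty label after '*' */

    /* count the labels after the wildcard and reject empty/trailing labels */
    int dots = 0;
    for (const char *p = suffix + 1; *p; p++) {
        if (*p == '.') {
            if (p[1] == '\0' || p[1] == '.')
                return false;
            dots++;
        }
    }
    if (dots < 1)
        return false;                          /* "*.com": only one label */

    /* the host's leftmost label must exist, be non-empty, and is consumed by '*' */
    const char *host_dot = strchr(host, '.');
    if (!host_dot || host_dot == host)
        return false;

    return labels_equal_ci(suffix, host_dot);
}

int main(void)
{
    /* constructed cases: pattern from a certificate vs. the hostname dialled */
    static const char *const cases[][2] = {
        { "*.example.com",   "log.example.com"   },
        { "*.example.com",   "a.b.example.com"   },
        { "*.example.com",   "example.com"       },
        { "foo.*.bar",       "foo.evil.bar"      },
        { "foo.a*c.bar",     "foo.abc.bar"       },
        { "*.com",           "example.com"       },
        { "log.example.com", "LOG.EXAMPLE.COM"   },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s %-18s glob=%d strict=%d\n", cases[i][0], cases[i][1],
               glob_wildcard_match(cases[i][0], cases[i][1]),
               strict_wildcard_match(cases[i][0], cases[i][1]));
    return 0;
}
```

Running the table shows the divergence the advisory is about: the glob matcher says yes to `foo.*.bar` / `foo.evil.bar`, `foo.a*c.bar` / `foo.abc.bar` and `*.example.com` / `a.b.example.com`, while the strict matcher accepts only `*.example.com` / `log.example.com` and the literal (case-folded) name. A client that validates a server certificate with the first rule can be redirected to any host whose name fits the glob, which is the man-in-the-middle impact the CVE text mentions.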
--- Begin Message ---
Source: syslog-ng
Source-Version: 4.8.1-5
Done: SZALAY Attila <[email protected]>

We believe that the bug you reported is fixed in the latest version of
syslog-ng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
SZALAY Attila <[email protected]> (supplier of updated syslog-ng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 10 May 2025 12:12:49 +0100
Source: syslog-ng
Architecture: source
Version: 4.8.1-5
Distribution: unstable
Urgency: medium
Maintainer: syslog-ng maintainers <[email protected]>
Changed-By: SZALAY Attila <[email protected]>
Closes: 1104890
Changes:
 syslog-ng (4.8.1-5) unstable; urgency=medium
 .
   * Fix transport accepting incorrect wildcards
     This patch is cherry-picked from upstream until they fix it in an official release.
     It can also be used as a baseline to fix the same issue in older releases.
     CVE-ID: CVE-2024-47619 (Closes: #1104890)
Checksums-Sha1:
 8c5268e1838f89b372f0f8ff2675047212cd8f24 4292 syslog-ng_4.8.1-5.dsc
 7896f50caa3b37de2826a6a268076b3641103519 47088 syslog-ng_4.8.1-5.debian.tar.xz
 745768ed488a85ba18430297f3ec9486787db0e6 11482 syslog-ng_4.8.1-5_source.buildinfo
Checksums-Sha256:
 e32b3bb5454993d5eb3e13ac96936a25e205d2fd43774fa3b57e862ca5f23212 4292 syslog-ng_4.8.1-5.dsc
 8a06ac84f864e9de7b6d989d8280c1db04cd9f1f397f4f248b9428f68d42e099 47088 syslog-ng_4.8.1-5.debian.tar.xz
 426006e5452bbb8c8b9146243b7d72435d39a5d276a117258c9eaeb8651ac795 11482 syslog-ng_4.8.1-5_source.buildinfo
Files:
 198fe75a1a9acc3adf499ebc94c350c0 4292 admin optional syslog-ng_4.8.1-5.dsc
 bd7816bf4253a89cb490b420e59f54ac 47088 admin optional syslog-ng_4.8.1-5.debian.tar.xz
 449aadfce8620da62fed63dc80de8aa9 11482 admin optional syslog-ng_4.8.1-5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCgAuFiEEDLxdlTMbVcF2xVjk+A0hGpn97vgFAmggoCcQHHNhc2FAZGVi
aWFuLm9yZwAKCRD4DSEamf3u+PEXD/9HAuc43y7BUirZdRgkm/nQLRF0KcjT/Ip+
QFNJb2zxN8Oup+TRoLNk+1FOaSk5yf9kgUv/a0zjjWNKCp+HnPhkgpg3IdfWJCjI
9qwVU2csrgTcd4NZ5GmPP3CD4fnWxihJD2jvs33zVnnUolENuHKYYOKNGS+lEZOt
1WxG+dk06eXO96G0UlStKW1kN9sFQciCyAshpVqWNzPRAxVYJtknNCOxnY3T4oE0
soU6rni7+8zNQy1gA+doDviBjywWgmBGgoejs9SOy9r3CF4qG4nifB4SKGwbDONV
pRbnwK119XFk1BCyJV5UOqDIZLGUELm0ZOi2fKdmnsVNdHvlB9XOcrvgAL3qXD2I
zcZpr7crl8MBgYe1c4u/NNY1Uay4E0LPcbUUF03rjNjLGddJ6q0DkcBGa3kidRTu
n3phX1m+5fjr7W8bwFWnjkOKaeeeJj8TKsKP7TGe6VG8QN/C4R4/A3LEj6ZdKE2J
b+2iGroZyWf0vHmToqoQ2Wi7hakCcds5VW+59DECZaTLPRPF91hlCPTst1KUnlK8
O+3dCssMIP4wvamRUeu/+cLYGvSUs2cBL0cZosS6pvgLuKk/wRLhcpFsPg62VVBK
1EQu3F4N6+GtkVcRydYkB1P9yJQbvd5Xkc/HK/LyIPVgQjFlNynxLd1XH2gWKNzJ
aA+YcBk3rQ==
=7Jhl
-----END PGP SIGNATURE-----

Attachment: pgpKTRGWCZo2m.pgp
Description: PGP signature


--- End Message ---