Bugzilla – Bug 1207460
VUL-0: CVE-2022-38725: syslog-ng: integer overflow in the RFC3164 parser allows remote attackers Denial of Service
Last modified: 2024-05-03 09:57:53 UTC
CVE-2022-38725

An integer overflow in the RFC3164 parser in One Identity syslog-ng 3.0 through 3.37 allows remote attackers to cause a Denial of Service via crafted syslog input that is mishandled by the tcp or network function. syslog-ng Premium Edition 7.0.30 and syslog-ng Store Box 6.10.0 are also affected.

Upstream PR: https://github.com/syslog-ng/syslog-ng/pull/4110

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38725
https://www.cve.org/CVERecord?id=CVE-2022-38725
https://github.com/syslog-ng/syslog-ng/security/advisories/GHSA-7932-4fc6-pvmc
https://lists.balabit.hu/pipermail/syslog-ng/
It's not very clear whether SUSE:SLE-12:Update is affected, but there is some room to add checks on `left` variable content in `log_msg_parse_date()` (now `log_msg_parse_cisco_timestamp_attributes()`) and `log_msg_parse_seq()` (now `log_msg_parse_cisco_sequence_id()`), so I track it as affected. SUSE:SLE-11-SP1:Update is not affected.
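The kind of check on `left` that the comment above refers to, as an added example that is not part of this bug report and is not syslog-ng's code. The function `skip_seq_prefix` and the "<digits>: " prefix format are hypothetical; the point is that a signed remaining-length counter is validated before every consume.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical helper, not syslog-ng code: skip an optional "<digits>: "
 * prefix. *data and *length are updated only when the whole prefix lies
 * inside the buffer. Returns 1 if a prefix was consumed, otherwise 0. */
int skip_seq_prefix(const unsigned char **data, int *length)
{
    const unsigned char *src = *data;
    int left = *length;

    if (left <= 0)
        return 0;                  /* empty or invalid length: never read *src */

    /* Consume digits; every dereference is guarded by left > 0. */
    while (left > 0 && *src != ':') {
        if (!isdigit(*src))
            return 0;
        src++;
        left--;
    }
    if (src == *data)
        return 0;                  /* no digits before ':' */

    /* The loop may have stopped because the buffer ran out, not because a
     * ':' was seen. Consuming unconditionally here would read past the end
     * and take the signed counter to -1, so check first. */
    if (left < 2)                  /* need ':' and the following ' ' */
        return 0;
    src++;                         /* skip ':' */
    left--;
    if (*src != ' ')
        return 0;
    src++;                         /* skip ' ' */
    left--;

    *data = src;
    *length = left;
    return 1;
}

int main(void)
{
    /* Constructed sample input, declared length shorter than the digits. */
    const unsigned char *p = (const unsigned char *)"12345: msg";
    int n = 3;
    printf("consumed=%d left=%d\n", skip_seq_prefix(&p, &n), n);
    return 0;
}
```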
Hm:

is_maintained -l syslog-ng
syslog-ng is maintained in:
WARNING: LTSS results are only approximated using disabled channels, use your mind when reading these results

Product                          Codestream
SLE-DEBUGINFO_11-SP3-TERADATA    SUSE:SLE-11-SP1:Update
SLE-SERVER_11-SP3-TERADATA       SUSE:SLE-11-SP1:Update
SLE-Module-Legacy_12             SUSE:SLE-12:Update

openSUSE Leap package            Comes from
All currently maintained openSUSE Leap and Backports package locations
If this mentions SUSE:SLE-... it needs to be updated in IBS, otherwise in OBS.
openSUSE:Backports:SLE-15-SP4:Update/syslog-ng

According to: https://scc.suse.com/docs/lifecycle/sle/12/modules
support for syslog-ng in SLE-Module-Legacy_12 ended: 2017-10-27

So, is this fix only for the openSUSE Leap version then?
This fix was primarily for SUSE:SLE-12:Update (we should still provide security fixes to SLE-Module-Legacy_12 channels), but you're right, OBS Backports codestreams will also have to be fixed.
This is an autogenerated message for OBS integration: This bug (1207460) was mentioned in https://build.opensuse.org/request/show/1061138 Backports:SLE-15-SP4 / syslog-ng
openSUSE-SU-2023:0040-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1207460
CVE References: CVE-2022-38725
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): syslog-ng-3.35.1-bp154.3.3.1
SUSE-SU-2023:0319-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1207460
CVE References: CVE-2022-38725
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src): syslog-ng-3.6.4-12.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing