Hello community,

here is the log from the commit of package rsyslog.3055 for openSUSE:12.3:Update checked in at 2014-10-15 15:59:53

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/rsyslog.3055 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.rsyslog.3055.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rsyslog.3055"

Changes:
--------
New Changes file:

--- /dev/null	2014-09-26 12:09:11.568032006 +0200
+++ /work/SRC/openSUSE:12.3:Update/.rsyslog.3055.new/rsyslog.changes	2014-10-15 15:59:54.000000000 +0200
@@ -0,0 +1,1091 @@ +------------------------------------------------------------------- +Mon Oct 6 12:38:35 UTC 2014 - mt@suse.de + +- Fixed remote PRI DoS vulnerability patch (CVE-2014-3683,bnc#899756) + [* rsyslog-7.2.7-remote-PRI-DoS-fix-backport_CVE-2014-3634.patch] +- Removed broken, unsupported and dropped by upstream zpipe utility + from rsyslog-diag-tools package (bnc#890228) + +------------------------------------------------------------------- +Mon Sep 29 09:22:15 UTC 2014 - mt@suse.de + +- Remote syslog PRI DoS vulnerability fix (CVE-2014-3634,bnc#897262) + [+ rsyslog-7.2.7-remote-PRI-DoS-fix-backport_CVE-2014-3634.patch] + +------------------------------------------------------------------- +Fri Aug 22 14:37:57 UTC 2014 - mt@suse.de + +- Stop syslog.socket in %preun to avoid the daemon we uninstall + gets started by a log message due to dependencies (bnc#840815). + +------------------------------------------------------------------- +Fri Apr 19 09:11:23 UTC 2013 - mt@suse.de + +- update to 7.2.7 [v7-stable] 2013-04-17 (bnc#809852): + - rsyslogd startup information is now properly conveyed back to init + when privileges are beging dropped. Actually, we have moved + termination of the parent in front of the priv drop. So it shall + work now in all cases. See code comments in commit for more details. + - If forking, the parent now waits for a maximum of 60 seconds for + termination by the child + - improved debugging support in forked (auto-backgrounding) mode. + The rsyslog debug log file is now continued to be written across the + fork. + - updated systemd files to match current systemd source + - bugfix: failover/action suspend did not work correctly + This was experienced if the retry action took more than one second + to complete. For suspending, a cached timestamp was used, and if the + retry took longer, that timestamp was already in the past. As a + result, the action never was kept in suspended state, and as such no + failover happened. 
The suspend functionalit now does no longer use + the cached timestamp (should not have any performance implication, + as action suspend occurs very infrequently). + - bugfix: nested if/prifilt conditions did not work properly + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=415 + - bugfix: script == comparison did not work properly on JSON objects + [backport from 7.3 branch] + - bugfix: imudp scheduling parameters did affect main thread, not imudp + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=409 + - bugfix: imuxsock rate-limiting could not be configured via legacy conf + Rate-limiting for the system socket could not be configured via legacy + configuration directives. However, the new-style RainerScript config + options worked. + Thanks to Milan Bartos for the patch. + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=390 + - bugfix: using group resolution could lead to endless loop + Thanks to Tomas Heinrich for the patch. + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=310 + - bugfix: $mmnormalizeuseramsg paramter was specified with wrong type + Thank to Renzhong Zhang for alerting us of the problem. + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=420 + - bugfix: RainerScript getenv() function caused segfault when var was + not found. + Thanks to Philippe Muller for the patch. + - bugfix: several issues in imkmsg + see bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=421#c8 + - bugfix: imuxsock was missing SysSock.ParseTrusted module parameter + To use that functionality, legacy rsyslog.conf syntax had to be used. + Also, the doc was missing information on the "ParseTrusted" set of + config directives. + - bugfix: parameter action.execOnlyWhenPreviousIsSuspended was + accidently of integer-type. For obvious reasons, it needs to be + boolean. Note that this change can break existing configurations + if they circumvented the problem by using 0/1 values. 
+ - doc bugfix: rsyslog.conf man page had invalid file format info + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=418 +- update to 7.2.6 [v7-stable] 2013-03-05: + - slightly improved config parser error messages when invalid escapes + happen + - bugfix: include files got included in the wrong order + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=411 + This happens if an $IncludeConfig directive was done on multiple + files (e.g. the distro default of $IncludeConfig /etc/rsyslog.d/*.conf). + In that case, the order of include file processing is reversed, which + could lead to all sorts of problems. + Thanks to Nathan Stratton Treadway for his great analysis of the + problem, which made bug fixing really easy. + - bugfix: omelasticsearch failed when authentication data was provided + ... at least in most cases it emitted an error message: + "snprintf failed when trying to build auth string" + Thanks to Joerg Heinemann for alerting us. + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=404 + - bugfix: some property-based filter were incorrectly parsed + This usually lead to a syntax error on startup and rsyslogd not actually + starting up. The problem was the regex, which did not care for double + quote characters to follow in the action part - unfortunately something + that can frequently happen with v6+ format. An example: + :programname, isequal, "as" {action(type="omfile" ...) } + Here, the part + :programname, isequal, "as" {action(type="omfile" + was treated as the property filter, and the rest as action part. + Obviously, this did not work out. Unfortunately, such situations usually + resulted in very hard to understand error messages. +- Removed rsyslog.conf from doc file list, not shipped any more. 
+ +------------------------------------------------------------------- +Fri Mar 29 11:53:49 UTC 2013 - vcizek@suse.com + +- restore SELinux label when creating xconsole (bnc#812447) + +------------------------------------------------------------------- +Tue Feb 19 16:25:03 UTC 2013 - mt@suse.de + +- Fixed rsyslog.service file to support reload (bnc#803994) + +------------------------------------------------------------------- +Tue Jan 15 09:35:07 UTC 2013 - mt@suse.de + +- Fixed relp build requires change, which broke SLE-11 build. + +------------------------------------------------------------------- +Mon Jan 14 21:59:15 UTC 2013 - andreas.stieger@gmx.de + +- update to 7.2.5 [v7-stable]: + - build system cleanup + - bugfix: omelasticsearch did not properly compile on some platforms + due to missing libmath + - bugfix: on termination, actions were incorrectly called + - bugfix: very large memory consumption (and probably out of memory) when + FromPos was specified in template, but ToPos not. + - bugfix: timeval2syslogTime cause problems on some platforms + due to invalid assumption on structure data types. + - bugfix: compile errors in im3195 + - bugfix: doGetFileCreateMode() had invalid validity check + - bugfix: mmjsonparse errornously returned action error when no + CEE cookie was present. + +------------------------------------------------------------------- +Wed Jan 9 14:05:53 UTC 2013 - mt@suse.com + +- Enable rsyslog.service and create the syslog.service alias link + in post install -- regardless of a preset config (bnc#790805). +- Check the existence of /etc/init.d/syslog script before calling + the restart_on_update and stop_on_removal macros to avoid errors + on update. Since openSUSE 12.3, no syslog init script is shipped + (bnc#790298,bnc#750478). 
+ +------------------------------------------------------------------- +Mon Jan 7 10:58:19 UTC 2013 - mt@suse.com + +- Update to 7.2.4 [v7-stable] with following changes: + - enhance: permit RFC3339 timestamp in local log socket messages + Thanks to Sebastien Ponce for the patch. + - imklog: added ParseKernelTimestamp parameter (import from 5.10.2) + Thanks to Marius Tomaschewski for the patch. + - fix missing functionality: ruleset(){} could not specify ruleset queue + The "queue.xxx" parameter set was not supported, and legacy ruleset + config statements did not work (by intention). The fix introduces the + "queue.xxx" parameter set. It has some regression potential, but only + for the new functionality. Note that using that interface it is possible + to specify duplicate queue file names, which will cause trouble. This + will be solved in v7.3, because there is a too-large regression + potential for the v7.2 stable branch. + - imklog: added KeepKernelTimestamp parameter (import from 5.10.2) + Thanks to Marius Tomaschewski for the patch. + - bugfix: imklog mistakenly took kernel timestamp subseconds as nanoseconds + ... actually, they are microseconds. So the fractional part of the + timestamp was not properly formatted. (import from 5.10.2) + Thanks to Marius Tomaschewski for the bug report and the patch idea. + - bugfix: supportoctetcountedframing parameter did not work in imptcp + - bugfix: modules not (yet) supporting new conf format were not properly + registered. This lead to a "module not found" error message instead of + the to-be-expected "module does not support new style" error message. 
+ That invalid error message could be quite misleading and actually stop + people from addressing the real problem (aka "go nuts" ;)) + - bugfix: template "type" parameter is mandatory (but was not) + - bugfix: some message properties could be garbled due to race condition + This happened only on very high volume systems, if the same message was + being processed by two different actions. This was a regression caused + by the new config processor, which did no longer properly enable msg + locking in multithreaded cases. The bugfix is actually a refactoring of + the msg locking code - we no longer do unlocked operations, as the use + case for it has mostly gone away. It is potentially possible only at + very low-end systems, and there the small additional overhead of doing + the locking does not really hurt. Instead, the removal of that + capability can actually slightly improve performance in common cases, + as the code path is smaller and requires slightly less memory writes. + That probably outperforms the extra locking overhead (which in the + low-end case always happens in user space, without need for kernel + support as we can always directly aquire the lock - there is no + contention at all). +- Removed imklog-kernel-timestamp-parsing (bnc#783967) patch obsoleted + by this version. 
+ +------------------------------------------------------------------- +Fri Nov 23 01:28:46 UTC 2012 - mrueckert@suse.de + +- fix zeromq support ++++ 894 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.rsyslog.3055.new/rsyslog.changes New: ---- rsyslog-7.2.7-remote-PRI-DoS-fix-backport_CVE-2014-3634.patch rsyslog-7.2.7.tar.gz rsyslog-service-prepare.in rsyslog.changes rsyslog.conf.in rsyslog.d.remote.conf.in rsyslog.service.in.in rsyslog.spec rsyslog.sysconfig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rsyslog.spec ++++++ ++++ 924 lines (skipped) ++++++ rsyslog-7.2.7-remote-PRI-DoS-fix-backport_CVE-2014-3634.patch ++++++
From 0624e463f78a924c675f516ee067829ec9dd7484 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski
Date: Mon, 29 Sep 2014 11:18:55 +0200
Subject: [PATCH] Remote PRI DoS vulnerability fix backport (CVE-2014-3634)
References: CVE-2014-3634,bnc#897262
Upstream: yes
A backport of v7-stable patch by Rainer Gerhards
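Review bot: the patch header's "References:" line names only CVE-2014-3634,bnc#897262, but the Mon Oct 6 changelog entry records that this same file (rsyslog-7.2.7-remote-PRI-DoS-fix-backport_CVE-2014-3634.patch, marked "[* ...]" as modified) now also carries the fix for CVE-2014-3683,bnc#899756. Update the header to list both, e.g. "References: CVE-2014-3634,bnc#897262,CVE-2014-3683,bnc#899756", and consider mentioning the second CVE in the Subject, so the patch can be traced to both advisories without consulting the changelog; the file name keeping the original CVE is fine as long as the header is complete.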
"${cfg_file}" for variable in ${!SYSLOGD_ADDITIONAL_SOCKET*}; do eval value=\$$variable test -z "$value" && continue test -d "${value%/*}" || continue echo "\$AddUnixListenSocket $value" done >> "${cfg_file}"
#
# make sure xconsole exists and is a pipe
#
if test -e /dev/xconsole -a ! -p /dev/xconsole ; then
	/bin/rm -f /dev/xconsole
fi
if test ! -e /dev/xconsole ; then
	/bin/mknod -m 0600 /dev/xconsole p
	/bin/chown root:tty /dev/xconsole
	restorecon /dev/xconsole 2> /dev/null
fi
exit 0
++++++ rsyslog.conf.in ++++++
##
## === When you're using remote logging, enable on-disk queues ===
## === in rsyslog.d/remote.conf. When necessary also set the   ===
## === SYSLOG_REQUIRES_NETWORK=yes in /etc/sysconfig/syslog,   ===
## === e.g. when rsyslog has to receive on a specific IP only. ===
##
## Note that when the MYSQL, PGSQL, GSSAPI, GnuTLS or SNMP modules
## (provided in separate rsyslog-module-* packages) are enabled, the
## configuration can't be used on a system with /usr on a remote
## filesystem, except on newer systems where initrd mounts /usr.
## [The modules are linked against libraries installed below
## /usr and are thus also installed in /usr/lib*/rsyslog.]
##
#
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
# and report them at http://bugzilla.novell.com/
#
# since rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# provides --MARK-- message capability (every 1 hour)
$ModLoad immark.so
$MarkMessagePeriod 3600
# provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock.so
# reduce duplicate log messages (last message repeated n times)
$RepeatedMsgReduction on
# kernel logging (may be also provided by /sbin/klogd)
# see also http://www.rsyslog.com/doc-imklog.html.
$ModLoad imklog.so
# set log level 1 (same as in /etc/sysconfig/syslog).
$klogConsoleLogLevel 1
# Use rsyslog native, rfc5424 conform log format as default
# ($ActionFileDefaultTemplate RSYSLOG_FileFormat).
#
# To change a single file to use obsolete BSD syslog format
# (rfc 3164, no high-precision timestamps), set the variable
# below or append ";RSYSLOG_FileFormat" to the filename.
# See
# http://www.rsyslog.com/doc/rsyslog_conf_templates.html
# for more information.
#
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Include config generated by /etc/init.d/syslog script
# using the SYSLOGD_ADDITIONAL_SOCKET* variables in the
# /etc/sysconfig/syslog file.
#
$IncludeConfig ADDITIONAL_SOCKETS
#
# Include config files that the admin provided:
#
$IncludeConfig ETC_RSYSLOG_D_GLOB
###
# print most important on tty10 and on the xconsole pipe
#
if ( \
	/* kernel up to warning except for firewall */ \
	($syslogfacility-text == 'kern') and \
	($syslogseverity <= 4 /* warning */ ) and not \
	($msg contains 'IN=' and $msg contains 'OUT=') \
    ) or ( \
	/* up to errors except for facility authpriv */ \
	($syslogseverity <= 3 /* errors */ ) and not \
	($syslogfacility-text == 'authpriv') \
    ) \
then /dev/tty10
& |/dev/xconsole
# Emergency messages to everyone logged on (wall)
*.emerg                         :omusrmsg:*
# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert                        root
#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
	($msg contains 'IN=' and $msg contains 'OUT=') \
then -/var/log/firewall
& ~
#
# acpid messages into separate file and stop their further processing
#
# => all acpid messages for debugging (uncomment if needed):
#if ($programname == 'acpid' or $syslogtag == '[acpid]:') then \
#	-/var/log/acpid
#
# => up to notice (skip info and debug)
if ($programname == 'acpid' or $syslogtag == '[acpid]:') and \
	($syslogseverity <= 5 /* notice */) \
then -/var/log/acpid
& ~
#
# NetworkManager into separate file and stop their further processing
#
if ($programname == 'NetworkManager') or \
	($programname startswith 'nm-') \
then -/var/log/NetworkManager
& ~
#
# email-messages
#
mail.*                          -/var/log/mail
mail.info                       -/var/log/mail.info
mail.warning                    -/var/log/mail.warn
mail.err                         /var/log/mail.err
#
# news-messages
#
news.crit                       -/var/log/news/news.crit
news.err                        -/var/log/news/news.err
news.notice                     -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.*                         -/var/log/news.all
#
# Warnings in one file
#
*.=warning;*.=err               -/var/log/warn
*.crit                           /var/log/warn
#
# the rest in one file
#
*.*;mail.none;news.none         -/var/log/messages
#
# enable this, if you want to keep all messages
# in one file
#*.*                            -/var/log/allmessages
#
# Some foreign boot scripts require local7
#
local0.*;local1.*               -/var/log/localmessages
local2.*;local3.*               -/var/log/localmessages
local4.*;local5.*               -/var/log/localmessages
local6.*;local7.*               -/var/log/localmessages
###
++++++ rsyslog.d.remote.conf.in ++++++
##
## === When you're using remote logging, enable on-disk queues ===
## === in rsyslog.d/remote.conf. When necessary also set the   ===
## === SYSLOG_REQUIRES_NETWORK=yes in /etc/sysconfig/syslog,   ===
## === e.g. when rsyslog has to receive on a specific IP only. ===
##
## Note that when the MYSQL, PGSQL, GSSAPI, GnuTLS or SNMP modules
## (provided in separate rsyslog-module-* packages) are enabled, the
## configuration can't be used on a system with /usr on a remote
## filesystem, except on newer systems where initrd mounts /usr.
## [The modules are linked against libraries installed below
## /usr and are thus also installed in /usr/lib*/rsyslog.]
##
#
######### Enable On-Disk queues for remote logging ##########
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#
#$WorkDirectory RSYSLOG_SPOOL_DIR       # where to place spool files
#$ActionQueueFileName uniqName          # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g            # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on          # save messages to disk on shutdown
#$ActionQueueType LinkedList            # run asynchronously
#$ActionResumeRetryCount -1             # infinite retries if host is down
#
######### Sending Messages to Remote Hosts ##########
# Remote Logging using TCP for reliable delivery
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host
# Remote Logging using UDP
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host
#
######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so                      # load module
##$UDPServerAddress 10.10.0.1           # force to listen on this IP only,
##                                      # needs SYSLOG_REQUIRES_NETWORK=yes.
#$InputTCPServerRun <port>              # Starts a TCP server on selected port
# UDP Syslog Server:
#$ModLoad imudp.so                      # provides UDP syslog reception
##$UDPServerAddress 10.10.0.1           # force to listen on this IP only,
##                                      # needs SYSLOG_REQUIRES_NETWORK=yes.
#$UDPServerRun 514                      # start a UDP syslog server at standard port 514
########### Encrypting Syslog Traffic with TLS ##########
# -- TLS Syslog Server:
## make gtls driver the default
#$DefaultNetstreamDriver gtls
#
## certificate files
#$DefaultNetstreamDriverCAFile ETC_RSYSLOG_D_DIR/ca.pem
#$DefaultNetstreamDriverCertFile ETC_RSYSLOG_D_DIR/server_cert.pem
#$DefaultNetstreamDriverKeyFile ETC_RSYSLOG_D_DIR/server_key.pem
#
#$ModLoad imtcp                         # load TCP listener
#
#$InputTCPServerStreamDriverMode 1      # run driver in TLS-only mode
#$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
#$InputTCPServerRun 10514               # start up listener at port 10514
#
# -- TLS Syslog Client:
## certificate files - just CA for a client
#$DefaultNetstreamDriverCAFile ETC_RSYSLOG_D_DIR/ca.pem
#
## set up the action
#$DefaultNetstreamDriver gtls           # use gtls netstream driver
#$ActionSendStreamDriverMode 1          # require TLS for the connection
#$ActionSendStreamDriverAuthMode anon   # server is NOT authenticated
#*.* @@(o)server.example.net:10514      # send (all) messages
++++++ rsyslog.service.in.in ++++++
[Unit]
Description=System Logging Service
Requires=var-run.mount syslog.target
After=var-run.mount
Before=syslog.target
Conflicts=syslog-ng.service syslogd.service

[Service]
Environment=RSYSLOGD_PARAMS=
ExecStartPre=@sbindir@/rsyslog-service-prepare
EnvironmentFile=-/etc/sysconfig/syslog
ExecStart=@sbindir@/rsyslogd -n $RSYSLOGD_PARAMS
ExecReload=/bin/kill -HUP $MAINPID
Sockets=syslog.socket
StandardOutput=null

[Install]
WantedBy=multi-user.target
Alias=syslog.service
++++++ rsyslog.sysconfig ++++++
## Type:           string
## Default:        ""
## Config:         ""
## ServiceRestart: syslog
#
# Parameters for rsyslogd, except for the version compatibility (-c)
# and the config file (-f), because they're used by sysconfig and
# earlysysconfig init scripts.
#
# See also the RSYSLOGD_COMPAT_VERSION variable in this file, the
# documentation provided in /usr/share/doc/packages/rsyslog/doc by
# the rsyslog-doc package and the rsyslogd(8) and rsyslog.conf(5)
# manual pages.
#
RSYSLOGD_PARAMS=""
-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
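The TLS section of the packaged rsyslog.d.remote.conf.in above runs both listener and sender with `AuthMode anon`: the channel is encrypted, but the receiver accepts a TLS session from any host (so any network peer can feed it messages) and the sender will deliver to whatever answers at the configured address. The following is an added example, not part of the openSUSE package or of rsyslog's own files, showing the same legacy-directive pair hardened to certificate-based mutual authentication with `x509/name` and a permitted-peer check. The certificate paths and host names are assumptions for illustration; the two halves belong on two different machines, since the `$DefaultNetstreamDriver*` settings are global per rsyslogd instance.

```conf
# Added example (not from rsyslog.d.remote.conf.in): TLS with peer
# authentication instead of "anon". Paths and names are placeholders.

# ---- receiver (central log host) ----
# Every client must present a certificate issued by our CA, and the
# name in that certificate must match the permitted-peer pattern.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/server_cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/server_key.pem

$ModLoad imtcp
$InputTCPServerStreamDriverMode 1                   # TLS only, no plaintext fallback
$InputTCPServerStreamDriverAuthMode x509/name       # client cert REQUIRED and verified
$InputTCPServerStreamDriverPermittedPeer *.example.net   # cert name must match
$InputTCPServerRun 10514

# ---- sender (every other host) ----
# Verify the receiver's certificate chain AND its name, and present our
# own certificate so the receiver can authenticate us in turn.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/client_cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/client_key.pem

$ActionSendStreamDriverMode 1                       # require TLS
$ActionSendStreamDriverAuthMode x509/name           # receiver cert REQUIRED and verified
$ActionSendStreamDriverPermittedPeer server.example.net  # only this name is accepted
*.* @@(o)server.example.net:10514                   # octet-counted framing, as in the packaged file
```

With `x509/name` a session is refused unless the peer's certificate chains to the configured CA and its subject/SAN name matches a permitted-peer entry; `x509/certvalid` is the intermediate setting that checks the chain but not the name. Either way the on-disk queue settings from the "Enable On-Disk queues" section above still apply, so a client whose certificate is rejected simply spools locally rather than falling back to an unauthenticated connection.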