From Secunia:

DESCRIPTION:
A vulnerability has been reported in syslog-ng, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to the improper processing of incoming timestamps. This can be exploited to trigger a NULL pointer dereference via a specially crafted message containing a timestamp without a terminating space character.

The vulnerability is reported in syslog-ng versions prior to 2.0.6.

See URL for the original advisory and a patch.
http://seclists.org/bugtraq/2007/Dec/0202.html
http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170
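Added example, not part of the advisory or the syslog-ng source: the failure class the advisory describes (a parser that assumes a space always ends the timestamp) next to a checked version that rejects such input. The function names, the ISO 8601-style timestamp and the sample messages are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration with hypothetical helpers; not syslog-ng source.
 * Assumes the buffer starts at an ISO 8601-style timestamp (no inner
 * spaces) that a single space should separate from the rest. */

/* Unchecked pattern: trusts that a space always follows the timestamp. */
static const char *body_unchecked(const char *msg, size_t len)
{
    const char *p = memchr(msg, ' ', len);
    while (*p == ' ')   /* p is NULL when the space is missing: crash */
        p++;
    return p;
}

/* Checked pattern: 0 on success, -1 when the terminator is absent.
 * *body may equal msg + len (empty body) and must not be read then. */
static int split_stamp(const char *msg, size_t len,
                       size_t *stamp_len, const char **body)
{
    const char *end, *p;

    if (msg == NULL || len == 0)
        return -1;
    end = msg + len;
    p = memchr(msg, ' ', len);
    if (p == NULL || p == msg)      /* no terminator, or empty stamp */
        return -1;
    *stamp_len = (size_t)(p - msg);
    while (p < end && *p == ' ')
        p++;
    *body = p;
    return 0;
}

int main(void)
{
    /* Constructed samples: the second lacks the terminating space. */
    const char *samples[] = { "2007-12-17T10:15:00+01:00 host1 test",
                              "2007-12-17T10:15:00+01:00" };
    for (size_t i = 0; i < 2; i++) {
        size_t n = 0;
        const char *body = NULL;
        int rc = split_stamp(samples[i], strlen(samples[i]), &n, &body);
        printf("sample %zu: %s\n", i, rc == 0 ? body : "rejected");
    }
    (void)body_unchecked;  /* shown for contrast only, never called here */
    return 0;
}
```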
Bump 2.0.6 would also fix the issue.
CVE ID was requested
I'm working on getting 2.0.6 built in rawhide right now.
syslog-ng-2.0.7-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update syslog-ng'
syslog-ng-2.0.7-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update syslog-ng'
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0559
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0523
syslog-ng-2.0.7-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
syslog-ng-2.0.7-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.