syslog-ng does not call chdir before it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791 http://www.openwall.com/lists/oss-security/2008/11/17/3
syslog-ng-2.0.10-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/syslog-ng-2.0.10-1.fc8
syslog-ng-2.0.10-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/syslog-ng-2.0.10-1.fc9
syslog-ng-2.0.10-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/syslog-ng-2.0.10-1.fc10
syslog-ng-2.0.10-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
syslog-ng-2.0.10-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
syslog-ng-2.0.10-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10879 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10752