On 2014/10/12 11:47, Philip Guenther wrote:
> On Sun, Oct 12, 2014 at 4:12 AM, Tobias Stoeckmann
> wrote:
> > our syslogd is also vulnerable to rsyslog's CVE-2014-3634. The CVE is
> > about parsing the priority from network clients. The priority boundary
> > isn't properly checked, which could l
On Sun, Oct 12, 2014 at 11:47:36AM -0700, Philip Guenther wrote:
> Have you actually managed to make it crash? I've already committed a
> check for this when this first came out, mapping out of bounds pri
> values to LOG_USER, and at that time no one was able to crash the code
> without the check.
On Sun, Oct 12, 2014 at 4:12 AM, Tobias Stoeckmann
wrote:
> our syslogd is also vulnerable to rsyslog's CVE-2014-3634. The CVE is
> about parsing the priority from network clients. The priority boundary
> isn't properly checked, which could lead to out of bounds access later on.
Have you actual
Hi,
our syslogd is also vulnerable to rsyslog's CVE-2014-3634. The CVE is
about parsing the priority from network clients. The priority boundary
isn't properly checked, which could lead to out of bounds access later on.
sysklogd's commit message is pretty extensive, so have a read here:
http://