Bugzilla – Bug 2574
syslog-ng version bump/security problem
Last modified: 2007-04-01 01:16:53 UTC
Hi, the syslog-ng in devel grim (v. 1.4.14) (which is a "really old one" :) has a security problem: http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt. The solution is to use the new one => 1.4.17 => a version bump will fix this. Also, please, can you change the init.d file with the one which will be in the next attachment? (because it looks much cooler :) Another question: I'm using the 1.5.x branch of syslog-ng (actually 1.5.27) without problems, and there are some nice features (such as chroot, ...). Can you think about changing from the 1.4.x to the 1.5.x branch? (only a question :)
Created attachment 615 [details]
New init.d script for syslog-ng; looks much nicer :)
Created attachment 743 [details]
syslog-ng spell. Added HISTORY and CONFIGURE files, fixed/modified BUILD and DETAILS. Entered myself as maintainer. Version bump to 1.6.0rc1. Created new start/stop script + new custom syslog-ng.conf.
Can you please submit the previous tarball as the syslog-ng spell? Reasons:
1. The current version in grim has, as explained before, the SECURITY BUG (and it's really old); in the meantime they changed the bug URL: http://www.balabit.com/products/zorp/zsa/ZSA-2002-014-en.txt
2. Added HISTORY file, fixed/modified BUILD and DETAILS.
3. Created a custom syslog-ng.conf file (I hope that anybody can see the various features of syslog-ng in this file), and I added a CONFIGURE option to use this conf file (so the user can choose between the standard and the custom conf).
4. Created a "new" init.d script.
Thanks. BTW: I really use this spell, so please fix it; once again, thx.
I forgot to mention that this version of syslog-ng requires libol 0.3.x
Sorry, for the past two days I've been in a peace vigil and just got a chance to read my email! This looks bad! OK, so... I think Jeff is busy lately. This RC1 version sounds good enough for me. Since this is something that will have to be pushed up all the way to the stable grimoire, can you, Vladimir, attest to its stability and upgrade path? Will the admins need to redo config files? Looks like it. If so, I'll need to note that in the upgrade. I do think it is a good idea to go to the 1.6 RC branch now because of the chroot option, and it's already RC-level. Is the new init script making it chroot by default? If not, I'll put this in and we can get that going in devel, as I want this to go in as fast as possible. Whenever I see a response, I'll put it in and release an advisory of our own.
Hi, the situation with syslog-ng has changed since my first post, as is stated now on the syslog-ng home page: "Current stable (version 1.6.x), this should be deployed in production environments ...". Also, my personal experience with this 1.6.0rc1 is really good = no "runtime" problem, and also the configuration file can be exactly the same as for 1.4.x. So if you want me to attest the stability :) : Yes, the spell which I submitted is OK. What it does:
1. New init.d script (only looks nicer than the old one).
2. Configure option to use "my" syslog-ng.conf (has some pretty features, such as no need of logrotate ..., and also I was trying to use the comments so anybody can see various features of syslog), but if you answer no for this configure (which is the default option), the "standard" = example syslog-ng.conf from the syslog-ng package will be used.
3. Some cleanups in the DETAILS, HISTORY, BUILD, .... scripts.
For your question about chroot: I was talking about this "only as motivation to use the 1.5.x branch when it was the devel branch". Personally I'm using chrooted syslog-ng, named, apache, postfix, ... :) but I don't think it's a good idea to add this kind of functionality to standard spells, because "the spell caster must have some level of knowledge ...", so also in this syslog-ng spell there is no chroot option/no chroot usage (so this spell is "as the old grimoire one" but a little bit nicer :). But if you're interested I can post my chrooted syslog-ng spell (but I think that before that, all section maintainers must agree on some convention for the creation of chrooted spells; personally I prefer to have a separate spell for chroot, not a configure option, but this is another topic :)). Last thing: if you submit this spell in the grimoire, don't forget to version bump libol to the new version 0.3.9 (as all newer versions of syslog-ng depend on libol 0.3.x).
In the current devel grim there is libol 0.2.x (as syslog-ng 1.4.x depends on libol 0.2.x).
Thanks, Vlad
PS: as I told before, I use this spell on 8 servers without problems.
PPS: and to be sure sure :) I tested again the cast -r -c syslog-ng ... and no problem :)
As far as chroot -- I suppose it would be good having separate spells to do that, except I thought that was what CONFIGURE was for ... and about standardized chrooting, I was thinking /opt/chroot/$SPELL would be a good place to locate them. As far as any auxiliary libraries are concerned, I've been working with snakebyte on how to make it easier for the maintainers to chroot the spells, and I was thinking that if on cast the chrooting spells could copy all ldd-detected files into the chroot, make sure none of them have suid or sgid, and give them their own user, etc., then if extra files need to be in place that aren't detected, we can just have a standard CHROOT file with the list (say run-time linking, or run-time executables) for full chrootability. Perhaps you can join the new sm-security mailing list on lists.ibiblio.org, and we can talk about this... As for now, I'm going to resolve this bug because your new spell is in all three grimoires! Thanks! Seth
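The comment above sketches a chroot-population step: copy everything ldd reports into /opt/chroot/$SPELL, make sure nothing in the jail is setuid/setgid, and allow a CHROOT list for files ldd cannot detect. The POSIX shell script below is an added illustration of that step, written for this page; it is not code from the bug thread, from the attached spell, or from Source Mage. The function names, the LDD override variable, the CHROOT_BASE default and the CHROOT file format (one absolute path per line, # comments allowed) are assumptions made here.

```shell
#!/bin/sh
# Added example: populate a per-spell chroot from ldd output and audit it.
# Assumed layout: ${CHROOT_BASE:-/opt/chroot}/$SPELL. Only ldd, awk, cp,
# mkdir, find and chmod are used. LDD can be overridden (e.g. for testing).
LDD=${LDD:-ldd}
CHROOT_BASE=${CHROOT_BASE:-/opt/chroot}

# Parse ldd output on stdin and print one absolute library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and "/lib/ld-linux.so.2 (0x...)";
# entries without a path (vdso, "not found", "statically linked") are skipped.
ldd_paths() {
    awk '
        /=>/ { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy one file into the jail, recreating its parent directory, and strip any
# setuid/setgid bit from the copy so nothing inside the jail can escalate
# through it even if the original on the host carried such a bit.
copy_into_chroot() {
    src=$1; root=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
    chmod u-s,g-s "$root$src"
}

# Populate $root with a binary, every shared object ldd finds for it, and any
# extra paths listed in an optional CHROOT file (the "standard CHROOT file
# with the list" from the thread: one absolute path per line, # comments).
populate_chroot() {
    bin=$1; root=$2; extra=${3:-}
    copy_into_chroot "$bin" "$root"
    "$LDD" "$bin" | ldd_paths | while read -r lib; do
        copy_into_chroot "$lib" "$root"
    done
    if [ -n "$extra" ] && [ -f "$extra" ]; then
        while read -r path; do
            case $path in ''|'#'*) continue ;; esac
            if [ -e "$path" ]; then
                copy_into_chroot "$path" "$root"
            fi
        done < "$extra"
    fi
}

# Audit step: print every setuid/setgid regular file under the jail.
# Returns 0 (and prints nothing) when the jail is clean, 1 otherwise.
setid_files() {
    found=$(find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Convenience wrapper for the layout discussed in the thread:
#   build_spell_chroot syslog-ng /usr/sbin/syslog-ng [/path/to/CHROOT]
build_spell_chroot() {
    spell=$1; bin=$2; extra=${3:-}
    populate_chroot "$bin" "$CHROOT_BASE/$spell" "$extra"
    setid_files "$CHROOT_BASE/$spell"
}
```

The "give them their own user" part of the proposal is deliberately left out: creating a service account is distribution-specific and needs root, as does copying real system libraries with their ownership preserved. After populating, run setid_files on the jail; a non-zero exit means a setuid or setgid file slipped in (for instance via the CHROOT list) and the jail should not be used until it is fixed.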
Oulala - the libol spell was not bumped to 0.3.9 => syslog-ng fails to compile (see bug #2875).
ummm, yeah, I forgot you had mentioned it...
reassign to sm-grimoire-bugs