Changelog for 7.6.7 (v7-stable)
Version 7.6.7 [v7.6-stable] 2014-10-02
- bugfix: the fix for CVE-2014-3634 did not handle all cases
This is corrected now. See also: CVE-2014-3683
- fixed a build problem on some platforms
Thanks to Olaf for the patch
- behaviour change: “msg” of messages with invalid PRI set to “rawmsg”
When the PRI is invalid, the rest of the header cannot be valid. So
we move all of it to MSG and do not try to parse it out. Note that
this is not directly related to the security issue but rather done
because it makes most sense.
rsyslog 7.6.7 (v7-stable) released
This is primarily a re-release of 7.6.6 because the patch for the PRI vulnerability was incomplete. Special thanks to “mancha” for notifying us and helping to get it right.
For more info, please see: http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/
Packages are also already available in the package archives.
http://www.rsyslog.com/changelog-for-7-6-7-v7-stable/
Download:
http://www.rsyslog.com/downloads/download-v7-stable/
As always, feedback is appreciated.
Best regards,
Tim Eifler
Changelog for 7.6.6 (v7-stable)
Version 7.6.6 [v7.6-stable] 2014-09-30
- bugfix: potential abort when a message with PRI > 191 was processed
if the “pri-text” property was used in active templates, this could be abused to a remote denial of service from permitted senders
see also: CVE-2014-3634
- bugfix: potential segfault on startup on 64 bit systems
This happened immediately on startup during config processing. Once rsyslog got past this stage, it could not happen.
- bugfix: build problems on SuSe Linux
Thanks Andreas Stieger for the patch
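The two PRI rules from the 7.6.6 and 7.6.7 entries, as an added C example that is not rsyslog's own code: a PRI above 191 is rejected before any text lookup of the kind "pri-text" performs, and a message with an invalid PRI keeps its whole raw text as MSG. The function names, the name tables and the fallback PRI of 13 are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define PRI_MAX 191      /* facility 23, severity 7 */
#define PRI_FALLBACK 13  /* user.notice: this example's choice for invalid PRI */

/* Illustrative name tables; 24 facilities x 8 severities = PRI 0..191. */
static const char *const fac[24] = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7" };
static const char *const sev[8] = {
    "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug" };

/* Returns 1 and points *msg past "<NNN>" when PRI is well formed and in range.
 * Otherwise returns 0 and leaves *msg == raw, so nothing is parsed out of it. */
static int parse_pri(const char *raw, int *pri, const char **msg)
{
    const char *p = raw;
    int val = 0, ndigits = 0;
    *pri = PRI_FALLBACK;
    *msg = raw;
    if (*p++ != '<')
        return 0;
    for (; *p >= '0' && *p <= '9' && ndigits < 3; ndigits++)
        val = val * 10 + (*p++ - '0');
    if (ndigits == 0 || *p != '>' || val > PRI_MAX)
        return 0;
    *pri = val;
    *msg = p + 1;
    return 1;
}

/* "facility.severity" text; range-checks before indexing the tables. */
static const char *pri_text(int pri, char *buf, size_t len)
{
    if (pri < 0 || pri > PRI_MAX)
        return NULL;
    snprintf(buf, len, "%s.%s", fac[pri >> 3], sev[pri & 7]);
    return buf;
}

int main(void)
{
    const char *in[] = { "<34>su: auth failure", "<201>su: auth failure" }; /* constructed */
    char buf[32];
    for (int i = 0; i < 2; i++) {
        int pri; const char *msg;
        int ok = parse_pri(in[i], &pri, &msg);
        printf("%s %s \"%s\"\n", ok ? "valid" : "invalid", pri_text(pri, buf, sizeof buf), msg);
    }
    return 0;
}
```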
rsyslog 7.6.6 (v7-stable) released
This version addresses some bugs and a security issue. Please note that it fixes a potential remote DoS, which may happen for some (non-default) configurations. As such, users are highly encouraged to upgrade to this version.
http://www.rsyslog.com/changelog-for-7-6-6-v7-stable/
Download:
http://www.rsyslog.com/downloads/download-v7-stable/
As always, feedback is appreciated.
Best regards,
Florian Riedl
rsyslog 7.6.5 (v7-stable) released
This release provides an important regression fix, which rendered 7.6.4 unusable, as selector line evaluation was incorrect. Users of 7.6.4 are highly advised to upgrade to this version.
http://www.rsyslog.com/changelog-for-7-6-5-v7-stable/
Download:
http://www.rsyslog.com/downloads/download-v7-stable/
As always, feedback is appreciated.
Best regards,
Florian Riedl
rsyslog 7.6.4 (v7-stable) released
This is a new release for the v7-stable branch. It contains a lot of bug fixes and patches. Several issues have been fixed, thus ensuring better stability and reliability. This is a recommended update for all v7 users.
http://www.rsyslog.com/changelog-for-7-6-4-v7-stable/
Download:
http://www.rsyslog.com/downloads/download-v7-stable/
As always, feedback is appreciated.
Best regards,
Florian Riedl
Changelog for 7.6.4 (v7-stable)
Version 7.6.4 [v7.6-stable] 2014-09-12
- add --enable-generate-man-pages configure switch (default: enabled)
This forces generation of man pages, even if cached ones exist. This “fixes” a typical release tarball nit. While it is hackish, the benefit is clear given the history of failed tarball releases since we changed the cached man page handling. It was just too easy to get that wrong.
- removed obsolete --disable-fsstnd configure option
Thanks to Thomas D. for alerting us.
Closes: https://github.com/rsyslog/rsyslog/issues/72
- permits to build against json-c 0.12
Unfortunately, json-c had an ABI breakage, so this is necessary. Note that versions prior to 0.12 had security issues (CVE-2013-6370, CVE-2013-6371) and so it is desirable to link against the new version.
Thanks to Thomas D. for the patch. Note that at least some distros have fixed the security issue in older versions of json-c, so this seems to apply mostly when building from sources.
- new omfile default module parameters
  - filecreatemode
  - fileowner
  - fileownernum
  - filegroup
  - filegroupnum
  - dirowner
  - dirownernum
  - dirgroup
  - dirgroupnum
Thanks to Karol Jurak for the patch.
- bugfix: memory leak in TCP TLS mode
- bugfix: imfile: if a state file for a different file name was set, that different file (name) was monitored instead of the configured one. Now, the state file is deleted and the correct file monitored.
closes: https://github.com/rsyslog/rsyslog/issues/103
- bugfix: using UUID property could cause segfault
- bugfix: mmutf8fix did not detect two invalid sequences
Thanks to Axel Rau for the patch.
- bugfix: file descriptor leak with Guardtime signatures
When a .gtstate file is opened it is never closed. This is especially bad when dynafiles frequently get evicted from dynafile cache and are re-opened again.
- bugfix: busy loop in tcp listener when running out of file descriptors
Thanks to Susant Sahani for the patch.
- bugfix: mishandling of input modules not supporting new input instances
If they did not support this, accidentally the output module part of the module union was written, leading to unpredictable results. Note: all core modules do support this interface, but some contributed or very old ones do not.
- bugfix: double-free when ruleset() parser parameters were used
While unlikely, this could cause stability issues even after the config phase.
- bugfix: output modules with parameters with multiple passing modes could cause strange behaviour including aborts
This was due to the fact that the action module only preserved and processed the last set passing mode. Note that this was not a problem for the plugins provided by the rsyslog git: none of them uses different passing modes.
Thanks to Tomas Heinrich for providing a very detailed bug report.
- various fixes after Coverity scan
These do not address issues seen in practice but those seen by the tool. Some of them may affect practical deployments.
Thanks to Tomas Heinrich for the patches.
- bugfix imuxsock: “Last message repeated…” was not emitted at shutdown
The “Last message repeated…” notice didn’t get printed if rsyslog was shut down before the repetition was broken.
Thanks to Tomas Heinrich for the patch.
- bugfix: make dist failed when GUARDTIME or LIBGCRYPT feature was disabled
- bugfix: mmjsonparse did not build with json-c < 0.10
This was a regression introduced some time in the past in order to support API changes in json-c. Now we check for the version and use proper code.
- bugfix: mmanon did not properly anonymize IP addresses starting with ‘9’
Thanks to defa-at-so36.net for reporting this problem.
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=529
rsyslog 7.6.3 (v7-stable) released
This release offers a couple of bug-fixes and also supports better interaction with librelp 1.2.5, which in turn supports anonymous TLS on platforms like CENTOS/RHEL 6 where GnuTLS is too old and RELP TLS was completely disabled previously.
http://www.rsyslog.com/changelog-for-7-6-3-v7-stable/
Download:
http://www.rsyslog.com/downloads/download-v7-stable/
As always, feedback is appreciated.
Best regards,
Florian Riedl
Changelog for 7.6.3 (v7-stable)
Version 7.6.3 [v7.6-stable] 2014-03-27
- add capability to override GnuTLS path in build process
Thanks to Clayton Shotwell for the patch
- support for librelp 1.2.5
Support new return states of librelp 1.2.5 to emit better error messages. For obvious reasons, librelp 1.2.5 is now required.
- bugfix: ompipe used invalid default template
This is a regression from an old change (didn’t track it down precisely, but over a year ago). It used the Forwarding template instead of the file template (so we have a full syslog header). This fix corrects it back to previous behaviour, but new scripts that used the wrong format may now need to have the RSYSLOG_ForwardingFormat template explicitly applied.
closes: https://github.com/rsyslog/rsyslog/issues/50
- bugfix: ompipe did emit many suspension messages for /dev/xconsole
(hopefully now) closes: https://github.com/rsyslog/rsyslog/issues/35
When it was present, but nobody reading from it. The problem is the way the rsyslog v7 engine tries to resolve failures in outputs. It does some retries, and along those lines some state information gets lost and it is close to impossible to retain it. However, the actual root problem is that ompipe does not reliably detect if it is able to recover. The problem here is that it actually does not know this before it does an actual write. These two things together mess up the logic that suppresses invalid resumption/suspension messages (actually, the plugin switches state really that often). Nevertheless, the prime problem with /dev/xconsole (and probably most other pipes as well) is that it gets full. So I have now added code that checks, during resume processing, if the pipe is writable. If it is not, resume is deferred. That should address the case.
rsyslog 7.6.2 (v7-stable) released
http://www.rsyslog.com/changelog-for-7-6-2-v7-stable/
Download:
http://www.rsyslog.com/downloads/download-v7-stable/
As always, feedback is appreciated.
Best regards,
Florian Riedl