SUSE-SU-2022:2314-1: important: Security update for rsyslog

sle-updates at lists.suse.com sle-updates at lists.suse.com
Thu Jul 7 07:17:52 UTC 2022


   SUSE Security Update: Security update for rsyslog
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:2314-1
Rating:             important
References:         #1051798 #1068678 #1080238 #1082318 #1101642 
                    #1110456 #1160414 #1178288 #1178490 #1182653 
                    #1188039 #1199061 SLE-23304 
Cross-References:   CVE-2022-24903
CVSS scores:
                    CVE-2022-24903 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-24903 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that solves one vulnerability, contains one
   feature and has 11 fixes is now available.

Description:

   This update for rsyslog fixes the following issues:

   - CVE-2022-24903: fix potential heap buffer overflow in modules for TCP
     syslog reception (bsc#1199061)

   Upgrade to rsyslog 8.2106.0 (bsc#1188039)

     * NOTE: the prime new feature is support for TLS and non-TLS connections
       via imtcp in parallel. Furthermore, most TLS parameters can now be
       overriden at the input() level. The notable exceptions are certificate
       files, something that is due to be implemented as next step.
     * 2021-06-14: new global option "parser.supportCompressionExtension"
       This permits to turn off rsyslog's single-message compression
       extension when it interferes with non-syslog message processing (the
       parser subsystem expects syslog messages, not generic text) closes
       https://github.com/rsyslog/rsyslog/issues/4598
     * 2021-05-12: imtcp: add more override config params to input() It is
       now possible to override all module parameters at the input() level.
       Module parameters serve as defaults. Existing configs need no
       modification.
     * 2021-05-06: imtcp: add stream driver parameter to input()
       configuration This permits to have different inputs use different
       stream drivers and stream driver parameters. closes
       https://github.com/rsyslog/rsyslog/issues/3727
     * 2021-04-29: imtcp: permit to run multiple inputs in parallel
       Previously, a single server was used to run all imtcp inputs. This had
       a couple of drawsbacks. First and foremost, we could not use different
       stream drivers in the varios inputs. This patch now provides a
       baseline to do that, but does still not implement the capability (in
       this sense it is a staging patch). Secondly, we now ensure that each
       input has at least one exclusive thread for processing, untangling the
       performance of multiple inputs from each other. see also:
       https://github.com/rsyslog/rsyslog/issues/3727
     * 2021-04-27: tcpsrv bugfix: potential sluggishnes and hang on shutdown
       tcpsrv is used by multiple other modules (imtcp, imdiag, imgssapi,
       and, in theory, also others - even ones we do not know about).
       However, the internal synchornization did not properly take multiple
       tcpsrv users in consideration. As such, a single user could hang under
       some circumstances. This was caused by improperly awaking all users
       from a pthread condition wait. That in turn could lead to some
       sluggish behaviour and, in rare cases, a hang at shutdown. Note: it
       was highly unlikely to experience real problems with the
       officially provided modules.
     * 2021-04-22: refactoring of syslog/tcp driver parameter passing This
       has now been generalized to a parameter block, which makes it much
       cleaner and also easier to add new parameters in the future.
     * 2021-04-22: config script: add re_match_i() and re_extract_i()
       functions This provides case-insensitive regex functionality. closes
       https://github.com/rsyslog/rsyslog/issues/4429

   - Update to rsyslog 8.2104.0:
     * rainerscript: call getgrnam_r repeatedly to get all group members
     * new contributed module imhiredis
     * new built-in function get_property() to access property vars
     * mmdblookup: add support for mmdb DB reload on HUP
     * script bugfix: empty array in foreach() improperly handled
     * imjournal bugfixes (handle leak, empty file)
     * new contributed function module fmunflatten
     * test bugfix: some tests did not work with newer TLS library versions
     * some improvements to project CI

   - Update to rsyslog 8.2102.0:
     * omfwd: add stats counter for sent bytes
     * omfwd: add error reporting configuration option
     * action stats counter bugfix: failure count was not properly incremented
     * action stats counter bugfix: resume count was not incremented
     * omfwd bugfix: segfault or error if port not given
     * lookup table bugfix: data race on lookup table reload
     * testbench modernization
     * testbench: fix invalid sequence of kafka tests runs
     * testbench: fix kafkacat issues
     * testbench: fix year-dependendt clickhouse test

   - Update to rsyslog 8.2012.0:
     * testbench bugfix: some tests did not work in make distcheck
     * immark: rewrite with many improvements
     * usability: re-phrase error message to help users better understand
       cause
     * add new system property $now-unixtimestamp
     * omfwd: add new rate limit option
     * omfwd bug: param "StreamDriver.PermitExpiredCerts" is not "off" by
       default

   - Update to rsyslog 8.2010.0:
     * gnutls TLS subsystem bugfix: handshake error handling
     * core/msg bugfix: memory leak
     * core/msg bugfix: segfault in jsonPathFindNext() when root not an object
     * openssl TLS subsystem: improvments of error and status messages
     * add 'exists()' script function to check if variable exists
     * core bugfix: do not create empty JSON objects on non-existent key
       access
     * gnutls subsysem bugfix: potential hang on session closure
     * core/network bugfix: obey net.enableDNS=off when querying local
       hostname
     * core bugfix: potential segfault on query of PROGRAMNAME property
     * imtcp bugfix: broken connection not necessariy detected
     * new module: imhttp - http input
     * mmdarwin bugfix: potential zero uuid when reusing existing one
     * imdocker bugfix: build issue on some platforms
     * omudpspoof bugfix: make compatbile with Solaris build
     * testbench fix: python 3 incompatibility
     * core bugfix: segfault if disk-queue file cannot be created
     * cosmetic: fix dummy module name in debug output
     * config bugfix: intended warning emitted as error

   - Update to rsyslog 8.39.0
     * imfile: improve truncation detection
     * imjournal: work around journald excessive reloading behavior
     * errmsg: remove no longer needed code
     * queue bugfix: invalid error message on queue startup
     * bugfix imrelp: regression with legacy configuration startup fail
     * bugfix imudp: stall of connection and/or potential segfault
     * bugfix gcry crypto driver: small memleak
     * fix potential misadressing in encryption subsystem
     * ksi subsystem changes
     * bugfix core: regex compile error messages could be incorrect
     * bugfix core: potential hang on rsyslog termination
     * bugfix imkafka: system hang when backgrounded
     * bugfix imfile: file change was not reliably detected
     * bugfix imrelp: do not fail build if librelp does not have
       relpSrvSetLstnAddr
     * bugfix queue subsystem: DA queue did ignore encryption settings
     * bugfix KSI: lmsig-ksils12 module skips signing the last block
     * bugfix fmhash: function hash64mod sometimes returned wrong result
     * bugfix core/debug: data written to random fd 2 under some debug
       settings

   - Update to rsyslog 8.38.0:
     * imfile: support for endmsg.regex
     * omhttp: new contribued module
     * imrelp: add support for seting address to bind to (#894)
     * ommysql: support mysql unix domain socket
     * omusrmsg: do not fall back to max username length of 8
     * various bug fixes and minor updates to other modules and core
     * various fixes for memory leaks

   - Update to rsyslog 8.36.0:
     * Liblogging-stdlog deprecated
     * OpenSSL based TLS driver added in addition to GnuTLS
     * GnuTLS TLS driver: support intermediate certificates
     * imptcp: add ability to configure socket backlog
     * fmhash: new hash function module
     * updates and fixes to various modules
     * omfwd: add support for bind-to-address for UDP
     * mmkubernetes: new module

   - Update to rsyslog 8.33.1:
     * devcontainer: use some more sensible defaults
     * auto-detect if running inside a container (as pid 1)
     * config: add include() script object
     * template: add option to generate json "container"
     * core/template: add format jsonf to constant template entries
     * config: add ability to disable config parameter ("config.enable")
     * script: permit to use environment variables during configuration
     * new global config parameter "shutdown.enable.ctlc"
     * config optimizer: detect totally empty "if" statements and optimize
       them out
     * template: constant entry can now also be formatted as json field
     * omstdout: support for new-style configuration parameters added
     * core: set TZ on startup if not already set
     * imjournal bugfix: file handle leak during journal rotation
     * lmsig_ksils12 bugfix: dirOwner and dirGroup config was not respected
     * script bugfix: replace() function worked incorrectly in some cases
     * core bugfix: misadressing in external command parser
     * core bugfix: small memory leak in external command parser
     * core bugfix: string not properly terminated when RFC5424 MSGID is used
     * bugfix: strndup() compatibility layer func copies too much

   - Update to rsyslog 8.32.0
     * libfastjson 0.99.8 required
     * libczmq >= 3.0.2 is now required for omczmq
     * libcurl is now needed for rsyslog core
     * rsyslogd: add capability to specify that no pid file shall be written
     * core improvements and bug fixes
     * RainerScript improvements and bug fixes
     * build fixes, including gcc7 fixes
     * various bug fixes in multiple modules
     * imudp: fix segfault in ratelimit code

   - Update to rsyslog 8.30.0
     * changed behaviour: all variables are now case-insensitive by default
     * core: handle (JSON) variables in case-insensitive way
     * imjournal: made switching to persistent journal in runtime possible
     * mmanon: complete refactor and enhancements
     * imfile: add "fileoffset" metadata
     * RainerScript: add ltrim and rtrim functions
     * core: report module name when suspending action
     * core: add ability to limit number of error messages going to stderr
     * tcpsrv subsystem: improvate clarity of some error messages
     * imptcp: include module name in error msg
     * imtcp: include module name in error msg
     * tls improvement: better error message if certificate file cannot be
       read
     * omfwd: slightly improved error messages during config parsing
     * ommysql improvements
     * ommysql bugfix: do not duplicate entries on failed transaction
     * imtcp bugfix: parameter priorityString was ignored
     * template/bugfix: invalid template option conflict detection
     * core/actions: fix handling of data-induced errors
     * core/action bugfix: no "action suspended" message during retry
       processing
     * core/action: if commitTransaction fails, try individual messages
     * core/ratelimit bugfix: race can lead to segfault
     * core bugfix: rsyslog aborts if errmsg is generated in early startup
     * core bugfix: informational messages was logged with error severity
     * core bugfix: --enable-debugless build was broken
     * queue bugfix: file write error message was incorrect
     * omrelp bugfix:  segfault when rebindinterval parameter is used
     * omkafka bugfix: invalid load of failedmsg file on startup if disabled
     * kafka bugfix: problem on invalid kafka configuration values
     * imudp bugfix: UDP oversize message not properly handled
     * core bugfix: memory corruption during configuration parsing
     * core bugfix: race on worker thread termination during shutdown
     * omelasticsearch: avoid ES5 warnings while sending json in bulkmode
     * omelasticsearch bugfix: incompatibility with newer ElasticSearch
       version
     * imptcp bugfix: invalid mutex addressing on some platforms
     * imptcp bugfix: do not accept missing port in legacy listener definition

   - Update to rsyslog 8.29.0:
     * imptcp: add experimental parameter "multiline"
     * imptcp: framing-related error messages now also indicate remote peer
     * imtcp: framing-related error messages now also indicate remote peer
     * imptcp: add session statistics conunter
     * imtcp: add ability to specify GnuTLS priority string
     * impstats: add new ressoure counter "openfiles"
     * pmnormalize: new parser module
     * core/queue: provide informational messages on thread startup and
       shutdown
     * omfwd/udp: improve error reporting, depricate maxerrormessages
       parameter
     * core: add parameters debug.file and debug.whitelist
     * core/net.c: improve UDP socket creation error messages
     * omfwd/udp: add "udp.sendbuf" parameter
     * core: make rsyslog internal message rate-limiter configurable
     * omelasticsearch bugfixes and changed ES5 API support
       + avoid 404 during health check
       + avoid ES5 warnings while sending json
       + bugfix for memomry leak while writing error file
     * imfile bugfix: wildcard detection issue on path wildcards
     * omfwd bugfix: always give reason for suspension
     * omfwd bugfix: configured compression level was not properly used
     * imptcp bugfix: potential socket leak on session shutdown
     * omfwd/omudpspoof bugfix: switch udp client sockets to nonblocking mode
     * imklog: fix permitnonkernelfacility not working
     * impstats bugfix: impstats does not handle HUP
     * core bugfix: segfault after configuration errors
     * core/queue bugfixes
     * lmsig_ksi: removed pre-KSI_LS12 components

   - Update to rsyslog 8.28.0
     * omfwd: add parameter "tcp_frameDelimiter"
     * omkafka: large refactor of kafka subsystem
     * imfile: improved handling of atomically renamed file (w/ wildcards)
     * imfile: add capability to truncate oversize messages or split into
       multiple
     * mmdblookup fixes and extensions
     * bugfix: fixed multiple memory leaks
     * imptcp: add new parameter "flowControl"
     * imrelp: add "maxDataSize" config parameter
     * multiple modules: gtls: improve error if certificate file can't be
       opened
     * omsnare: allow different tab escapes
     * omelasticsearch: converted to use libfastjson instead of json-c
     * imjournal: _PID fallback
     * added fallback for _PID proprety when SYSLOG_PID is not available
     * introduced new option "usepid" which sets which property should
       rsyslog use, it has 3 states system|syslog|both, default is both
     * deprecated "usepidfromsystem" option, still can be used and override
       the "usepid"
     * it is possible to revert previous default with usepid="syslog"
     * multiple modules: add better error messages when regcomp is failing
     * omhiredis: fix build warnings
     * imfile bugfix: files mv-ed in into directory were not handled
     * omprog bugfix: execve() incorrectly called
     * imfile bugfix: multiline timeout did not work if state file exists
     * lmsig_ksi-ls12 bugfix: build problems on some platforms
     * core bugfix: invalid object type assertion
     * regression fix: local hostname was not always detected properly...
     * bugfix: format security issues in zmq3 modules
     * bugfix build system: add libksi only to those binaries that need it
     * bugfix KSI ls12 components: invalid tree height calculation
     * bugfix imfile: fix multiline timeout code

   - Update to rsyslog 8.27.0
   - imkafka: add module
   - imptcp enhancements:
     * optionally emit an error message if incoming messages are truncated
     * optionally emit connection tracking message (on connection create and
       close)
     * add "maxFrameSize" parameter to specify the maximum size permitted in
       octet-counted mode
     * add parameter "discardTruncatedMsg" to permit truncation of
       oversize messages
     * improve octect-counted mode detection: if the octet count is larger
       then the set frame size (or overly large in general), it is now
       assumed that octet-stuffing mode is used. This probably solves a
       number of issues seen in real deployments.
   - imtcp enhancements:
     * add parameter "discardTruncatedMsg" to permit truncation of
       oversize messages
     * add "maxFrameSize" parameter to specify the maximum size permitted in
       octet-counted mode
   - imfile bugfix: "file not found error" repeatedly being reported for
     configured non-existing file. In polling mode, this message appeared
     once in each polling cycle, causing a potentially very large amout of
     error messages. Note that they were usually emitted too infrequently to
     trigger the error message rate limiter, albeit often enough to be a
     major annoance.
   - imfile: in inotify mode, add error message if configured file cannot be
     found
   - imfile: add parameter "fileNotFoundError" to optinally disable "file not
     found" error messages
   - core: replaced gethostbyname() with getaddrinfo() call Gethostbyname()
     is generally considered obsolete, is not reentrant and cannot really
     work with IPv6. Changed the only place in rsyslog where this call
     remained. Thanks to github user jvymazal for the patch
   - omkafka: add "origin" field to stats output See also
     https://github.com/rsyslog/rsyslog/issues/1508 Thanks to Yury Bushmelev
     for providing the patch.
   - imuxsock: rate-limiting also uses process name both for the actual limit
     procesing as well as warning messages emitted see also
     https://github.com/rsyslog/rsyslog/pull/1520 Thanks to github user
     jvymazal for the patch
   - Added new module: KSI log signing ver. 1.2 (lmsig_ksi_ls12)
   - rsylsog base functionality now builds on osx (Mac) Thanks to github user
     hdatma for his help in getting this done.
   - build now works on solaris again
   - imfile: fix cross-platform build issue see also
     https://github.com/rsyslog/rsyslog/issues/1494 Thanks to Felix Janda for
     bug report and solution suggestion.
   - bugfix core: segfault when no parser could parse message
   - core bugfix: memory leak when internal messages not processed internally

   - Update to rsyslog 8.26.0:
     * liblognorm 2.0.3 is required for mmnormalize
     * enable internal error messages at all times
     * core: added logging name of source of rate-limited messages
     * omfwd: omfwd: add support for network namespaces
     * imrelp: honor input name if provided when submitting to impstats
     * imptcp: add ability to set owner/group/access perms for uds
     * mmnormalize: add ability to load a rulebase from action() parameter
     * pmrfc3164 improvements
       + permit to ignore leading space in MSG
       + permit to use at-sign in host names
       + permit to require tag to end in colon
     * add new global parameter "umask"
     * core: make use of -T command line option more secure
     * omfile: add error if both file and dynafile are set
     * bugfix: build problem on MacOS (not a supported platform)
     * regression fix: in 8.25, str2num() returned error on empty string
     * bugfix omsnmp: improper handling of new-style configuration parameters
     * bugfix: rsyslog identifies itself as "liblogging-stdlog" in internal
       messages
     * bugfix imfile: wrong files were monitored when using multiple imfile
       inputs
     * bugfix: setting net.aclResolveHostname/net.acladdhostnameonfail
       segfaults
     * bugfix: immark emitted error messages with text "imuxsock"
     * bugfix tcpflood: build failed if RELP was disabled
     * fix gcc6 compiler warnings
     * the output module array passing interface has been removed

   - Update to rsyslog 8.25.0:
     * imfile: add support for wildcards in directory names
     * add new global option "parser.PermitSlashInProgramname"
     * mmdblookup: fix build issues, code cleanup
     * improved debug output for queue corruption cases
     * an error message is now displayed when a directory owner cannot be set
     * rainerscript: add new function ipv42num
     * rainerscript: add new function num2ipv4
     * bugfix: ratelimiter does not work correctly is time is set back
     * core: fix potential message loss in old-style transactional interface
     * bugfix queue subsystem: queue corrupted if certain msg props are used
     * bugfix imjournal: fixed situation when time goes backwards
     * bugfix: bFlushOnTxEnd == 0 not honored when writing w/o async writer
     * bugfix core: str2num mishandling empty strings
     * bugfix rainerscript: set/unset statement do not check variable name
       validity
     * bugfix mmrm1stspace: last character of rawmsg property was doubled
     * bugfix imtcp: fix very small (cosmetic) memory leak
     * However, the leak breaks memleak checks in the testbench.
     * fix segfault in libc


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-2314=1



Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      rsyslog-8.2106.0-8.5.2
      rsyslog-debuginfo-8.2106.0-8.5.2
      rsyslog-debugsource-8.2106.0-8.5.2
      rsyslog-diag-tools-8.2106.0-8.5.2
      rsyslog-diag-tools-debuginfo-8.2106.0-8.5.2
      rsyslog-doc-8.2106.0-8.5.2
      rsyslog-module-gssapi-8.2106.0-8.5.2
      rsyslog-module-gssapi-debuginfo-8.2106.0-8.5.2
      rsyslog-module-gtls-8.2106.0-8.5.2
      rsyslog-module-gtls-debuginfo-8.2106.0-8.5.2
      rsyslog-module-mmnormalize-8.2106.0-8.5.2
      rsyslog-module-mmnormalize-debuginfo-8.2106.0-8.5.2
      rsyslog-module-mysql-8.2106.0-8.5.2
      rsyslog-module-mysql-debuginfo-8.2106.0-8.5.2
      rsyslog-module-pgsql-8.2106.0-8.5.2
      rsyslog-module-pgsql-debuginfo-8.2106.0-8.5.2
      rsyslog-module-relp-8.2106.0-8.5.2
      rsyslog-module-relp-debuginfo-8.2106.0-8.5.2
      rsyslog-module-snmp-8.2106.0-8.5.2
      rsyslog-module-snmp-debuginfo-8.2106.0-8.5.2
      rsyslog-module-udpspoof-8.2106.0-8.5.2
      rsyslog-module-udpspoof-debuginfo-8.2106.0-8.5.2


References:

   https://www.suse.com/security/cve/CVE-2022-24903.html
   https://bugzilla.suse.com/1051798
   https://bugzilla.suse.com/1068678
   https://bugzilla.suse.com/1080238
   https://bugzilla.suse.com/1082318
   https://bugzilla.suse.com/1101642
   https://bugzilla.suse.com/1110456
   https://bugzilla.suse.com/1160414
   https://bugzilla.suse.com/1178288
   https://bugzilla.suse.com/1178490
   https://bugzilla.suse.com/1182653
   https://bugzilla.suse.com/1188039
   https://bugzilla.suse.com/1199061



More information about the sle-updates mailing list