StarlingX

[Debian] CVE: CVE-2022-38725: syslog-ng: An integer overflow in the RFC3164 parser

Bug #2012868 reported by Yue Tao
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
High
ZhangXiao

Bug Description

CVE-2022-38725: https://nvd.nist.gov/vuln/detail/CVE-2022-38725

An integer overflow in the RFC3164 parser in One Identity syslog-ng 3.0 through 3.37 allows remote attackers to cause a Denial of Service via crafted syslog input that is mishandled by the tcp or network function. syslog-ng Premium Edition 7.0.30 and syslog-ng Store Box 6.10.0 are also affected.

Score:
cve_id status cvss3Score av ac pr ui ai
CVE-2022-38725 fixed 7.5 N L N N H

References:
['syslog-ng_3.28.1-2_all.deb===>syslog-ng_3.28.1-2+deb11u1_all.deb', 'syslog-ng-core_3.28.1-2_amd64.deb===>syslog-ng-core_3.28.1-2+deb11u1_amd64.deb', 'syslog-ng-mod-mongodb_3.28.1-2_amd64.deb===>syslog-ng-mod-mongodb_3.28.1-2+deb11u1_amd64.deb', 'syslog-ng-mod-sql_3.28.1-2_amd64.deb===>syslog-ng-mod-sql_3.28.1-2+deb11u1_amd64.deb']

See original description

CVE References

Yue Tao (wrytao)
information type: Public → Public Security
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
tags: added: stx.9.0 stx.security
ZhangXiao (zhangxiao-windriver)
Changed in starlingx:
assignee: nobody → ZhangXiao (zhangxiao-windriver)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/879344

Changed in starlingx:
status: Triaged → In Progress
Ghada Khalil (gkhalil)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/879344
Committed: https://opendev.org/starlingx/tools/commit/6ebfca01f4505f7e4f1d89e034e0b9382a343323
Submitter: "Zuul (22348)"
Branch: master

commit 6ebfca01f4505f7e4f1d89e034e0b9382a343323
Author: Zhang Xiao <email address hidden>
Date: Mon Apr 3 21:17:58 2023 +0800

    Debian: syslog-ng: fix CVE-2022-38725

    Upgrade packages to below version to fix CVE-2022-38725:
    syslog-ng_3.28.1-2+deb11u1_all.deb
    syslog-ng-core_3.28.1-2+deb11u1_amd64.deb
    syslog-ng-mod-mongodb_3.28.1-2+deb11u1_amd64.deb
    syslog-ng-mod-sql_3.28.1-2+deb11u1_amd64.deb

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2022-38725

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2012868

    Signed-off-by: Zhang Xiao <email address hidden>
    Change-Id: I5577da009521ac8e76abc35926d48f6a1955bc22

Changed in starlingx:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.