[1/2] syslog-ng: bump version to 4.3.1

Message ID 20230911085000.559230-1-judge.packham@gmail.com
State Changes Requested

Commit Message

Chris Packham Sept. 11, 2023, 8:49 a.m. UTC
Update to latest version. This includes a fix for CVE-2022-38725.

Release notes:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.3.1

Signed-off-by: Chris Packham <judge.packham@gmail.com>
---
 package/syslog-ng/syslog-ng.conf | 2 +-
 package/syslog-ng/syslog-ng.hash | 2 +-
 package/syslog-ng/syslog-ng.mk   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

Comments

Thomas Petazzoni Sept. 11, 2023, 1:52 p.m. UTC | #1
On Mon, 11 Sep 2023 20:49:59 +1200
Chris Packham <judge.packham@gmail.com> wrote:

> Update to latest version. This includes a fix for CVE-2022-38725.

So this is a security bump?

Thomas

Thomas Petazzoni Sept. 11, 2023, 7:40 p.m. UTC | #2
Hello Chris,

On Mon, 11 Sep 2023 15:52:25 +0200
Thomas Petazzoni via buildroot <buildroot@buildroot.org> wrote:

> On Mon, 11 Sep 2023 20:49:59 +1200
> Chris Packham <judge.packham@gmail.com> wrote:
> 
> > Update to latest version. This includes a fix for CVE-2022-38725.  
> 
> So this is a security bump?

Actually, are you sure it is related to CVE-2022-38725? According to
https://nvd.nist.gov/vuln/detail/CVE-2022-38725, this CVE only affects
versions up to 3.38, and we're at 4.2.0. In addition,
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.3.1
does not mention "CVE" anywhere. Could you clarify this?

Thanks!

Thomas

Chris Packham Sept. 11, 2023, 7:45 p.m. UTC | #3
On Tue, 12 Sept 2023, 7:41 am Thomas Petazzoni, <
thomas.petazzoni@bootlin.com> wrote:

> Hello Chris,
>
> On Mon, 11 Sep 2023 15:52:25 +0200
> Thomas Petazzoni via buildroot <buildroot@buildroot.org> wrote:
>
> > On Mon, 11 Sep 2023 20:49:59 +1200
> > Chris Packham <judge.packham@gmail.com> wrote:
> >
> > > Update to latest version. This includes a fix for CVE-2022-38725.
> >
> > So this is a security bump?
>
> Actually, are you sure it is related to CVE-2022-38725? According to
> https://nvd.nist.gov/vuln/detail/CVE-2022-38725, this CVE only affects
> versions up to 3.38, and we're at 4.2.0. In addition,
> https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.3.1
> does not mention "CVE" anywhere. Could you clarify this?
>

I was going on the Debian issue that said 4.3.1 was fixed. But perhaps it
was actually unaffected.

I can resubmit without the mention. My intent was just a feature bump.

Patch

diff --git a/package/syslog-ng/syslog-ng.conf b/package/syslog-ng/syslog-ng.conf
index a3cfa8dacf..06e48cdd50 100644
--- a/package/syslog-ng/syslog-ng.conf
+++ b/package/syslog-ng/syslog-ng.conf
@@ -1,4 +1,4 @@ 
-@version: 4.2
+@version: 4.3
 
 source s_sys {
 	file("/proc/kmsg" program_override("kernel"));
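Review bot: The "@version: 4.3" header is changed without any statement that the runtime check requested by the comment in syslog-ng.mk ("please check at runtime if the version in syslog-ng.conf header needs to be updated") was actually done. Please say in the commit message that syslog-ng 4.3.1 was started on a target with this configuration and that it accepted the 4.3 header, so the change is recorded as tested rather than inferred from the version number.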
diff --git a/package/syslog-ng/syslog-ng.hash b/package/syslog-ng/syslog-ng.hash
index a917331580..6841ed5eb1 100644
--- a/package/syslog-ng/syslog-ng.hash
+++ b/package/syslog-ng/syslog-ng.hash
@@ -1,5 +1,5 @@ 
 # Locally computed
-sha256  092bd17fd47002c988aebdf81d0ed3f3cfd0e82b388d2453bcaa5e67934f4dda  syslog-ng-4.2.0.tar.gz
+sha256  999dbab62982c3cffba02c0be22c596ee1ce81d6954689dc9b3a6afeb513cce3  syslog-ng-4.3.1.tar.gz
 sha256  c75dcbfc17ccf742f12042a370f825a40951085d2352dfc9d07e715dae3ca9bd  COPYING
 sha256  ce3324c9f22299cfc7c281e5a6ab40fbe9c2ea1a67cee87226cb8cd39db1e1d2  GPL.txt
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  LGPL.txt
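Review bot: The new syslog-ng-4.3.1.tar.gz hash sits under the existing "# Locally computed" comment, so it only pins whatever was downloaded on the submitter's machine and nothing in the patch ties it to the upstream release. Please confirm the value against a second, independent download from SYSLOG_NG_SITE before this is applied. The COPYING, GPL.txt and LGPL.txt hashes are left unchanged, which is only correct if those files are identical in 4.3.1; a line in the commit message confirming the licence files were rechecked would close that.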
diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk
index 39433185b4..ff5aaee429 100644
--- a/package/syslog-ng/syslog-ng.mk
+++ b/package/syslog-ng/syslog-ng.mk
@@ -6,7 +6,7 @@ 
 
 # When updating the version, please check at runtime if the version in
 # syslog-ng.conf header needs to be updated
-SYSLOG_NG_VERSION = 4.2.0
+SYSLOG_NG_VERSION = 4.3.1
 SYSLOG_NG_SITE = https://github.com/balabit/syslog-ng/releases/download/syslog-ng-$(SYSLOG_NG_VERSION)
 SYSLOG_NG_LICENSE = LGPL-2.1+ (syslog-ng core), GPL-2.0+ (modules)
 SYSLOG_NG_LICENSE_FILES = COPYING GPL.txt LGPL.txt
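Review bot: The unchanged SYSLOG_NG_SITE context line still downloads from github.com/balabit/syslog-ng, while the release notes linked in the commit message are under github.com/syslog-ng/syslog-ng; since this bump touches the version used in that URL, please point SYSLOG_NG_SITE at the same location as the release notes so the hashed tarball comes from the project's current release page. Separately, the commit message says the bump includes a fix for CVE-2022-38725, but nothing in this hunk or the rest of the patch supports that and the thread questions whether 4.2.0 was affected at all; either drop the CVE sentence or, if it does apply, mark the subject as a security bump.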