Main Vulnerability Database SB2014101517

SB2014101517 - SUSE Linux update for rsyslog

Published: October 15, 2014

Security Bulletin ID SB2014101517

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2014-3634)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

rsyslog before 7.6.6 and 8.x before 8.4.1 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash), possibly execute arbitrary code, or have other unspecified impact via a crafted priority (PRI) value that triggers an out-of-bounds array access.

2) Input validation error (CVE-ID: CVE-2014-3683)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (crash) via a large priority (PRI) value.

Remediation

Install update from vendor's website.

References

https://lists.opensuse.org/opensuse-security-announce/2014-10/msg00005.html