CVE-2024-47619

NameCVE-2024-47619
Descriptionsyslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1104890

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
syslog-ng (PTS)bullseye (security), bullseye3.28.1-2+deb11u1vulnerable
bookworm3.38.1-5vulnerable
trixie4.8.1-4vulnerable
sid4.8.1-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
syslog-ngsource(unstable)4.8.1-51104890

Notes

https://github.com/syslog-ng/syslog-ng/security/advisories/GHSA-xr54-gx74-fghg
https://github.com/syslog-ng/syslog-ng/issues/5360
Fixed by: https://github.com/syslog-ng/syslog-ng/commit/dadfdbecde5bfe710b0a6ee5699f96926b3f9006 (develop)
Search for package or bug name: Reporting problems