[2270] in linux-security and linux-alert archive
[linux-security] Re: [RHSA-1999:055-01] Denial of service attack in syslogd
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Thu Nov 25 08:56:29 1999
Date: Wed, 24 Nov 1999 09:45:33 +0100
From: Olaf Kirch <okir@monad.swb.de>
To: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
Cc: S/lawek /Lawicki <slawicki@unisoft.com.pl>, linux-security@redhat.com
Message-ID: <19991124094533.A16373@monad.swb.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <19991122214130.4AA2.0@argo.troja.mff.cuni.cz>; from Pavel Kankovsky on Mon, Nov 22, 1999 at 09:46:23PM +0100
Resent-From: linux-security@redhat.com
On Mon, Nov 22, 1999 at 09:46:23PM +0100, Pavel Kankovsky wrote:
> The syslogd client in question (mail daemon?) continues using the obsolete
> communication protocol that does not work any longer because:
> 1. has not been restarted to load the new libc.so, 2. is statically linked
> with an old version of libc, 3. is using its own implementation of
> syslog().

#1 is the most likely reason. While the syslog implementation in glibc2
tries to be smart and supports both stream and dgram sockets, it will
lose one message when you do the switch. Now if you're using sendmail
in daemon mode, the parent usually will not have done any syslogging
since startup (i.e. way before the upgrade). Now if a mail comes in,
it forks, and when trying to log a line to syslog trips over the changed
logging protocol, and loses the first message.

#3 could have been an issue with PAM but thankfully it does use the
standard syslog from glibc.

It's always a good idea to reboot your machine if you've restarted
(rather than sighupped!) syslogd, let alone upgraded it.

[mod: Let me add that you COULD manually restart all daemons that use
syslog, but you really need to know what you're doing. -- REW]

Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
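
Added example, not part of the message above and not glibc's code: a simplified Python model of the failure mode described, where a long-running client holds a connection to the old log socket, the daemon comes back with the other socket type, and the first message after the switch is dropped. The stream-to-datagram direction, the temporary socket path standing in for /dev/log, and the `LogClient` class are assumptions made for the illustration (Linux behaviour).

```python
import os, socket, tempfile

class LogClient:
    """Hypothetical model of a syslog() client that supports both socket types."""
    def __init__(self, path):
        self.path, self.sock = path, None

    def connect(self):
        # A listener of the other socket type refuses the connect
        # (EPROTOTYPE on Linux), so fall through to the next type.
        for kind in (socket.SOCK_STREAM, socket.SOCK_DGRAM):
            s = socket.socket(socket.AF_UNIX, kind)
            try:
                s.connect(self.path)
                self.sock = s
                return True
            except OSError:
                s.close()
        return False

    def log(self, msg):
        """Return True if the message was handed to the daemon."""
        if self.sock is None and not self.connect():
            return False
        try:
            self.sock.send(msg)
            return True
        except OSError:
            # Stale connection: drop it and reconnect on the NEXT call.
            # The current message is not resent, so it is lost.
            self.sock.close()
            self.sock = None
            return False

def demo():
    path = os.path.join(tempfile.mkdtemp(), "log")  # constructed stand-in for /dev/log
    old = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old.bind(path)
    old.listen(1)
    client = LogClient(path)
    client.connect()              # long-running parent connects before the upgrade
    conn, _ = old.accept()
    # "Upgrade": the stream daemon exits, the new one binds a datagram socket.
    conn.close(); old.close(); os.unlink(path)
    new = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    new.bind(path); new.settimeout(1)
    results = [client.log(b"first"), client.log(b"second")]
    return results, new.recv(1024)

if __name__ == "__main__":
    print(demo())
```

For anyone auditing logs after such an upgrade, the point is that the first event from each not-yet-restarted daemon can be missing from the record.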