| Package | syslog-ng |
|---|---|
| Version | 3.8.1-10+deb9u2 (stretch), 3.19.1-5+deb10u2 (buster) |
| Related CVEs | CVE-2024-47619 |
Syslog-ng, a widely used logging service, was found to be vulnerable due to improper handling of wildcard certificates during TLS authentication. Specifically, the function `tls_wildcard_match()` incorrectly accepted certificate patterns like `foo.*.bar`, which violate standard wildcard rules and should not be permitted. Additionally, partial wildcard patterns such as `foo.a*c.bar` were matched by GLib, further weakening the authentication mechanism.
This flaw could allow a monster-in-the-middle attacker to impersonate legitimate endpoints, compromising the integrity of secure logging. Such wildcard mismatches must be explicitly rejected to ensure robust TLS validation.
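For illustration, here is an added strict hostname matcher (not syslog-ng's own code; the function name `tls_name_matches()` is hypothetical) that rejects both pattern shapes named above and only honours a `*` that forms the entire leftmost label of the certificate name:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical strict matcher, added as an example. Rules enforced:
 *  - at most one '*', and only as the whole leftmost label ("*.example.com");
 *  - "foo.*.bar" (wildcard in an inner label) and "foo.a*c.bar"
 *    (partial-label wildcard) are rejected outright;
 *  - the wildcard matches exactly one non-empty label, never "a.b";
 *  - at least two literal labels must follow the wildcard (no "*.com");
 *  - comparison is case-insensitive, as DNS names are.
 */
static bool ci_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

bool tls_name_matches(const char *pattern, const char *hostname)
{
    const char *star = strchr(pattern, '*');

    /* No wildcard at all: plain case-insensitive equality. */
    if (star == NULL)
        return ci_eq(pattern, strlen(pattern), hostname, strlen(hostname));

    /* '*' must be the first character, immediately followed by '.',
     * and must be the only '*' in the pattern. This rejects
     * "foo.*.bar", "foo.a*c.bar", "*foo.bar" and "**.bar". */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return false;

    const char *suffix = pattern + 1;            /* e.g. ".example.com" */
    /* Require at least two literal labels after the wildcard. */
    if (strchr(suffix + 1, '.') == NULL)
        return false;

    /* The hostname's first label must be non-empty and contain no '.',
     * and everything after it must equal the pattern suffix. */
    const char *dot = strchr(hostname, '.');
    if (dot == NULL || dot == hostname)
        return false;
    return ci_eq(suffix, strlen(suffix), dot, strlen(dot));
}
```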
For Debian 10 buster, these problems have been fixed in version 3.19.1-5+deb10u2.
For Debian 9 stretch, these problems have been fixed in version 3.8.1-10+deb9u2.
We recommend that you upgrade your syslog-ng packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.