Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1120690}), syslog-ng@packages.debian.org (additional cc recipient for {1120690}): Bug#1120690; Package release.debian.org.
(Fri, 14 Nov 2025 18:45:03 GMT)
Acknowledgement sent
to Jochen Sprickerhof <jspricke@debian.org>:
New Bug report received and forwarded. Copy sent to syslog-ng@packages.debian.org, debian-release@lists.debian.org.
(Fri, 14 Nov 2025 18:45:03 GMT)
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: syslog-ng@packages.debian.org
Control: affects -1 + src:syslog-ng
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
This fixes CVE-2024-47619 in bookworm. It was tagged no-dsa but it would
still be good to have it fixed as it was fixed in older and newer releases.
[ Impact ]
Wildcard hostnames are not correctly checked in TLS certificates. Also,
this would be a regression for users upgrading from older releases.
[ Tests ]
There are a number of new unit tests from the upstream commit and I ran
autopkgtest and other tests.
[ Risks ]
Low, the same patch is already rolled out in older releases and only
modifies one specific function. Given that TLS certificates are
regularly rotated anyway I expect stricter checks to be useful.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
The hostname check is extended to catch more invalid cases and how
special characters are treated. Also a number of unit tests are added.
Added indication that 1120690 affects src:syslog-ng
Request was from Jochen Sprickerhof <jspricke@debian.org>
to submit@bugs.debian.org.
(Fri, 14 Nov 2025 18:45:03 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1120690}): Bug#1120690; Package release.debian.org.
(Sat, 06 Dec 2025 11:41:03 GMT)
Acknowledgement sent
to Adam D Barratt <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org.
(Sat, 06 Dec 2025 11:41:03 GMT)
Subject: syslog-ng 3.38.1-5+deb12u1 flagged for acceptance
Date: Sat, 06 Dec 2025 11:38:58 +0000
package release.debian.org
tags 1120690 = bookworm pending
thanks
Hi,
The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.
Thanks for your contribution!
Upload details
==============
Package: syslog-ng
Version: 3.38.1-5+deb12u1
Explanation: fix incorrect wildcard matching in certificate names [CVE-2024-47619]
Added tag(s) pending.
Request was from Adam D Barratt <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Sat, 06 Dec 2025 11:41:09 GMT)
Message sent on
to Jochen Sprickerhof <jspricke@debian.org>:
Bug#1120690.
(Sat, 06 Dec 2025 11:41:13 GMT)