[linux-security] Re: [RHSA-1999:055-01] Denial of service attack in syslogd
- From: Olaf Kirch <okir monad swb de>
- To: Pavel Kankovsky <peak argo troja mff cuni cz>
- Cc: S/lawek /Lawicki <slawicki unisoft com pl>, linux-security redhat com
- Subject: [linux-security] Re: [RHSA-1999:055-01] Denial of service attack in syslogd
- Date: Wed, 24 Nov 1999 09:45:33 +0100
On Mon, Nov 22, 1999 at 09:46:23PM +0100, Pavel Kankovsky wrote:
> The syslogd client in question (mail daemon?) continues using the obsolete
> communication protocol that does not work any longer because:
> 1. has not been restarted to load the new libc.so, 2. is statically linked
> with an old version of libc, 3. is using its own implementation of
> syslog().
#1 is the most likely reason. While the syslog implementation in glibc2
tries to be smart and supports both stream and dgram sockets, it will
lose one message when you do the switch. Now if you're using sendmail
in daemon mode, the parent usually will not have done any syslogging
since startup (i.e. way before the upgrade). Now if a mail comes in,
it forks, and when trying to log a line to syslog trips over the changed
logging protocol, and loses the first message.
#3 could have been an issue with PAM but thankfully it does use the
standard syslog from glibc.
It's always a good idea to reboot your machine if you've restarted
(rather than sighupped!) syslogd, let alone upgraded it.
[mod: Let me add that you COULD manually restart all daemons that use
syslog, but you really need to know what you're doing. -- REW]
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir monad swb de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir caldera de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
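
The lost first message described in the reply above can be reproduced with a small model, added here as an illustration (not code from the post or from glibc). `LogClient` and `demo` are hypothetical names, a temporary path stands in for `/dev/log`, and the switch is assumed to go from a stream to a datagram socket.

```python
import os
import socket
import tempfile

class LogClient:
    """Model of a syslog() caller that caches one socket (not glibc's code)."""
    def __init__(self, path):
        self.path, self.sock = path, None

    def connect(self):
        # Datagram first; a socket-type mismatch falls back to stream.
        try:
            self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
            self.sock.connect(self.path)
        except OSError:
            self.sock.close()
            self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            self.sock.connect(self.path)

    def log(self, msg):
        """Return True if msg reached the daemon's socket, False if it was lost."""
        try:
            if self.sock is None:
                self.connect()
            self.sock.send(msg)
            return True
        except OSError:
            # Stale socket: drop it. This message is lost; the next call reconnects.
            if self.sock is not None:
                self.sock.close()
            self.sock = None
            return False

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "log")      # constructed stand-in for /dev/log
        old = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        old.bind(path)
        old.listen(1)
        client = LogClient(path)
        client.connect()                   # long-running parent opens its socket at startup
        conn, _ = old.accept()
        # Upgrade: the old daemon exits, the new one binds the same path as datagram.
        conn.close()
        old.close()
        os.unlink(path)
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as new:
            new.bind(path)
            new.settimeout(1)
            results = [client.log(b"first"), client.log(b"second")]
            return results, new.recv(1024)
```

`demo()` returns the outcome of the two `log()` calls and the one message the new datagram socket actually received: the first call fails on the stale stream socket, the second reconnects and gets through.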