PT-2025-20232 · Syslog-Ng +2

Published: 2025-05-07 · Updated: 2025-09-19 · CVE-2024-47619

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: syslog-ng versions prior to 4.8.2; for Debian 11 bullseye, the syslog-ng package in versions prior to 3.28.1-2+deb11u2 (the fixed version shipped with DLA-4182-1).
Description: syslog-ng is an enhanced log daemon. Prior to version 4.8.2, the wildcard matcher used when verifying the host name in a TLS peer certificate (tls_wildcard_match()) accepts names such as foo.*.bar, i.e. a wildcard in a label other than the leftmost one, which is not allowed for certificate names. It also accepts partial wildcards such as foo.a*c.bar, which glib's glob-style pattern matching happily treats as a pattern but which a certificate validator must reject. The effect is that a certificate carrying such a name is accepted for hosts it should not cover, so the holder of a mis-issued or otherwise obtained wildcard certificate can impersonate a peer in TLS connections to or from syslog-ng (a man-in-the-middle position). The certificate still has to chain to a CA that the syslog-ng instance trusts (its ca-file()/ca-dir() configuration), so the exposure depends on how broad that trust store is.
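To make the flawed behaviour concrete, the following Python is an added illustration and is not syslog-ng's code nor part of this advisory. lax_glob_match() approximates what the advisory describes: each DNS label of the certificate name is treated as a glob pattern, with Python's fnmatch standing in for glib's pattern matching (the assumption being that both accept '*' and '?' in the same way). strict_wildcard_match() applies the RFC 6125 rules a certificate validator is expected to enforce: one wildcard at most, as the entire leftmost label, with at least two labels after it. The sample host/certificate-name pairs are constructed; they go beyond the two cases quoted in the advisory by also covering a wildcard over a public suffix ('*.com') and a multi-label host.

```python
"""Lax vs strict wildcard matching for TLS certificate host names.

Added illustration for CVE-2024-47619; this is NOT syslog-ng's code. The lax
matcher approximates the behaviour the advisory describes (each DNS label of
the certificate name treated as a glob pattern, as glib's pattern matching
does); the strict matcher applies the RFC 6125 section 6.4.3 rules.
"""
import fnmatch


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot and split it into labels."""
    return name.lower().rstrip(".").split(".")


def lax_glob_match(hostname: str, pattern: str) -> bool:
    """Vulnerable-style matcher: every label is a glob, so '*' may sit in any
    label and may be only part of a label. fnmatch stands in for glib's
    g_pattern_match_simple() here (assumption: equivalent for '*' and '?')."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        return False
    return all(fnmatch.fnmatchcase(h, p) for h, p in zip(host, pat))


def strict_wildcard_match(hostname: str, pattern: str) -> bool:
    """Hardened matcher: at most one '*', it must be the entire leftmost label,
    and at least two labels must follow it, so '*.com' is rejected as well."""
    host, pat = _labels(hostname), _labels(pattern)
    if any(not lbl for lbl in host + pat):
        return False  # empty labels ("foo..bar") never match
    if "*" not in pattern:
        return host == pat  # plain name: exact, case-insensitive comparison
    if pat[0] != "*" or any("*" in lbl for lbl in pat[1:]) or len(pat) < 3:
        return False  # wildcard not alone in the leftmost label, or too broad
    return len(host) == len(pat) and host[1:] == pat[1:]


# Constructed test pairs (host presented, name in certificate). The first two
# come from the advisory text; the rest generalise to other over-matches.
CASES = [
    ("foo.x.bar", "foo.*.bar"),            # wildcard in a middle label
    ("foo.abc.bar", "foo.a*c.bar"),        # partial wildcard inside a label
    ("example.com", "*.com"),              # wildcard over a public suffix
    ("a.b.example.com", "*.example.com"),  # wildcard covers one label only
    ("FOO.example.com", "*.example.com"),  # legitimate use, case-insensitive
    ("example.com", "*.example.com"),      # wildcard does not match bare domain
]


def compare(cases=CASES) -> dict[tuple[str, str], tuple[bool, bool]]:
    """Return {(host, pattern): (lax_result, strict_result)} for every case."""
    return {(h, p): (lax_glob_match(h, p), strict_wildcard_match(h, p))
            for h, p in cases}


def over_accepted(cases=CASES) -> list[tuple[str, str]]:
    """Pairs the lax matcher accepts but the strict one rejects: the names a
    mis-issued or attacker-obtained wildcard certificate could abuse."""
    return [k for k, (lax, strict) in compare(cases).items() if lax and not strict]


if __name__ == "__main__":
    for (h, p), (lax, strict) in compare().items():
        print(f"{p:>16} vs {h:<16} lax={lax!s:<5} strict={strict}")
    print("over-accepted by the lax matcher:", over_accepted())
```

Running the block lists every pair with both verdicts; the three pairs in over_accepted() are exactly the shapes that let an attacker's certificate pass for a host it was never issued for, while the legitimate `*.example.com` case is accepted by both matchers.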
Recommendations: For versions prior to 4.8.2, upgrade to version 4.8.2 or later. For Debian 11 bullseye, upgrade to version 3.28.1-2+deb11u2 or later. The wildcard matcher is part of the certificate verification path and has no configuration switch of its own, so the interim workaround is not to depend on it: pin the peer certificates you expect instead of relying on wildcard host-name matching (for example with syslog-ng's trusted-keys() or trusted-dn() options), and restrict which hosts can reach the TLS listeners, or which hosts syslog-ng connects to over TLS, until the fixed version is deployed.

Weakness Enumeration

CWE-295: Improper Certificate Validation

Related Identifiers

AZL-61729
AZL-61731
BDU:2025-11984
CVE-2024-47619
DLA-4182-1
GHSA-XR54-GX74-FGHG
OPENSUSE-SU-2025:15070-1

Affected Products

Astra Linux
Debian
Syslog-Ng