maintain ChangeLog

rgerhards · Sep 13, 2023 · d0f4d1b · d0f4d1b
1 parent 1b70a16
commit d0f4d1b
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,27 @@
 ----------------------------------------------------------------------------------------
 Scheduled Release 8.2310.0 (aka 2023.10) 2023-10-??
+- 2023-09-13: omprog bugfix: Add CAP_DAC_OVERRIDE to the bounding set
+  The omprog module uses the execve() function to execute
+  a third party program. Some required capabilities were not
+  preserved in the bounding set [1]. This caused problems, e.g.
+  the program could not write to files even if rsyslog was
+  executed as root and privileges were not dropped. As of now,
+  only the CAP_DAC_OVERRIDE capability is added to the bounding
+  set. Others could be added later, if there is justification
+  behind that.
+  [1] The capability bounding set is a security mechanism that
+  can be used to limit the capabilities that can be gained
+  during an execve(2). During an execve, the capability
+  bounding set is ANDed with the file permitted capability
+  set, and the result of this operation is assigned to the
+  thread's  permitted  capability  set. The capability
+  bounding set thus places a limit on the permitted
+  capabilities that may be granted by an executable file.
+  Thanks to Attila Lakatos for the patch.
+- 2023-09-13: tcpflood bugfix: plain tcp send error not properly reported
+  The error code when plain tcp sending failed was improperly returned,
+  resulting in no meaningful error message.
+  Note: tcpflood is a testbench tool, not part of production rsyslog.
 ----------------------------------------------------------------------------------------
 Scheduled Release 8.2308.0 (aka 2023.08) 2023-08-15
 - 2023-08-07: crypto subsystem bugfix: potential undefined behaviour