Hi, I'm writing this mail to announce that syslog-ng 1.4.x and 1.5.x are both vulnerable to a buffer overflow. Exploiting the bug needs a site specific exploit to be written, as the way the buffer is overwritten depends on the local configuration file. The buffer overflow can be triggered when templated output files or filename templates are used. Everybody is urged to upgrade to 1.4.16 or 1.5.21, these are available at the usual place, http://www.balabit.hu/en/downloads/syslog-ng/downloads/ The bug was found be me, so possibly nobody else knows the details. Of course diffing the new version with the previous one unveils the problem. Bugtraq announcement will be sent out soon. Debian package has been released and accepted (though mirrors need time to get the new one) ps: sigh, this was my first BoF :( -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1