OpenBSD's syslogd (Tested on OpenBSD 2.9 - 3.2, i386 only) seems to have a bug that might lead to false information on a remote syslog-server. The problem can be reproduced by changing the machines IP using ifconfig and NOT rebooting the whole machine. Though the machine should not use the old IP anymore, packets from syslogd to the remote syslog-server (514/UDP) originate with the OLD source IP, the OpenBSD machine had before ifconfig. Though this is not a severe security issue which leads into a compromise of the system itself, it is an issue that leads into false information on the remote syslogd server, because the packets seem to originate from an address they are not really coming from. This might for example result in ID-systems reporting alarms from the wrong server or even worse not report alarms at all, depending on the configuration. The people at OpenBSD have been informed about this today via sendbug(1), but the Bug Tracking System seems to be disabled at the moment. T. ------------------------------ Torsten Valentin General Manager SecuLution GmbH Friedenstr. 3b 59199 Bönen Germany E-Mail: info@4ss.de http://www.4ss.de
