RHBA-2008:0750 - Bug Fix Advisory

Topic

An updated logwatch package that fixes several bugs and adds an
enhancement is now available.

Description

Logwatch is a customizable log-analysis system. Logwatch parses through
your system's logs for a given period of time, and creates a report
analyzing the areas that you specify, in as much detail as you require.

This updated package fixes the following bugs:

• logwatch did not recognize certain types of "try_tls" messages from

sendmail. logwatch handled them as an unmatched entries. In this updated
package, these types of "try_tls" message are ignored.

• some logwatch services weren't able to handle log directories correctly

when the '--logdir' option was used. In this updated package, the log
directory is correctly handled.

• logwatch changed the case of the log directory as defined by the

'--logdir' option. For example, if "LogDir = /ABC" was configured in the
"logwatch.conf" configuration file, logwatch tried to access "/abc". In
this updated package, logwatch no longer changes the case of the log
directory, which resolves this issue.

• multiple warnings, similar to the following, were generated for Postfix:

statistics: max connection rate 1/60s for (smtp:[IP-address])
statistics: max connection count 1 for (smtp:[IP-address])
statistics: max cache size 1

These warnings were most noticeable on servers under high load. In this
updated package, such warnings are now ignored.

• logwatch incorrectly categorized certain sendmail messages as "Unmatched

Entries"; the logs are now parsed or ignored depending on their information
value.

• if the "/tmp" directory have not enough space to logwatch auxiliary files

(and the 'tmpdir' option was not used) then logwatch might have slowed and
filled all available free space. This could have caused services, such as
httpd, to no longer serve requests. logwatch now tests for this situation,
and terminates if it occurs.

• logwatch did not handle the format of OpenBSD's OpenSSH logs in newer

versions of the openssh packages. This caused certain entries to appear as
"**Unmatched Entries**". In this updated package, these logs are handled
correctly, which resolves this issue.

• logwatch did not handle PAM authentication errors from SSH. This caused

logwatch to report errors similar to the following:

Use of uninitialized value in hash element at
/etc/log.d/scripts/services/sshd line 174, [STDIN] line 1.

In this updated package, such errors are handled correctly, and these
situations logwatch reports:

Cannot release PAM authentication: Authentication failure for
[user] from [hostname] : [x] Time(s)

• As well, when using split hosts, if logs from "machine0" were sent to

"machine1", and were processed by logwatch on "machine1", the email from
logwatch had the subject "LogWatch for machine0", instead of "machine1". In
this updated package, the subject contains "LogWatch run on [x]", where [x]
is the name of the machine logwatch was run on.

Users of logwatch are advised to upgrade to this updated package, which
resolves these issues and adds this enhancement.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

• BZ - 204056 - Logwatch does not recognise try_tls messages from sendmail
• BZ - 204434 - email title is wrong when using splithosts
• BZ - 205096 - should have relative paths in default config and should make sensible use of absolute paths
• BZ - 205104 - Should not change the case of $logdir
• BZ - 205238 - Too much postfix noise after U4
• BZ - 227805 - New sshd logs not processed correctly

CVEs

(none)

References

(none)