Last week, we released syslog-ng 4.8.2, containing a CVE fix along with improvements to the Elasticsearch and S3 destinations. As such, an upgrade is highly recommended. Version 4.8.3 does not bring any code changes, just a fix to the release process.
So, why the new release? The “official” syslog-ng source release is generated by a script from syslog-ng sources on GitHub and includes Makefiles, a configure script and man pages. This source is used by most Linux distributions and BSD variants, and the 4.8.2 release includes everything it needs to include. Read my blog about DBLD for more details at https://www.syslog-ng.com/community/b/blog/posts/dbld-a-syslog-ng-developer-tool-not-just-for-developers
However, if you take a look at the release notes at https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2 you see two more files under assets: “Source code (zip)” and “Source code (tar.gz)”. These archives are unmodified snapshots of the git repository, taken when the given release was tagged. We considered it to be just a byproduct of the release, but as we learned soon after the release, these files are actually used by the Debian project to build syslog-ng packages. Unfortunately, due to the master → develop change in the syslog-ng repository, the wrong commit was tagged, so these files did not include the CVE fix and the version upgrade.
Long story short: if you use the generated source release tgz, you do not need to upgrade from 4.8.2 to 4.8.3. However, if you use the snapshot archives, then use the 4.8.3 release. This also means that the openSUSE / SLES, Fedora/RHEL and FreeBSD packages will stay at 4.8.2. For them, the next upgrade will be 4.9.0.