Your message dated Wed, 27 May 2026 20:35:44 +0200
with message-id <[email protected]>
and subject line Re: Accepted lwip 2.2.1+dfsg1-5 (source) into unstable
has caused the Debian Bug report #1137526,
regarding lwip: CVE-2026-8836
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137526: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137526
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lwip
Version: 2.2.1+dfsg1-1
Severity: important
Tags: security upstream
Forwarded: https://savannah.nongnu.org/bugs/?68194
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for lwip.

CVE-2026-8836[0]:
| A vulnerability was found in lwIP up to 2.2.1. Affected is the
| function snmp_parse_inbound_frame of the file
| src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler.
| Performing a manipulation of the argument
| msgAuthenticationParameters results in stack-based buffer overflow.
| The attack may be initiated remotely. The patch is named
| 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install
| a patch to address this issue.

Unfortunately the upstream issue [1] is still private at the time of this
writing.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8836
    https://www.cve.org/CVERecord?id=CVE-2026-8836
[1] https://savannah.nongnu.org/bugs/?68194
[2] https://cgit.git.savannah.gnu.org/cgit/lwip.git/commit/?id=0c957ec03054eb6c8205e9c9d1d05d90ada3898c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: lwip
Source-Version: 2.2.1+dfsg1-5

This fixes as well #1137526 for the CVE fix.

On Wed, May 27, 2026 at 04:04:08PM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Wed, 27 May 2026 17:21:38 +0200
> Source: lwip
> Architecture: source
> Version: 2.2.1+dfsg1-5
> Distribution: unstable
> Urgency: medium
> Maintainer: Joan Lledó <[email protected]>
> Changed-By: Joan Lledó <[email protected]>
> Changes:
>  lwip (2.2.1+dfsg1-5) unstable; urgency=medium
>  .
>    * Add security patches
>      * CVE-2026-8836
>      * VU#129944

--- End Message ---