Your message dated Wed, 17 Dec 2008 21:03:10 +0000
with message-id <e1ld3xy-0006hl...@ries.debian.org>
and subject line Bug#504150: fixed in net-snmp 5.2.3-7etch4
has caused the Debian Bug report #504150,
regarding snmpd: DoS in getbulk handling code in net-snmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
504150: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504150
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: snmpd
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

The following announcement has been released by net-snmp upstream:

SECURITY ISSUE: A bug in the getbulk handling code could let anyone
with even minimal access crash the agent. If you have open access 
to your snmp agents (bad bad bad; stop doing that!) or if you don't 
trust everyone that does have access to your agents you should 
update immediately to prevent potential denial of service attacks.


You can find the upstream patch here[0], which applies fine to the sid
version.

Once we get a CVE id for this issue, I'll forward it to this bugreport.

For lenny, I guess an upload to sid with high urgency should be sufficient.
I'll email you soon about the stable situation.

Cheers
Steffen

[0]: http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/tags/Ext-5-4-2-1/net-snmp/agent/snmp_agent.c?view=patch&r1=17272&r2=17271&pathrev=17272



--- End Message ---
--- Begin Message ---
Source: net-snmp
Source-Version: 5.2.3-7etch4

We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive:

libsnmp-base_5.2.3-7etch4_all.deb
  to pool/main/n/net-snmp/libsnmp-base_5.2.3-7etch4_all.deb
libsnmp-perl_5.2.3-7etch4_i386.deb
  to pool/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_i386.deb
libsnmp9-dev_5.2.3-7etch4_i386.deb
  to pool/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_i386.deb
libsnmp9_5.2.3-7etch4_i386.deb
  to pool/main/n/net-snmp/libsnmp9_5.2.3-7etch4_i386.deb
net-snmp_5.2.3-7etch4.diff.gz
  to pool/main/n/net-snmp/net-snmp_5.2.3-7etch4.diff.gz
net-snmp_5.2.3-7etch4.dsc
  to pool/main/n/net-snmp/net-snmp_5.2.3-7etch4.dsc
snmp_5.2.3-7etch4_i386.deb
  to pool/main/n/net-snmp/snmp_5.2.3-7etch4_i386.deb
snmpd_5.2.3-7etch4_i386.deb
  to pool/main/n/net-snmp/snmpd_5.2.3-7etch4_i386.deb
tkmib_5.2.3-7etch4_all.deb
  to pool/main/n/net-snmp/tkmib_5.2.3-7etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <wh...@debian.org> (supplier of updated net-snmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 04 Nov 2008 14:11:29 +0100
Source: net-snmp
Binary: libsnmp9 tkmib snmp libsnmp-perl libsnmp-base libsnmp9-dev snmpd
Architecture: source all i386
Version: 5.2.3-7etch4
Distribution: stable-security
Urgency: high
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-de...@lists.alioth.debian.org>
Changed-By: Steffen Joeris <wh...@debian.org>
Description: 
 libsnmp-base - NET SNMP (Simple Network Management Protocol) MIBs and Docs
 libsnmp-perl - NET SNMP (Simple Network Management Protocol) Perl5 Support
 libsnmp9   - NET SNMP (Simple Network Management Protocol) Library
 libsnmp9-dev - NET SNMP (Simple Network Management Protocol) Development Files
 snmp       - NET SNMP (Simple Network Management Protocol) Apps
 snmpd      - NET SNMP (Simple Network Management Protocol) Agents
 tkmib      - NET SNMP (Simple Network Management Protocol) MIB Browser
Closes: 504150
Changes: 
 net-snmp (5.2.3-7etch4) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix DoS in getbulk code via vectors related to the number of
     responses or repeats (Closes: #504150)
     Fixes: CVE-2008-4309
Files: 
 8018cc23033178515298d5583a74f9ff 1046 net optional net-snmp_5.2.3-7etch4.dsc
 2ccd6191c3212980956c30de392825ec 94030 net optional net-snmp_5.2.3-7etch4.diff.gz
 d579d8f28f3d704b6c09b2b480425086 1214368 libs optional libsnmp-base_5.2.3-7etch4_all.deb
 b5ccd827adbcefcca3557fa9ae28cc08 855594 net optional tkmib_5.2.3-7etch4_all.deb
 cb705c9fe9418cc9348ac935ea7b0ba2 833970 net optional snmpd_5.2.3-7etch4_i386.deb
 159b4244ef701edbe0fb8c9685b5b477 925914 net optional snmp_5.2.3-7etch4_i386.deb
 3b7ac7b8fe0da1a3909ee56aba46d464 1838900 libs optional libsnmp9_5.2.3-7etch4_i386.deb
 f05c7491a8100684c5085588738f05b5 1423294 libdevel optional libsnmp9-dev_5.2.3-7etch4_i386.deb
 3df41a0c99c41d1bccf6801011cf8ed5 920070 perl optional libsnmp-perl_5.2.3-7etch4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkQUbwACgkQ62zWxYk/rQe+fwCeOkxbnuTwgzlBwnUwuGHs11D4
xQQAn2w5lNCj2Pf2MZpCnnYVYcNl0D+v
=FRZG
-----END PGP SIGNATURE-----



--- End Message ---
