Team,
 
Apologies up front if this is not the correct place to raise a question like this, feel free to redirect me.
 
Back in 2015 a defect (2615) was created against NetSNMP that reported a security issue (CVE-2015-5621).
Later on, 22 Jun 2015, another defect was reported (2643).
Here's the link:
When I read 2643, it tells me that it's a duplicate of 2615.
I am not able to get at defect 2615 - it seems to be hidden/removed... I can see defects 2614 & 2616, but not 2615.
 
Anyhow, when I read through defect 2643, the reporter tells us that they are confirming a security defect known as CVE-2015-5621 is present in Net-SNMP 5.7.3. The defect is reported against the snmp_pdu_parse().
Shortly afterwards, the Net-SNMP team respond to defect 2643, confirming:
  1. it's a duplicate defect (of 2615)
  2. it's fixed
  3. it's not released yet (that was 26 Jun 2015)
I also know that Net-SNMP 5.7.3 was first released in Dec 2014, so I am sort of hoping there will be some sort of a maintenance release that contains a fix for the reported security issue and maybe a roll up of other patches.
 
Does anyone have any news/insights on prospects of a patched 5.7.3? And if so, when?
 
I've also discovered a possible fix for the issue, but I cannot tell if this fix is applicable to the 5.7.3 code I have (it looks similar, but the line numbers are a bit different in my version compared to what's published here).
Maybe someone can tell me if this changed code (snmplib/snmp_api.c) (which was supposed to address the issue):
Is all that's needed?
Is this fix cross-dependent on other fixes elsewhere?
 
 
Regards,
 
Bb

_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
