net-snmp: CVE-2014-2284

Related Vulnerabilities: CVE-2014-2284, CVE-2012-6151, CVE-2014-2285

Debian Bug report logs - #742817
net-snmp: CVE-2014-2284

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 27 Mar 2014 18:57:02 UTC

Severity: important

Tags: security, upstream

Found in version 5.7.2~dfsg-8.1

Fixed in version net-snmp/5.7.2.1~dfsg-1

Done: Hideki Yamane <henrich@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#742817; Package net-snmp. (Thu, 27 Mar 2014 18:57:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Thu, 27 Mar 2014 18:57:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: net-snmp: CVE-2014-2284
Date: Thu, 27 Mar 2014 19:55:07 +0100
Package: net-snmp
Version: 5.7.2~dfsg-8.1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for net-snmp.

CVE-2014-2284[0]:
| The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before
| 5.5.2.1, 5.6.x before 5.6.2.1, and 5.7.x before 5.7.2.1 does not
| properly validate input, which allows remote attackers to cause a
| denial of service via unspecified vectors.

The upstream patch is available at [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2284
    https://security-tracker.debian.org/tracker/CVE-2014-2284
[1] http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/
[2] http://sourceforge.net/p/net-snmp/mailman/message/32026655/

Regards,
Salvatore



Reply sent to Hideki Yamane <henrich@debian.org>:
You have taken responsibility. (Tue, 01 Apr 2014 13:04:14 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 01 Apr 2014 13:04:14 GMT).


Message #10 received at 742817-close@bugs.debian.org:

From: Hideki Yamane <henrich@debian.org>
To: 742817-close@bugs.debian.org
Subject: Bug#742817: fixed in net-snmp 5.7.2.1~dfsg-1
Date: Tue, 01 Apr 2014 13:00:08 +0000
Source: net-snmp
Source-Version: 5.7.2.1~dfsg-1

We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742817@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hideki Yamane <henrich@debian.org> (supplier of updated net-snmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 30 Mar 2014 19:58:39 +0900
Source: net-snmp
Binary: snmpd snmptrapd snmp libsnmp-base libsnmp30 libsnmp30-dbg libsnmp-dev libsnmp-perl python-netsnmp tkmib
Architecture: source amd64 all
Version: 5.7.2.1~dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
Changed-By: Hideki Yamane <henrich@debian.org>
Description: 
 libsnmp-base - SNMP configuration script, MIBs and documentation
 libsnmp-dev - SNMP (Simple Network Management Protocol) development files
 libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
 libsnmp30  - SNMP (Simple Network Management Protocol) library
 libsnmp30-dbg - SNMP (Simple Network Management Protocol) library debug
 python-netsnmp - SNMP (Simple Network Management Protocol) Python support
 snmp       - SNMP (Simple Network Management Protocol) applications
 snmpd      - SNMP (Simple Network Management Protocol) agents
 snmptrapd  - Net-SNMP notification receiver
 tkmib      - SNMP (Simple Network Management Protocol) MIB browser
Closes: 482041 577649 589040 606784 610630 640456 717179 717419 718988 726158 728546 729732 731625 741504 742817
Changes: 
 net-snmp (5.7.2.1~dfsg-1) experimental; urgency=medium
 .
   * New upstream release
     - fix DoS on ICMP-MIB as CVE-2014-2284 (Closes: #742817)
   * Ack NMU (Closes: #717419)
   * debian/patches
     - add add_rocommunity6.patch to fix snmpwalk using ipv6 (Closes: #717179)
     - add fix_manpage-has-errors-from-man.patch
     - add agentx-crash.patch, taken from Fedora package. It fixes CVE-2012-6151
       (Closes: #731625)
     - add TrapReceiver.patch to fix CVE-2014-2285
   * debian/control
     - set Standards-Version: 3.9.5
     - add "Build-Depends: libpci-dev" to enable libpci function that was
       introduced in 5.7 (Closes: #741504)
   * debian/libsnmp-dev.install
     - add missing net-snmp-create-v3-user (Closes: #726158, #718988)
   * debian/upstream/signing-key.asc
     - check upstream PGP key
   * debian/rules
     - add etherlike-mib/dot3StatsTable (Closes: #729732, LP#1251847)
   * debian/snmpd.init
     - relax start-stop-daemons avoid restart daemon before it terminates.
       Thanks to Saj Goonatilleke <saj.goonatilleke@anchor.net.au> for the
       patch (Closes: #640456)
     - fix "init.d-script-does-not-source-init-functions" lintian warning
   * debian/snmpd.postinst
     - fix weird user creation (Closes: #482041, #589040, #606784, #610630)
   * debian/snmpd.postrm
     - remove unnecessary old /var/agentx/master directory with purge
       (Closes: #728546)
   * debian/snmp.install
     - move traptoemail to snmptrapd.install related to above changes
   * debian/{snmpd,snmptrapd}.default
     - fix pid directory
   * debian/README.Debian
     - note snmpconf is in snmp package (Closes: #577649)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 28 May 2014 07:26:26 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:33:38 2019; Machine Name: buxtehude
