agentx: CVE-2014-2310: Oversized Object ID

Related Vulnerabilities: CVE-2014-2310   CVE-2012-2141  

Debian Bug report logs - #684388

Package: libsnmp15; Maintainer for libsnmp15 is (unknown);

Reported by: Vincent Bernat <bernat@debian.org>

Date: Thu, 9 Aug 2012 11:33:04 UTC

Severity: important

Tags: patch, security, upstream

Found in version net-snmp/5.4.3~dfsg-2.5

Fixed in versions 5.7.2~dfsg-1~0.1, net-snmp/5.7.2~dfsg-1~0.1, net-snmp/5.4.3~dfsg-2.8

Done: Simon Paillard <spaillard@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://sourceforge.net/p/net-snmp/patches/1113/



Report forwarded to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#684388; Package libsnmp15. (Thu, 09 Aug 2012 11:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
New Bug report received and forwarded. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Thu, 09 Aug 2012 11:33:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: agentx: Oversized Object ID
Date: Thu, 09 Aug 2012 13:32:37 +0200
Package: libsnmp15
Version: 5.4.3~dfsg-2.5
Severity: important
Tags: upstream patch

Hi!

AgentX support is ineffective when a manager requests unrelated OIDs in
the same GET request. snmpd will send those unrelated variables into
the same PDU to the subagent and the subagent will choke with:

agentx: Oversized Object ID

This happens if one of the requested OIDs is larger than the previous
one:

agentx/master: request for variable (iso.3.6.1.2.1.2.2.1.7.7)
agentx/master: request for variable (iso.3.6.1.2.1.2.2.1.2.10)
agentx/master: request for variable (iso.3.6.1.2.1.2.2.1.8.7)
agentx/master: request for variable (iso.3.6.1.3.53.5.5.2.1.3.101)

The first three OIDs contain 11 subids while the next one has 12
subids. snmpd will try several times to communicate those OIDs to the
subagent and will give up. A manager always requesting the same OIDs
will never get an answer.

The bug is fixed upstream in 5.4.4. I attach the relevant patch
extracted from the git repository. I think it may warrant a freeze
exception. The bug is 100% reproducible on my platform.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libsnmp15 depends on:
ii  libc6         2.13-35
ii  libperl5.14   5.14.2-12
ii  libsensors4   1:3.3.2-2
ii  libsnmp-base  5.4.3~dfsg-2.5
ii  libssl1.0.0   1.0.1c-4
ii  libwrap0      7.6.q-24

libsnmp15 recommends no packages.

libsnmp15 suggests no packages.

-- Configuration Files:
/etc/snmp/snmp.conf changed:


-- no debconf information
[0001-NEWS-snmpd-Patch-3141462-from-fenner-fix-agentx-suba.patch (text/x-diff, attachment)]
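
The failure in the report above can be modelled as an OID decoder whose length argument is both input (buffer capacity) and output (decoded length) and is not reset between the variables of one PDU. This is an added example, not net-snmp's code and not the attached patch; that mechanism, all function names, and the wire choices (big-endian, no prefix compression) are assumptions, while the four OIDs are the ones in the report's log.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_OID_LEN 128   /* capacity of a decoded-OID buffer, in sub-identifiers */

/* The four OIDs from the report's log, written out in full (iso = 1). */
static const uint32_t OID_A[] = {1, 3, 6, 1, 2, 1, 2, 2, 1, 7, 7};
static const uint32_t OID_B[] = {1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 10};
static const uint32_t OID_C[] = {1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 7};
static const uint32_t OID_D[] = {1, 3, 6, 1, 3, 53, 5, 5, 2, 1, 3, 101};

/* Append one OID in AgentX wire form (RFC 2741): n_subid, prefix, include,
 * reserved, then n_subid 32-bit sub-identifiers. Big-endian and prefix = 0
 * are choices made for this example. Returns the number of bytes written. */
static size_t put_oid(uint8_t *out, const uint32_t *oid, size_t n)
{
    size_t i, b;
    out[0] = (uint8_t)n;
    out[1] = out[2] = out[3] = 0;
    for (i = 0; i < n; i++)
        for (b = 0; b < 4; b++)
            out[4 + 4 * i + b] = (uint8_t)(oid[i] >> (24 - 8 * b));
    return 4 + 4 * n;
}

/* Decode one OID. *oid_len is in/out: buffer capacity on entry, decoded
 * length on return. Returns bytes consumed, or 0 on error. */
static size_t parse_oid(const uint8_t *in, size_t avail, uint32_t *oid,
                        size_t *oid_len)
{
    size_t n, total, i, b, k = 0;
    if (avail < 4 || avail < 4 + 4 * (size_t)in[0])
        return 0;                       /* truncated */
    n = in[0];
    total = in[1] ? n + 5 : n;          /* a prefix expands to 1.3.6.1.<prefix> */
    if (*oid_len < total)
        return 0;                       /* "Oversized Object ID" */
    if (in[1]) {
        oid[0] = 1; oid[1] = 3; oid[2] = 6; oid[3] = 1; oid[4] = in[1];
        k = 5;
    }
    for (i = 0; i < n; i++, k++)
        for (oid[k] = 0, b = 0; b < 4; b++)
            oid[k] = (oid[k] << 8) | in[4 + 4 * i + b];
    *oid_len = total;
    return 4 + 4 * n;
}

/* Walk the SearchRange list of a Get payload: (start OID, end OID) pairs.
 * With reset_capacity = 0 the in/out lengths are set once, so every OID is
 * limited to the length of the one decoded before it (the reported failure).
 * Returns the number of ranges decoded before the first error. */
static size_t parse_get_payload(const uint8_t *p, size_t len, int reset_capacity)
{
    uint32_t start[MAX_OID_LEN], end[MAX_OID_LEN];
    size_t start_len = MAX_OID_LEN, end_len = MAX_OID_LEN, used, count = 0;

    while (len > 0) {
        if (reset_capacity)
            start_len = end_len = MAX_OID_LEN;   /* the corrected behaviour */
        if ((used = parse_oid(p, len, start, &start_len)) == 0)
            break;
        p += used; len -= used;
        if ((used = parse_oid(p, len, end, &end_len)) == 0)
            break;
        p += used; len -= used;
        count++;
    }
    return count;
}

/* Encode the report's request (each OID followed by a null end OID) and parse
 * it. d_first swaps the 12-sub-identifier OID to the front of the list. */
size_t run_sample(int d_first, int reset_capacity)
{
    const uint32_t *oids[4] = {OID_A, OID_B, OID_C, OID_D};
    size_t lens[4] = {11, 11, 11, 12}, i, off = 0;
    uint8_t buf[256];   /* 3 * (48 + 4) + (52 + 4) = 212 bytes are used */

    if (d_first) {
        oids[0] = OID_D; lens[0] = 12;
        oids[3] = OID_A; lens[3] = 11;
    }
    for (i = 0; i < 4; i++) {
        off += put_oid(buf + off, oids[i], lens[i]);
        off += put_oid(buf + off, NULL, 0);      /* null end OID */
    }
    return parse_get_payload(buf, off, reset_capacity);
}

int main(void)
{
    printf("report order, lengths set once:  %zu of 4\n", run_sample(0, 0));
    printf("report order, reset per range:   %zu of 4\n", run_sample(0, 1));
    printf("longest first, lengths set once: %zu of 4\n", run_sample(1, 0));
    return 0;
}
```

With the lengths set once, the request in the report's order stops at the fourth OID, while the same OIDs with the longest one first all decode, which is why the failure depends on an OID being longer than the one before it.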

Added tag(s) pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Wed, 13 Mar 2013 07:09:13 GMT) (full text, mbox, link).


Reply sent to Hideki Yamane <henrich@debian.org>:
You have taken responsibility. (Sat, 06 Apr 2013 01:05:38 GMT) (full text, mbox, link).


Notification sent to Vincent Bernat <bernat@debian.org>:
Bug acknowledged by developer. (Sat, 06 Apr 2013 01:05:38 GMT) (full text, mbox, link).


Message #12 received at 684388-close@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@debian.org>
To: 684388-close@bugs.debian.org
Subject: Bug#684388: fixed in net-snmp 5.7.2~dfsg-1~0.1
Date: Sat, 06 Apr 2013 01:00:15 +0000
Source: net-snmp
Source-Version: 5.7.2~dfsg-1~0.1

We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684388@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hideki Yamane <henrich@debian.org> (supplier of updated net-snmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 19 Mar 2013 16:43:02 +0900
Source: net-snmp
Binary: snmpd snmp libsnmp-base libsnmp30 libsnmp30-dbg libsnmp-dev libsnmp-perl python-netsnmp tkmib
Architecture: source amd64 all
Version: 5.7.2~dfsg-1~0.1
Distribution: experimental
Urgency: low
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
Changed-By: Hideki Yamane <henrich@debian.org>
Description: 
 libsnmp-base - SNMP (Simple Network Management Protocol) MIBs and documentation
 libsnmp-dev - SNMP (Simple Network Management Protocol) development files
 libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
 libsnmp30  - SNMP (Simple Network Management Protocol) library
 libsnmp30-dbg - SNMP (Simple Network Management Protocol) library debug
 python-netsnmp - SNMP (Simple Network Management Protocol) Python support
 snmp       - SNMP (Simple Network Management Protocol) applications
 snmpd      - SNMP (Simple Network Management Protocol) agents
 tkmib      - SNMP (Simple Network Management Protocol) MIB browser
Closes: 44373 344979 397573 411858 428824 445608 447705 453124 495060 505149 514842 527231 528104 557186 557348 558356 561124 562787 568550 572414 581185 583391 599929 603593 611837 616437 616913 623499 631063 641608 647468 661899 668545 672063 673197 684388
Changes: 
 net-snmp (5.7.2~dfsg-1~0.1) experimental; urgency=low
 .
   * Non-maintainer upload.
   * New upstream version 5.7.2 (Closes: #557348, #631063, #684388, #599929,
     #673197, #581185, #558356, #568550, #514842, #445608, #557186, #411858,
     #428824, #611837, #495060, #527231, #583391, #572414, #668545, #344979,
     #397573)
   * debian/control
     - set "Standards-Version: 3.9.4"
     - set "Build-Depends: debhelper (>= 9)" to enable hardening
     - set "Build-Depends: automake", instead of automake1.9
     - drop "Build-Depends: python-central", use dh_python2 by default, instead
     - remove duplicate "Priority:" and "Section:" fields
     - make it "Multi-Arch" enable
     - add description for non-free snmp-mibs-downloader for users' convenience
       (Closes: #561124)
     - add "Build-Depends: libmysqld-dev" to support MySQL
     - add "Build-Depends: dh-autoreconf"
     - use python-all (2.6.6-3~) instead of python-all-dev (>= 2.5.4-1~), python
       (>=2.3.5-7) for Build-Depends
     - add "Build-Depends: python2.7-dev"
     - s/libsnmp-python/python-netsnmp/ as Python Policy compliant
       (Closes: #661899)
     - Add libsnmp-base to snmp and snmpd's Depends and remove it from
       libsnmp30, also remove "Depends: libsnmp-perl (=${binary:Version})" from
       libsnmp-dev to adjust dependencies in Multi-Arch compliant.
     - simplify libsnmp-perl's Depends to avoid piuparts error
     - remove "Conflicts: libsnmp-dev" from libsnmp-dev
     - point to git://anonscm.debian.org/pkg-net-snmp/pkg-net-snmp.git for
       Vcs-* fields
   * debian/compat
     - set 9
   * debian/*.install
     - split into *.manpages
   * debian/fixman: drop it.
   * debian/*.manpages (Closes: #505149)
     - remove unnecessary "snmp" from tail of all man pages
   * debian/libsnmp-base.install
     - move /usr/share/mibs to /usr/share/snmp/mibs (probably, previous setting
       was just wrong...)
     - install all mibs/*.txt
   * debian/libsnmp-dev.install
     - change from "usr/lib/*" to "usr/lib/*/*" to deal with Multi-Arch
   * debian/libsnmp30.install
     - change from "usr/lib/*.so" to "usr/lib/*/*.so" to deal with Multi-Arch
   * debian/snmp.dirs: remove it since unnecessary
   * debian/snmpd.dirs: remove lintian overrides directory, add /etc/snmp
   * debian/libsnmp-dev.dirs: add it
   * debian/libsnmp-perl.examples: add it since dh_installexamples target in
     previous debian/rules doesn't work correctly.
   * debian/patches
     - remove all *.README files
     - add fix_typo_in_snmpd.conf.patch (Closes: #603593)
       Thanks to Slavko <linux@slavino.sk>
     - add fix_logging_option.patch (Closes: #616437)
     - add fix_snmpcheck_perl_path.patch to provide snmpcheck (Closes: #44373)
     - add net-snmp-config_multi-arch.patch to enable Multi-Arch
     - add fix_regular_expression.patch enable to build under Multi-Arch
     - add to snmptranslate.1.patch fix lintian "hyphen-used-as-minus-sign"
       warnings
     - add fix_spelling_error.patch to fix typo
     - add after_RFC5378 to include some MIBs as DFSF-free code in RFC Documents.
     - adjust and refresh 03_makefiles.patch
     - add fix_man_error.patch
     - drop 25_duplicate_iftable.patch and 44_nlist_kvm.patch since it cannot be
       applied to current code.
     - drop 32_mnttab_path.patch since it was merged to upstream as
       configure.d/config_os_misc4
     - drop 56_manpage.patch since most of patches are merged, and others are
       unnecessary because upstream files are disappeared.
     - refresh 61_vacm_missing_dependency_check.patch
     - drop 63_fix_shell.patch since it was merged to upstream
     - reapplied 64_missing_lib.patch since upstream source has been changed.
     - drop 65_CVE-2012-2141.patch since it was merged to upstream
     - drop 66_formatstrings.patch since almost merged to upstream, some of
       code are changed in upstream and become unnecessary.
     - move 08_defaultconfig.patch to debian/snmptrapd.conf
   * debian/rules
     - enable hardening
       (TODO: building perl module would be failed without -pie)
     - specify LDFLAGS to enable hardening
     - add "--with autotools-dev,autoreconf"
     - export DEB_BUILD_MAINT_OPTIONS to enable hardening
     - drop "dh --with python-central" (Closes: #616913)
     - drop "include /usr/share/python/python.mk"
     - remove "$(PYVERS:%=debian/python-install-stamp-%)"
     - move exist python targets under override_dh_install
     - remove unnecessary .PHONY lines
     - enable tests by removing no instructions with dh_auto_test line
     - set DEB_HOST_MULTIARCH to enable Multi-Arch
     - enable install snmpcheck
     - don't specify to copy files but install them by using .install file
       (mostly)
     - enable mysql support
     - enable AES support (Closes: #447705)
     - don't make symlink for /usr/share/doc/libsnmp-perl since other are okay
       but it has examples files.
     - snmpd doc files link to libsnmp (Closes: #453124)
     - libsnmp-perl doc files link to libsnmp
     - adjust dh_strip for dbg package.
     - adjust dh_clean target
     - remove override_dh_auto_build since LD_RUN_PATH is clearly specified
       during building perl modules
     - add mibII/mta_sendmail to build modules (Closes: #641608)
     - install copyright file manually for libsnmp30
     - "get-orig-source:" target: really remove IANA files.
     - improve specifying MIBs directory with new one.
     - add "disman/event-mib" to MIB_MODULES, somehow changes in 5.2.2-5
       disappeared (Closes: #562787)
   * debian/clean
     - most listed files are cared by autotools-dev, so removed.
   * debian/snmp.conf: fix typo (Closes: #623499, #647468)
   * debian/snmpd.init
     - force remove pid files (Closes: #528104)
     - deal with MIBs directory changes
   * add libsnmp30.lintian-overrides since it seems to be false-positive.
   * debian/snmpd.dirs: fix "using of /var/agentx conflicts with FHS"
     RFC says "(It may create other, implementation-specific endpoints.)", so
     FHS-compliant endpoint is more suitable for Debian system.
     (Closes: #672063)
   * debian/snmpd.lintian-overrides
     - remove above overrides since it's unnecessary anymore.
   * move snmp.conf from libsnmp30 to snmp.
   * debian/snmpd.default
     - Disable loading mteTrigger and mteTriggerConf modules as they don't
       work without non-free MIBs.
   * libsnmp-perl.postinst: remove it since it's not necessary because
     symlink is handled by debian/rules




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 24 Jun 2013 07:39:39 GMT) (full text, mbox, link).


Bug unarchived. Request was from Simon Paillard <spaillard@mraw.org> to control@bugs.debian.org. (Thu, 06 Mar 2014 11:21:07 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'http://sourceforge.net/p/net-snmp/patches/1113/'. Request was from Simon Paillard <spaillard@mraw.org> to control@bugs.debian.org. (Thu, 06 Mar 2014 11:39:14 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#684388; Package libsnmp15. (Thu, 06 Mar 2014 13:45:08 GMT) (full text, mbox, link).


Acknowledgement sent to Simon Paillard <spaillard@debian.org>:
Extra info received and forwarded to list. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Thu, 06 Mar 2014 13:45:08 GMT) (full text, mbox, link).


Message #23 received at 684388@bugs.debian.org (full text, mbox, reply):

From: Simon Paillard <spaillard@debian.org>
To: 684388@bugs.debian.org
Cc: Vincent Bernat <bernat@debian.org>
Subject: Re: Bug#684388: agentx: Oversized Object ID
Date: Thu, 6 Mar 2014 14:43:34 +0100
Hi,

On Thu, Aug 09, 2012 at 01:32:37PM +0200, Vincent Bernat wrote:
> Package: libsnmp15
> Version: 5.4.3~dfsg-2.5
> Severity: important
> Tags: upstream patch
> 
> AgentX support is ineffective when a manager requests unrelated OIDs in
> the same GET request. snmpd will send those unrelated variables into
> the same PDU to the subagent and the subagent will choke with:
> 
> agentx: Oversized Object ID
[..]
> The first three OIDs contain 11 subids while the next one has 12
> subids. snmpd will try several times to communicate those OIDs to the
> subagent and will give up. A manager always requesting the same OIDs
> will never get an answer.
> 
> The bug is fixed upstream in 5.4.4. I attach the relevant patch
> extracted from the git repository. I think it may warrant a freeze
> exception. The bug is 100% reproducible on my platform.

I've been hit by the very same bug, which is blocking, and may even be, in
my opinion, a security bug.

As the bugfix is already present in testing, would you consider an upload to
stable-proposed-updates ?

http://sources.debian.net/src/net-snmp/5.7.2~dfsg-8.1/agent/mibgroup/agentx/protocol.c#L1774

I can take care of the upload if necessary.

Thanks and best regards.

-- 
Simon Paillard



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 06 Mar 2014 15:27:04 GMT) (full text, mbox, link).


Changed Bug title to 'agentx: CVE-2014-2310: Oversized Object ID' from 'agentx: Oversized Object ID' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 08 Mar 2014 06:57:05 GMT) (full text, mbox, link).


Marked as fixed in versions 5.7.2~dfsg-1~0.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 08 Mar 2014 11:51:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#684388; Package libsnmp15. (Mon, 17 Mar 2014 20:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Simon Paillard <spaillard@debian.org>:
Extra info received and forwarded to list. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Mon, 17 Mar 2014 20:51:04 GMT) (full text, mbox, link).


Message #34 received at 684388@bugs.debian.org (full text, mbox, reply):

From: Simon Paillard <spaillard@debian.org>
To: 684388@bugs.debian.org
Subject: Re: Bug#684388: agentx: Oversized Object ID
Date: Mon, 17 Mar 2014 21:46:50 +0100
Hi,

On Thu, Mar 06, 2014 at 02:43:34PM +0100, Simon Paillard wrote:
> On Thu, Aug 09, 2012 at 01:32:37PM +0200, Vincent Bernat wrote:
> > AgentX support is ineffective when a manager requests unrelated OIDs in
> > the same GET request. snmpd will send those unrelated variables into
> > the same PDU to the subagent and the subagent will choke with:
> > 
> > agentx: Oversized Object ID
> [..]
> > The first three OIDs contain 11 subids while the next one has 12
> > subids. snmpd will try several times to communicate those OIDs to the
> > subagent and will give up. A manager always requesting the same OIDs
> > will never get an answer.
[..]
> As the bugfix is already present in testing, would you consider an upload to
> stable-proposed-updates ?
> http://sources.debian.net/src/net-snmp/5.7.2~dfsg-8.1/agent/mibgroup/agentx/protocol.c#L1774

NMU debdiff attached.

I don't know if the security team wants this to be fixed via security updates
(FTR Red Hat considers this bug not grave,
https://bugzilla.redhat.com/show_bug.cgi?id=1074631#c3)

-- 
Simon Paillard
[net-snmp-5.4.3~dfsg-2.8-nmu.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#684388; Package libsnmp15. (Wed, 19 Mar 2014 15:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Simon Paillard <spaillard@debian.org>:
Extra info received and forwarded to list. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Wed, 19 Mar 2014 15:00:05 GMT) (full text, mbox, link).


Message #39 received at 684388@bugs.debian.org (full text, mbox, reply):

From: Simon Paillard <spaillard@debian.org>
To: debian-release@lists.debian.org
Cc: 684388@bugs.debian.org
Subject: Re: Bug#684388: agentx: CVE-2014-2310: Oversized Object ID
Date: Wed, 19 Mar 2014 15:57:12 +0100
Hello Release team,

On Mon, Mar 17, 2014 at 09:46:50PM +0100, Simon Paillard wrote:
> On Thu, Mar 06, 2014 at 02:43:34PM +0100, Simon Paillard wrote:
> > On Thu, Aug 09, 2012 at 01:32:37PM +0200, Vincent Bernat wrote:
> > > AgentX support is ineffective when a manager requests unrelated OIDs in
> > > the same GET request. snmpd will send those unrelated variables into
> > > the same PDU to the subagent and the subagent will choke with:
> > > 
> > > agentx: Oversized Object ID
> > [..]
> > > The first three OIDs contain 11 subids while the next one has 12
> > > subids. snmpd will try several times to communicate those OIDs to the
> > > subagent and will give up. A manager always requesting the same OIDs
> > > will never get an answer.
> [..]
> > As the bugfix is already present in testing, would you consider an upload to
> > stable-proposed-updates ?
> > http://sources.debian.net/src/net-snmp/5.7.2~dfsg-8.1/agent/mibgroup/agentx/protocol.c#L1774
> 
> NMU debdiff attached.
> 
> I don't know if the security team wants this to be fixed via security updates
> (FTR Red Hat considers this bug not grave,
> https://bugzilla.redhat.com/show_bug.cgi?id=1074631#c3)

debian-security team prefers this bug in stable to be addressed using an upload
in spu instead of issuing a DSA.

Do you agree with this ?

As you can see in the bug report and debdiff, the patch is very localized, and
already present in testing.

-- 
Simon Paillard



Information forwarded to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#684388; Package libsnmp15. (Wed, 19 Mar 2014 19:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Wed, 19 Mar 2014 19:39:04 GMT) (full text, mbox, link).


Message #44 received at 684388@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: Simon Paillard <spaillard@debian.org>, debian-release@lists.debian.org, 684388@bugs.debian.org
Subject: Re: Bug#684388: agentx: CVE-2014-2310: Oversized Object ID
Date: Wed, 19 Mar 2014 20:35:29 +0100
On Wed, Mar 19, 2014 at 15:57:12 +0100, Simon Paillard wrote:

> debian-security team prefers this bug in stable to be addressed using an upload
> in spu instead of issuing a DSA.
> 
> Do you agree with this ?
> 
> As you can see in the bug report and debdiff, the patch is very localized, and
> already present in testing.
> 
You didn't send us a debdiff.  Please file a bug against the
release.debian.org pseudo-package including that diff.

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#684388; Package libsnmp15. (Mon, 24 Mar 2014 12:51:15 GMT) (full text, mbox, link).


Acknowledgement sent to Simon Paillard <spaillard@debian.org>:
Extra info received and forwarded to list. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Mon, 24 Mar 2014 12:51:15 GMT) (full text, mbox, link).


Message #49 received at 684388@bugs.debian.org (full text, mbox, reply):

From: Simon Paillard <spaillard@debian.org>
To: 684388@bugs.debian.org
Subject: Re: Bug#684388: agentx: CVE-2014-2310: Oversized Object ID
Date: Mon, 24 Mar 2014 13:47:38 +0100
On Wed, Mar 19, 2014 at 08:35:29PM +0100, Julien Cristau wrote:
> On Wed, Mar 19, 2014 at 15:57:12 +0100, Simon Paillard wrote:
> > debian-security team prefers this bug in stable to be addressed using an upload
> > in spu instead of issuing a DSA.
> [..]
> > As you can see in the bug report and debdiff, the patch is very localized, and
> > already present in testing.
>
> You didn't send us a debdiff.  Please file a bug against the
> release.debian.org pseudo-package including that diff.

FTR, wheezy-proposed-update request at http://bugs.debian.org/742150


-- 
Simon Paillard



Reply sent to Simon Paillard <spaillard@debian.org>:
You have taken responsibility. (Tue, 15 Apr 2014 19:51:05 GMT) (full text, mbox, link).


Notification sent to Vincent Bernat <bernat@debian.org>:
Bug acknowledged by developer. (Tue, 15 Apr 2014 19:51:05 GMT) (full text, mbox, link).


Message #54 received at 684388-close@bugs.debian.org (full text, mbox, reply):

From: Simon Paillard <spaillard@debian.org>
To: 684388-close@bugs.debian.org
Subject: Bug#684388: fixed in net-snmp 5.4.3~dfsg-2.8
Date: Tue, 15 Apr 2014 19:47:06 +0000
Source: net-snmp
Source-Version: 5.4.3~dfsg-2.8

We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684388@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Paillard <spaillard@debian.org> (supplier of updated net-snmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 17 Mar 2014 20:56:52 +0100
Source: net-snmp
Binary: snmpd snmp libsnmp-base libsnmp15 libsnmp15-dbg libsnmp-dev libsnmp-perl libsnmp-python tkmib
Architecture: source amd64 all
Version: 5.4.3~dfsg-2.8
Distribution: stable
Urgency: medium
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
Changed-By: Simon Paillard <spaillard@debian.org>
Description: 
 libsnmp-base - SNMP (Simple Network Management Protocol) MIBs and documentation
 libsnmp-dev - SNMP (Simple Network Management Protocol) development files
 libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
 libsnmp-python - SNMP (Simple Network Management Protocol) Python support
 libsnmp15  - SNMP (Simple Network Management Protocol) library
 libsnmp15-dbg - SNMP (Simple Network Management Protocol) library debug
 snmp       - SNMP (Simple Network Management Protocol) applications
 snmpd      - SNMP (Simple Network Management Protocol) agents
 tkmib      - SNMP (Simple Network Management Protocol) MIB browser
Closes: 684388
Changes: 
 net-snmp (5.4.3~dfsg-2.8) stable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix agentx subagent issues with multiple-object requests and increasing
     object length (CVE-2014-2310) (Closes: #684388)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 14 May 2014 07:34:51 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:57:55 2019; Machine Name: beach
