Debian Bug report logs -
#910638
net-snmp: CVE-2018-18065
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 9 Oct 2018 08:21:02 UTC
Severity: grave
Tags: patch, security, upstream
Found in version net-snmp/5.7.3+dfsg-1
Fixed in versions net-snmp/5.7.3+dfsg-1.7+deb9u1, net-snmp/5.7.3+dfsg-4
Done: Craig Small <csmall@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#910638; Package src:net-snmp.
(Tue, 09 Oct 2018 08:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>.
(Tue, 09 Oct 2018 08:21:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: net-snmp
Version: 5.7.3+dfsg-1
Severity: grave
Tags: patch security upstream
Hi,
The following vulnerability was published for net-snmp.
CVE-2018-18065[0]:
| _set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has
| a NULL Pointer Exception bug that can be used by an authenticated
| attacker to remotely cause the instance to crash via a crafted UDP
| packet, resulting in Denial of Service.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-18065
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18065
[1] https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/
Regards,
Salvatore
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 09 Oct 2018 19:42:09 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#910638.
(Tue, 09 Oct 2018 19:42:13 GMT) (full text, mbox, link).
Message #10 received at 910638-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #910638 in net-snmp reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/debian/net-snmp/commit/7f11eee7b26e4e3262aff8346572e84de612f203
------------------------------------------------------------------------
snmpd crashes when receiving a GetNext PDU with multiple Varbinds (CVE-2018-18065)
Closes: #910638
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/910638
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Fri, 12 Oct 2018 19:03:13 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 12 Oct 2018 19:03:13 GMT) (full text, mbox, link).
Message #15 received at 910638-close@bugs.debian.org (full text, mbox, reply):
Source: net-snmp
Source-Version: 5.7.3+dfsg-1.7+deb9u1
We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 910638@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated net-snmp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 09 Oct 2018 10:45:49 +0200
Source: net-snmp
Binary: snmpd snmptrapd snmp libsnmp-base libsnmp30 libsnmp30-dbg libsnmp-dev libsnmp-perl python-netsnmp tkmib
Architecture: source
Version: 5.7.3+dfsg-1.7+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 910638
Description:
libsnmp-base - SNMP configuration script, MIBs and documentation
libsnmp-dev - SNMP (Simple Network Management Protocol) development files
libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
libsnmp30 - SNMP (Simple Network Management Protocol) library
libsnmp30-dbg - SNMP (Simple Network Management Protocol) library debug
python-netsnmp - SNMP (Simple Network Management Protocol) Python support
snmp - SNMP (Simple Network Management Protocol) applications
snmpd - SNMP (Simple Network Management Protocol) agents
snmptrapd - Net-SNMP notification receiver
tkmib - SNMP (Simple Network Management Protocol) MIB browser
Changes:
net-snmp (5.7.3+dfsg-1.7+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* snmpd crashes when receiving a GetNext PDU with multiple Varbinds
(CVE-2018-18065) (Closes: #910638)
Checksums-Sha1:
9892e4bb6b3612d5cfd4f6e4ce1c10e678640edf 3316 net-snmp_5.7.3+dfsg-1.7+deb9u1.dsc
ebbbc5e9fc5006edd3e62d595366497592d964a2 3371224 net-snmp_5.7.3+dfsg.orig.tar.xz
c4b93e29ac47a4129bea38a52bdecf82d673cd29 74236 net-snmp_5.7.3+dfsg-1.7+deb9u1.debian.tar.xz
Checksums-Sha256:
61687e824bca1d7cbfa0506c854f4cbcbbefaa0d0e1c012a7c88520e5139815d 3316 net-snmp_5.7.3+dfsg-1.7+deb9u1.dsc
073eb05b926a9d23a2eba3270c4e52dd94c0aa27e8b7cf7f1a4e59a4d3da3fb5 3371224 net-snmp_5.7.3+dfsg.orig.tar.xz
17d7cd84de728889aabec767eb8b616bb750a42a194eddbd66953dd6311eb88b 74236 net-snmp_5.7.3+dfsg-1.7+deb9u1.debian.tar.xz
Files:
f7f9d620ab58372044e7d6110b2b1c90 3316 net optional net-snmp_5.7.3+dfsg-1.7+deb9u1.dsc
6391ae27eb1ae34ff5530712bb1c4209 3371224 net optional net-snmp_5.7.3+dfsg.orig.tar.xz
424d11ee489f1f8f7e0efae9df590be6 74236 net optional net-snmp_5.7.3+dfsg-1.7+deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlu9GMFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EgIsP/2emxTpp0+jWMagBt72U9nG/wHkWijFW
WVdoRq4qH8/iJY0/AcTaoOv1iNsCjKZhWEBpsmIebKLBGRtZTJ2P9P5wtYcdpkKa
IxGrJMmg2qRey8nvKrYqOI1Q21DVO1z9sCP4rpkc/rWb8GLDMCV7xpg4mBi1IzYL
YNo5dMfn+BxVyrzRpBBS8g8AkQqtCM/OOUgfozAvOB/Tz93VRHy/6LVeqpLdPSc4
/+CnkdwalhvJlGRFulDmwRy3f14msbffHIHBlAdLi0r18Mp1Z11KU4C72NQpjMOn
2bUcjtESlf2sTI8ryJeAcBIrRdAEtKFXR/iLtDmeRJYhLI6ZzaXg86i3zurToTFb
+iK8ZE6PUqelGXn+7naBBR6IQ5MQYE4Lwy5CGlkyEsuzJOuZBZ8yr2E4radC5fAz
Hb1CLis+ETzGtMAhWI6+i+yrlJJAZYkJyqF51sci5HMxgp0jmIA+adR8UVQBeNHG
iAoHudnxVeeFEpabAV6fxcxraN7GW0pc68kvC52rhd7SUGZLOQe9wbuvdJ4i218k
xQpqf3+K4JswXsYQ/I4cZVwsHdt6arDel9UhjUQi3fbtR3VoUum52E8k2pa5RWnZ
D+upZWSuUG9EHtQw0iEl7krn+T2faef/7YNbiS2v6ZntOA9/N5vps9jLsvHEeVXP
JFLjBfAeoPB4
=zzLz
-----END PGP SIGNATURE-----
Reply sent
to Craig Small <csmall@debian.org>:
You have taken responsibility.
(Fri, 26 Oct 2018 02:45:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 26 Oct 2018 02:45:06 GMT) (full text, mbox, link).
Message #20 received at 910638-close@bugs.debian.org (full text, mbox, reply):
Source: net-snmp
Source-Version: 5.7.3+dfsg-4
We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 910638@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated net-snmp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 26 Oct 2018 12:40:34 +1100
Source: net-snmp
Binary: snmpd snmptrapd snmp libsnmp-base libsnmp30 libsnmp30-dbg libsnmp-dev libsnmp-perl python-netsnmp tkmib
Architecture: source all amd64
Version: 5.7.3+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
libsnmp-base - SNMP configuration script, MIBs and documentation
libsnmp-dev - SNMP (Simple Network Management Protocol) development files
libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
libsnmp30 - SNMP (Simple Network Management Protocol) library
libsnmp30-dbg - SNMP (Simple Network Management Protocol) library debug
python-netsnmp - SNMP (Simple Network Management Protocol) Python support
snmp - SNMP (Simple Network Management Protocol) applications
snmpd - SNMP (Simple Network Management Protocol) agents
snmptrapd - Net-SNMP notification receiver
tkmib - SNMP (Simple Network Management Protocol) MIB browser
Closes: 898197 910638 911216
Changes:
net-snmp (5.7.3+dfsg-4) unstable; urgency=medium
.
[ Craig Small ]
* Use correct snmpwalk args in snmpcheck Closes: #898197
* Remove user only on purge Closes: #911216
.
[ Ondřej Nový ]
* d/copyright: Use https protocol in Format field
* d/control: Removing redundant Priority field in binary package
* d/changelog: Remove trailing whitespaces
* d/control: Remove trailing whitespaces
* d/watch: Use https protocol
.
[ Salvatore Bonaccorso ]
* snmpd crashes when receiving a GetNext PDU with multiple Varbinds
(CVE-2018-18065) (Closes: #910638)
Checksums-Sha1:
8bfc656e0a9a30a2ed8c3eed75c580414ff6f81a 2988 net-snmp_5.7.3+dfsg-4.dsc
2533c2d3cd3c0c8391ac7c9b6e3ecc25f17040a7 77028 net-snmp_5.7.3+dfsg-4.debian.tar.xz
f69a8643bb87eacab4c3198101711d715c849957 1594512 libsnmp-base_5.7.3+dfsg-4_all.deb
5bc7b6235ba67ad4cffd35ca5c2f2614e6980ad5 1100024 libsnmp-dev_5.7.3+dfsg-4_amd64.deb
b2ca7723e398f005f4281b7314b0da837f9bfec6 346868 libsnmp-perl-dbgsym_5.7.3+dfsg-4_amd64.deb
34160fb2de752862ee21b7ca90c62bc56590b7e2 1532324 libsnmp-perl_5.7.3+dfsg-4_amd64.deb
12229379a8a92aed182defbb6bd0ed89677f6764 2730916 libsnmp30-dbg_5.7.3+dfsg-4_amd64.deb
01f5030521cdd1f32a76ad1944f0c44901044a1d 2321260 libsnmp30_5.7.3+dfsg-4_amd64.deb
890414fd79056798a879a231cf51069a2e7f8172 10978 net-snmp_5.7.3+dfsg-4_amd64.buildinfo
073e95fed3d099c8c5dd8e3995d8a1d3c47fec54 47316 python-netsnmp-dbgsym_5.7.3+dfsg-4_amd64.deb
e0e99f8fdbf48f69918818855ea72ec76d2480da 19860 python-netsnmp_5.7.3+dfsg-4_amd64.deb
a29f2fbaa83960134f9a9ae20350cec4676d6949 281948 snmp-dbgsym_5.7.3+dfsg-4_amd64.deb
6ae0b1504b643f086f90048a57c5b5d5ea0ca08c 155660 snmp_5.7.3+dfsg-4_amd64.deb
17847e6c6b2ffc4141b68a39c3e0fdb4557af7d6 21668 snmpd-dbgsym_5.7.3+dfsg-4_amd64.deb
3a1ebaf18508711a5e6b23ce2ecc406e1b63dfeb 56040 snmpd_5.7.3+dfsg-4_amd64.deb
aa925494fd173c11797fa41f1b6937f1bbcde047 25236 snmptrapd-dbgsym_5.7.3+dfsg-4_amd64.deb
746273959ee9dad956c5029ee609f5278f4c9151 24364 snmptrapd_5.7.3+dfsg-4_amd64.deb
8186513fdea4f5a798b4fa355c44ff411dd75297 1471236 tkmib_5.7.3+dfsg-4_all.deb
Checksums-Sha256:
8f519449f536d833bea2d09dd967f3497c7843d03b3e071f81d935ea54488367 2988 net-snmp_5.7.3+dfsg-4.dsc
69a3db77e969cf95b7039f73369374962da94192d2bb08ed21586caa4d0c8359 77028 net-snmp_5.7.3+dfsg-4.debian.tar.xz
5001d8abd99b13f39344e5726c5396381165d46199fe66db9fe2367946ce6f5b 1594512 libsnmp-base_5.7.3+dfsg-4_all.deb
2c8e74f6d49e3e4fa2928cc74fef880e189b7b825743b6258d86ef736083420b 1100024 libsnmp-dev_5.7.3+dfsg-4_amd64.deb
3b155814cd6b7fda1c98e9b43d074c7868844b2b0318e580aa8ee06374eaebd8 346868 libsnmp-perl-dbgsym_5.7.3+dfsg-4_amd64.deb
6ea936c94579a21bd1829adda0bc33a63b4e2d99fbaeeb5b2d3e0a9e9a7f9df1 1532324 libsnmp-perl_5.7.3+dfsg-4_amd64.deb
62cccca6bf92013ad28ead2a43a5bebf5ebee5f6c0d34ca3c39a42eb78d1ab5b 2730916 libsnmp30-dbg_5.7.3+dfsg-4_amd64.deb
be58523ab2b7c6f610b5798a89c88a060e33e0f6851f6d65a9eb8aab9ce1fd6d 2321260 libsnmp30_5.7.3+dfsg-4_amd64.deb
92af5c4c777abf433d698d1b48c5409efe586785fc6229051de59033ca691a50 10978 net-snmp_5.7.3+dfsg-4_amd64.buildinfo
eacc7c70d8871460e7ba1fb31ea222960bb5711bf1045e6131bf5b07bb54aad1 47316 python-netsnmp-dbgsym_5.7.3+dfsg-4_amd64.deb
74947f37775d225d70dd6854c67711f6fd058f9fa7f528baf4d5112b74f75def 19860 python-netsnmp_5.7.3+dfsg-4_amd64.deb
828d93fe72ffee2d6bb01a5235b003edf566be1e16ed8acc8cb91c74edd2757c 281948 snmp-dbgsym_5.7.3+dfsg-4_amd64.deb
ee74e798e90875e7129b4d88a0e9a364a521981b7192566d47bf6032a89b5844 155660 snmp_5.7.3+dfsg-4_amd64.deb
4e976e449214f0b23040c41176f13c5ca97a118a58f5d5f91a383381fbb7cdc2 21668 snmpd-dbgsym_5.7.3+dfsg-4_amd64.deb
69f1db80096392c975a9c1875cf302a1a5e5b698cc50c250a15650595e9cdcd4 56040 snmpd_5.7.3+dfsg-4_amd64.deb
94f6fb34729b84fb9fde7e231ce0d35c30b0017ef319aedfa93f7bb3813f57f8 25236 snmptrapd-dbgsym_5.7.3+dfsg-4_amd64.deb
c50ede31d17d2042895adb6787db80b7f7096aed5fa0c034bc712c3685417f3b 24364 snmptrapd_5.7.3+dfsg-4_amd64.deb
48d5bbd8b91cd5bf6e39782dd240bff8c1453f4c7f87253b08e442088eea4b1f 1471236 tkmib_5.7.3+dfsg-4_all.deb
Files:
673b3ff7549b5a708085752b6f5a6eeb 2988 net optional net-snmp_5.7.3+dfsg-4.dsc
3b000e779122d7ebab04807583bd5bff 77028 net optional net-snmp_5.7.3+dfsg-4.debian.tar.xz
7806e02cea671467c7b0b044dba3378a 1594512 libs optional libsnmp-base_5.7.3+dfsg-4_all.deb
6d731f693b9f40f4016b7aa579539448 1100024 libdevel optional libsnmp-dev_5.7.3+dfsg-4_amd64.deb
49d67daa978734ee99b8c3c6e1717998 346868 debug optional libsnmp-perl-dbgsym_5.7.3+dfsg-4_amd64.deb
891c53dc650506281cad6b428423da56 1532324 perl optional libsnmp-perl_5.7.3+dfsg-4_amd64.deb
aef1299f1e71ab8c7132ef6bce5417d8 2730916 debug optional libsnmp30-dbg_5.7.3+dfsg-4_amd64.deb
aa1277a5e1dcf16c2ecf9c96bea2bd22 2321260 libs optional libsnmp30_5.7.3+dfsg-4_amd64.deb
52b0c8234551de564900ddafc4850d38 10978 net optional net-snmp_5.7.3+dfsg-4_amd64.buildinfo
f058494f18eff6bcf090171bf2f1f8e8 47316 debug optional python-netsnmp-dbgsym_5.7.3+dfsg-4_amd64.deb
10fa499179299ccf81718b25d9d4e638 19860 python optional python-netsnmp_5.7.3+dfsg-4_amd64.deb
df2c3e5481961f0e3612ddc027568408 281948 debug optional snmp-dbgsym_5.7.3+dfsg-4_amd64.deb
3a9c57fd1064c0fef53c0f35079cf4d7 155660 net optional snmp_5.7.3+dfsg-4_amd64.deb
856d4983de6d651548b79009b725afd8 21668 debug optional snmpd-dbgsym_5.7.3+dfsg-4_amd64.deb
1da6de08dacf05f5ef27a4415d02521d 56040 net optional snmpd_5.7.3+dfsg-4_amd64.deb
0d080116d1332c55defdfc0acb10e6bc 25236 debug optional snmptrapd-dbgsym_5.7.3+dfsg-4_amd64.deb
c62f32babcfc1b0fcd72c1caf49614b8 24364 net optional snmptrapd_5.7.3+dfsg-4_amd64.deb
0e478ead9cb484dee25d98747398b211 1471236 net optional tkmib_5.7.3+dfsg-4_all.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAlvScr8ACgkQAiFmwP88
hOPGnw/8CMPIxGpF0+7+WBLiFgL7s7+dkYH8/sGI5CsAhJrHDZ14eJ9cRETgzbFo
TNyb4XES73ELyMPaW0/edyjB6rBx5S1MrC3GonGtwdzjoZGICetL6bKGh/MSHCx5
Noxa88gXRpabhiGHVYO/opq0AQg0q0w8wMyAvyhOPG2/8ZtGaL/G1lbbxWsnwXpl
dKvMKtvQ3q/Kvf36xG1vj66MwLeui0gV9GoeP8Gbd7mnUDeBhJ9PRW3CtgG5aYVT
zb/HjXbg9C2dzALCnX7pbOvOhPvTxkn4/1RVLVq2iYKVJ0lDAm0AlHCw1vOPo479
3vi1tqzu4iisH1Amk2UruyG3cg3E0zBV9iFcFeRf5EFxAOsStDM7gKwD2XiWHRar
qFH2qEiRlZh+5nWqKZGhL/vBE3l7hzPP+klC5QBzklNF0lOP0CvHXu+Mla667Fr/
owX4e41eRRGP/1CusxYcs8To2zK2DvpCkIBuzzzVNSIDlRlBKl9MGK2zh5TDd01q
PnKSGBgg/rtEF+F3ikztXmYPMZ61XIWgsdAf4x7CO4P7GMIQHcuySZxHu0SFzIoO
zo14b7pMjwiDUQsdRcDzZ58xFB3Dym4WZR4bkWJwbrBympOkJBoWgvbX1BomfxqF
wb8BPQbZ/Z1qOzKDei/xojDNSCFT1fUkvbUbA1h/i1NDnwqwk6g=
=KieH
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 28 Nov 2018 07:35:27 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:46:07 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon