Debian Bug report logs -
#1024020
net-snmp: CVE-2022-44792 CVE-2022-44793
Reported by: Moritz Mühlenhoff <jmm@inutil.org>
Date: Sun, 13 Nov 2022 19:39:02 UTC
Severity: important
Tags: security, upstream
Found in versions net-snmp/5.9+dfsg-4+deb11u1, net-snmp/5.9.3+dfsg-1, net-snmp/5.9+dfsg-4
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian SNMP Team <team+snmp@tracker.debian.org>:
Bug#1024020; Package src:net-snmp.
(Sun, 13 Nov 2022 19:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian SNMP Team <team+snmp@tracker.debian.org>.
(Sun, 13 Nov 2022 19:39:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: net-snmp
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for net-snmp.
CVE-2022-44792[0]:
| handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP
| 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by
| a remote attacker (who has write access) to cause the instance to
| crash via a crafted UDP packet, resulting in Denial of Service.
https://github.com/net-snmp/net-snmp/issues/474
https://gist.github.com/menglong2234/b7bc13ae1a144f47cc3c95a7ea062428
CVE-2022-44793[1]:
| handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-
| SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be
| used by a remote attacker to cause the instance to crash via a crafted
| UDP packet, resulting in Denial of Service.
https://github.com/net-snmp/net-snmp/issues/475
https://gist.github.com/menglong2234/d07a65b5028145c9f4e1d1db8c4c202f
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-44792
https://www.cve.org/CVERecord?id=CVE-2022-44792
[1] https://security-tracker.debian.org/tracker/CVE-2022-44793
https://www.cve.org/CVERecord?id=CVE-2022-44793
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 13 Nov 2022 19:51:06 GMT) (full text, mbox, link).
Marked as found in versions net-snmp/5.9.3+dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 13 Nov 2022 19:51:10 GMT) (full text, mbox, link).
Marked as found in versions net-snmp/5.9+dfsg-4+deb11u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 13 Nov 2022 19:51:10 GMT) (full text, mbox, link).
Marked as found in versions net-snmp/5.9+dfsg-4.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 13 Nov 2022 19:51:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Nov 14 07:17:38 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon