** Please note that this issue is confidential at the moment and no information should be disclosed until it is made public ** We have been contacted by CERT/CC about the following issue: <quote> According to net-snmp project: "The quick technical summary is that the SNMPv3 packet contains a truncated HMAC authentication code. The author that wrote the code very very long ago to check that HMAC code used the length of the packet's version of the HMAC code to do the check. Thus if you send a single byte HMAC code, it'll only check it against the first byte of HMAC output. Thus it's fairly easy to spoof an authenticated SNMPv3 packet. </quote>
Created attachment 155709 [details, diff] patch for CVE-2008-0960
pva/falco/vapier since you are all in netmon herd anyways, please prepare an ebuild with the patch and attach it here. Do not commit anything to the tree until this issue is made public.
Created attachment 155745 [details, diff] net-snmp-5.4.1-CVE-2008-0960.patch Thank you Matthias. Attached patch was corrupted one. Attaching correct one.
BTW, I don't see any rush with this security fix. I'm going to bump net-snmp now to fix quite a number of bugs, after that I'd like to have at least 2 weeks for feedback on patches I've backported from upstream and only after that stabilize this package... Also we have another security fix for this package in queue so it's better to test stabilize them together, I suppose.
Now public via URL. "Fixed version: Net-SNMP >= 5.4.1.1, >= 5.3.2.1, >= 5.2.4.1" Peter, take the time you want to test this issue,
5.4.1.1 is ready to go stable together with autoconf-2.61-r2 (which should be stabilized in bug 227603). Target keywords: net-analyzer/net-snmp-5.4.1.1: alpha amd64 arm hppa ia64 ppc64 ppc s390 sh sparc x86
x86 stable
pva, I'm adding release@, or did you handle this yourself already?
ppc64 stable
amd64 stable
alpha/ia64/sparc stable
Stable for HPPA.
ppc done
GLSA vote, YES for me.
YES too, filing request.
2008.0 is out, so no need to keep release on the CC list.
GLSA 200808-02