From ${URL} : It was reported [1] that Net-SNMP releases 5.5 through 5.7.2 were vulnerable to a potential remotely-triggerable denial of service attack on the Linux platform, when the ICMP-MIB is in use. Net-SNMP 5.4.x users, and those who do not make use of the ICMP-MIB table objects, are not vulnerable. This is fixed in git [2]. [1] http://sourceforge.net/p/net-snmp/mailman/message/32026655/ [2] http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
*5.7.2.1* snmpd: - SECURITY: a denial of service attack vector was discovered on the linux implementation of the ICMP-MIB. This release fixes this bug and all users are encouraged to update their SNMP agent if they make use of the ICMP-MIB table objects.
The 5.7.2.1 tarball contains all of the binaries pre-built, and has some other problems. For instance, it second-guesses perl's ARCH_LIB (which is easy to fix) but more importantly, it has developed some new parallel make problems.
(In reply to Jeroen Roovers from comment #2) > The 5.7.2.1 tarball contains all of the binaries pre-built, and has some > other problems. > For instance, it second-guesses perl's ARCH_LIB (which is > easy to fix) That appears to be because it has pre-generated Makefiles in perl/. I'll roll a fresh tarball. Saves around 20 megabytes in downloading.
Arch teams, please test and mark stable: =net-analyzer/net-snmp-5.7.2.1 Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
sparc stable
arm stable
ppc stable
ia64 stable
alpha stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
Arches and Maintainer(s), Thank you for your work. Security please Vote.
GLSA vote: no
CVE-2014-2284 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2284): The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5.5.2.1, 5.6.x before 5.6.2.1, and 5.7.x before 5.7.2.1 does not properly validate input, which allows remote attackers to cause a denial of service via unspecified vectors.
(In reply to Mikle Kolyada from comment #15) > GLSA vote: no nvmd. Added to existing glsa draft.
This issue was resolved and addressed in GLSA 201409-02 at http://security.gentoo.org/glsa/glsa-201409-02.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
