Summary: | net-analyzer/net-snmp < 5.4.1-r1 GETBULK Remote DoS (CVE-2007-5846) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | netmon |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/27558/ | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 191550 | ||
Bug Blocks: |
Description
Robert Buchholz (RETIRED)
2007-11-07 12:25:38 UTC
Netmon, please advise. I don't think the CVE entry is correct. 5.4.1 had the patch in question applied already. (Man snmpd.conf; you see the maxGetbulkRepeats and maxGetbulkResponses tunables, which are part of the patch referenced), also ds_agent.h file, etc). I'm sure 5.3.1 is vulnerable. It was released long before the patch was committed. I think we should stable 5.4.1-r1 and clean up the other releases. I don't think we need to carry that many versions of net-snmp in the tree. Any objections? (In reply to comment #2) > I don't think the CVE entry is correct. 5.4.1 had the patch in question > applied already. (Man snmpd.conf; you see the maxGetbulkRepeats and > maxGetbulkResponses tunables, which are part of the patch referenced), also > ds_agent.h file, etc). 5.4 is stable right now, is it affected? > 5.4 is stable right now, is it affected?
Yes, it is. The maxreps patch does apply cleanly on that version, though.
I could do a 5.4-r1 with the patch. 5.4.1 is a bit more complex to stable as it introduced python bindings, which require a dep on MIPS to be stabled first (requested, but not yet done).
Martin it's up to you what fixed version to stable, just we get one to stable:) Er, so the target is net-analyzer/net-snmp-5.4.1-r1 now? Sorry for the spam arches. I forgot to remove you from CC when I discovered there were no clear stable candidate. UnCCing arches for now. Netmon please advise. > Netmon please advise.
>
I think we're better off stabling 5.4.1-r1, but we need to keyword/stable dev-python/setuptools on mips first (191550). Can someone from mips@ help with that?
If that's not viable (i.e. there's some reason we can't keyword and stable setuptools on mips), I have committed a 5.4-r1 with the maxreps patch.
Thanks, Marty
MIPS, please see the blocker of this bug first. Arches, please test and mark stable net-analyzer/net-snmp-5.4.1-r1. Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86" ppc64 stable x86 stable alpha/ia64/sparc stable Stable for HPPA. ppc stable amd64 done Vote is open. Martin, do I see correctly that this vulnerability can be exploited by authenticated users / hosts in usual setups? Or is the SNMP agent designed to be connected publically? According to RedHat this is a DoS for unauthenticated users. Voting YES. yes too, request filed. Unstable on mips. GLSA 200711-31 |