Summary: | net-analyzer/net-snmp <5.4.1.1 truncated HMAC authentication code (CVE-2008-0960)
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Status: | RESOLVED FIXED
Severity: | normal
Priority: | High
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Matthias Geerdsen (RETIRED) <vorlon>
Assignee: | Gentoo Security <security>
CC: | netmon, wolf31o2
URL: | http://www.ocert.org/advisories/ocert-2008-006.html
Whiteboard: | B3 [glsa]
Runtime testing required: | ---
Bug Depends on: | 227603
Bug Blocks: | 222265

Description
Matthias Geerdsen (RETIRED)
2008-06-06 10:50:14 UTC
Created attachment 155709
patch for CVE-2008-0960

pva/falco/vapier since you are all in netmon herd anyways, please prepare an ebuild with the patch and attach it here. Do not commit anything to the tree until this issue is made public.

Created attachment 155745
net-snmp-5.4.1-CVE-2008-0960.patch
Thank you Matthias. Attached patch was corrupted one. Attaching correct one.
BTW, I don't see any rush with this security fix. I'm going to bump net-snmp now to fix quite a number of bugs, after that I'd like to have at least 2 weeks for feedback on patches I've backported from upstream and only after that stabilize this package... Also we have another security fix for this package in queue so it's better to test stabilize them together, I suppose.

Now public via URL. "Fixed version: Net-SNMP >= 5.4.1.1, >= 5.3.2.1, >= 5.2.4.1"

Peter, take the time you want to test this issue, 5.4.1.1 is ready to go stable together with autoconf-2.61-r2 (which should be stabilized in bug 227603).

Target keywords: net-analyzer/net-snmp-5.4.1.1: alpha amd64 arm hppa ia64 ppc64 ppc s390 sh sparc x86

x86 stable

pva, I'm adding release@, or did you handle this yourself already?

ppc64 stable

amd64 stable

alpha/ia64/sparc stable

Stable for HPPA.

ppc done

GLSA vote, YES for me.

YES too, filing request.

2008.0 is out, so no need to keep release on the CC list.

GLSA 200808-02