Comment 1 Robert Buchholz (RETIRED) 2007-11-07 12:27:16 UTC

Netmon, please advise.

Comment 2 Martin Jackson (RETIRED) 2007-11-08 01:09:46 UTC

I don't think the CVE entry is correct.  5.4.1 had the patch in question applied already.  (Man snmpd.conf; you see the maxGetbulkRepeats and maxGetbulkResponses tunables, which are part of the patch referenced), also ds_agent.h file, etc).

I'm sure 5.3.1 is vulnerable.  It was released long before the patch was committed.

I think we should stable 5.4.1-r1 and clean up the other releases.  I don't think we need to carry that many versions of net-snmp in the tree.

Any objections?

Comment 3 Robert Buchholz (RETIRED) 2007-11-08 03:17:45 UTC

(In reply to comment #2)
> I don't think the CVE entry is correct.  5.4.1 had the patch in question
> applied already.  (Man snmpd.conf; you see the maxGetbulkRepeats and
> maxGetbulkResponses tunables, which are part of the patch referenced), also
> ds_agent.h file, etc).

5.4 is stable right now, is it affected?

Comment 4 Martin Jackson (RETIRED) 2007-11-08 03:30:38 UTC

> 5.4 is stable right now, is it affected?

Yes, it is.  The maxreps patch does apply cleanly on that version, though.

I could do a 5.4-r1 with the patch.  5.4.1 is a bit more complex to stable as it introduced python bindings, which require a dep on MIPS to be stabled first (requested, but not yet done).

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) 2007-11-08 06:46:57 UTC

Martin it's up to you what fixed version to stable, just we get one to stable:)

Comment 6 Jeroen Roovers (RETIRED) 2007-11-08 07:02:35 UTC

Er, so the target is net-analyzer/net-snmp-5.4.1-r1 now?

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) 2007-11-08 07:20:32 UTC

Sorry for the spam arches. I forgot to remove you from CC when I discovered there were no clear stable candidate. UnCCing arches for now.

Netmon please advise.

Comment 8 Martin Jackson (RETIRED) 2007-11-08 12:55:09 UTC

> Netmon please advise.
> 

I think we're better off stabling 5.4.1-r1, but we need to keyword/stable dev-python/setuptools on mips first (191550).  Can someone from mips@ help with that?

If that's not viable (i.e. there's some reason we can't keyword and stable setuptools on mips), I have committed a 5.4-r1 with the maxreps patch.

Thanks, Marty

Comment 9 Robert Buchholz (RETIRED) 2007-11-08 16:59:08 UTC

MIPS, please see the blocker of this bug first.

Arches, please test and mark stable net-analyzer/net-snmp-5.4.1-r1.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"

Comment 10 Markus Rothe (RETIRED) 2007-11-08 19:37:11 UTC

ppc64 stable

Comment 11 Dawid Węgliński (RETIRED) 2007-11-09 14:50:31 UTC

x86 stable

Comment 12 Raúl Porcel (RETIRED) 2007-11-09 15:10:17 UTC

alpha/ia64/sparc stable

Comment 13 Jeroen Roovers (RETIRED) 2007-11-09 18:12:10 UTC

Stable for HPPA.

Comment 14 Tobias Scherbaum (RETIRED) 2007-11-13 19:54:59 UTC

ppc stable

Comment 15 Chris Gianelloni (RETIRED) 2007-11-14 01:07:54 UTC

amd64 done

Comment 16 Robert Buchholz (RETIRED) 2007-11-14 01:30:45 UTC

Vote is open.

Martin, do I see correctly that this vulnerability can be exploited by authenticated users / hosts in usual setups? Or is the SNMP agent designed to be connected publically?

Comment 17 Robert Buchholz (RETIRED) 2007-11-16 00:15:01 UTC

According to RedHat this is a DoS for unauthenticated users.

Voting YES.

Comment 18 Pierre-Yves Rofes (RETIRED) 2007-11-18 22:35:24 UTC

yes too, request filed.

Comment 19 Joshua Kinard 2007-11-19 06:21:07 UTC

Unstable on mips.

Comment 20 Pierre-Yves Rofes (RETIRED) 2007-11-20 22:07:24 UTC

GLSA 200711-31