** Please note that this issue is confidential at the moment and no information should be disclosed until it is made public **
We have been contacted by CERT/CC about the following issue:
According to net-snmp project:
"The quick technical summary is that the SNMPv3 packet contains a truncated HMAC authentication code. The author that wrote the code very very long ago to check that HMAC code used the length of the packet's version of the HMAC code to do the check. Thus if you send a single byte HMAC code, it'll only check it against the first byte of HMAC output. Thus it's fairly easy to spoof an authenticated SNMPv3
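The check pattern the upstream summary describes, as an added illustration that is not net-snmp's code or part of this bug report: the flawed comparison takes its length from the packet's own authentication field, while the corrected one requires the full 12-byte USM tag and compares it in constant time. The MAC bytes are a constructed stand-in for the receiver's recomputed HMAC.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* USM HMAC-MD5-96 / HMAC-SHA-96 carry a 12-byte truncated MAC (RFC 3414). */
#define USM_AUTH_PARAM_LEN 12

/* Flawed shape of the check, reconstructed from the summary above (not the
 * actual net-snmp source): the comparison length comes from the packet's
 * msgAuthenticationParameters, so a shorter field is compared over fewer
 * bytes of the real MAC than the algorithm requires. */
int check_auth_flawed(const uint8_t *pkt_mac, size_t pkt_mac_len,
                      const uint8_t *computed_mac)
{
    return memcmp(pkt_mac, computed_mac, pkt_mac_len) == 0;
}

/* Hardened check: reject any field that is not exactly the mandated length,
 * then compare all of it without early exit (no length- or byte-dependent
 * timing). */
int check_auth_fixed(const uint8_t *pkt_mac, size_t pkt_mac_len,
                     const uint8_t *computed_mac)
{
    uint8_t diff = 0;
    size_t i;
    if (pkt_mac_len != USM_AUTH_PARAM_LEN)
        return 0;
    for (i = 0; i < USM_AUTH_PARAM_LEN; i++)
        diff |= pkt_mac[i] ^ computed_mac[i];
    return diff == 0;
}

/* Constructed sample: stands in for the first 12 bytes of the HMAC the
 * receiver recomputes over the message with the user's authKey. */
static const uint8_t kComputedMac[USM_AUTH_PARAM_LEN] = {
    0x7a, 0x01, 0x9c, 0x3e, 0x55, 0xd2, 0x10, 0x8b, 0xf4, 0x6e, 0x27, 0xc9
};

/* Returns 1 when the flawed check accepts a 1-byte field that the fixed
 * check rejects, i.e. when the two behave as the summary describes. */
int demo_truncated_tag(void)
{
    uint8_t one_byte[1] = { 0x7a };   /* only the first MAC byte present */
    int flawed = check_auth_flawed(one_byte, sizeof one_byte, kComputedMac);
    int fixed  = check_auth_fixed(one_byte, sizeof one_byte, kComputedMac);
    printf("flawed check accepts 1-byte field: %d\n", flawed);
    printf("fixed check accepts 1-byte field:  %d\n", fixed);
    return flawed && !fixed;
}

int main(void) { return demo_truncated_tag() ? 0 : 1; }
```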
Created attachment 155709 [details, diff]
patch for CVE-2008-0960
pva/falco/vapier since you are all in netmon herd anyways, please prepare an ebuild with the patch and attach it here.
Do not commit anything to the tree until this issue is made public.
Created attachment 155745 [details, diff]
Thank you Matthias. The attached patch was a corrupted one. Attaching the correct one.
BTW, I don't see any rush with this security fix. I'm going to bump net-snmp now to fix quite a number of bugs; after that I'd like to have at least 2 weeks for feedback on patches I've backported from upstream, and only after that stabilize this package... Also, we have another security fix for this package in the queue, so it's better to test and stabilize them together, I suppose.
Now public via URL.
Net-SNMP >= 22.214.171.124, >= 126.96.36.199, >= 188.8.131.52"
Peter, take the time you want to test this issue,
184.108.40.206 is ready to go stable together with autoconf-2.61-r2 (which should be stabilized in bug 227603).
net-analyzer/net-snmp-220.127.116.11: alpha amd64 arm hppa ia64 ppc64 ppc s390 sh sparc x86
pva, I'm adding release@, or did you handle this yourself already?
Stable for HPPA.
GLSA vote, YES for me.
YES too, filing request.
2008.0 is out, so no need to keep release on the CC list.