From ${URL} : A remote denial-of-service flaw was found in the way snmptrapd handled certain SNMP traps when started with the "-OQ" option. If an attacker sent an SNMP trap containing a variable with a NULL type where an integer variable type was expected, it would cause snmptrapd to crash. http://sourceforge.net/p/net-snmp/code/ci/7f4a7b891332899cea26e95be0337aae01648742/ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Arch teams, please test and mark stable: =net-analyzer/net-snmp-5.7.3_pre5-r1 Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
arm stable
alpha stable
ia64 stable
ppc64 stable
ppc stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: Yes
CVE-2014-3565 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3565): snmplib/mib.c in net-snmp 5.7.0 and earlier, when the -OQ option is used, allows remote attackers to cause a denial of service (snmptrapd crash) via a crafted SNMP trap message, which triggers a conversion to the variable type designated in the MIB file, as demonstrated by a NULL type in an ifMtu trap message.
GLSA Vote: Yes, new request filed
This issue was resolved and addressed in GLSA 201507-17 at https://security.gentoo.org/glsa/201507-17 by GLSA coordinator Mikle Kolyada (Zlogene).
