v1.4.1 - July 21st, 2020

* Fixed a security issue with EXEC / PREXEC / unknown_trap_exec that could allow malicious shell code to be executed.
* Fixed a bug with EXEC / PREXEC / unknown_trap_exec that caused commands to be run as root instead of the user defined in daemon_uid.
* Added the snmptt.ini option daemon_gid to allow the gid to be set in addition to the uid. Defaults to 'nobody' if not defined.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2e5927463dcd8e1cb8fb49e14cb9636631a8039

commit b2e5927463dcd8e1cb8fb49e14cb9636631a8039
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-07-22 06:55:06 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-07-22 07:04:50 +0000

    net-analyzer/snmptt: Version 1.4.1

    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Bug: https://bugs.gentoo.org/733478
    Closes: https://bugs.gentoo.org/show_bug.cgi?id=433443
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/snmptt/Manifest            |  1 +
 net-analyzer/snmptt/snmptt-1.4.1.ebuild | 60 +++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)

x86 stable. Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec104869262c49683a690bfa0b2409c48afe2a1e

commit ec104869262c49683a690bfa0b2409c48afe2a1e
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-07-25 09:36:58 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-07-25 09:38:16 +0000

    net-analyzer/snmptt: Old

    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Bug: https://bugs.gentoo.org/733478
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/snmptt/Manifest          |  1 -
 net-analyzer/snmptt/snmptt-1.4.ebuild | 52 -----------------------------------
 2 files changed, 53 deletions(-)

We need to stabilise 1.4.2 instead. 1.4.1 has been yanked due to a problem and the maintainer put out 1.4.2 shortly after instead.
x86 stable. I guess we should cleanup again in case the problem was an incomplete fix.
Cleanup done in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd84225dcdea15ae58eab5f1542e6c0663b756d9.
This issue was resolved and addressed in GLSA 202007-63 at https://security.gentoo.org/glsa/202007-63 by GLSA coordinator Sam James (sam_c).
Assigned: CVE-2020-24361
Description: "SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, PREXEC, or unknown_trap_exec."

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9e88e4d3add589d3e6068027d614349f1675a506

commit 9e88e4d3add589d3e6068027d614349f1675a506
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-16 05:37:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-16 05:37:37 +0000

    [ GLSA 202007-63 ] Add now-assigned CVE-2020-24361

    Bug: https://bugs.gentoo.org/733478
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202007-63.xml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)