+*5.9.2*: + security: + - These two CVEs can be exploited by a user with read-only credentials: + - CVE-2022-24805 A buffer overflow in the handling of the INDEX of + NET-SNMP-VACM-MIB can cause an out-of-bounds memory access. + - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable + can cause a NULL pointer dereference. + - These CVEs can be exploited by a user with read-write credentials: + - CVE-2022-24806 Improper Input Validation when SETing malformed + OIDs in master agent and subagent simultaneously + - CVE-2022-24807 A malformed OID in a SET request to + SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an + out-of-bounds memory access. + - CVE-2022-24808 A malformed OID in a SET request to + NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference + - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable + can cause a NULL pointer dereference. + - To avoid these flaws, use strong SNMPv3 credentials and do not share them. + If you must use SNMPv1 or SNMPv2c, use a complex community string + and enhance the protection by restricting access to a given IP address range. + - Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for + reporting the following CVEs that have been fixed in this release, and + to Arista Networks for providing fixes.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2f6635d7773958a92d502d57fabd9edfa185d59 commit b2f6635d7773958a92d502d57fabd9edfa185d59 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-07-01 08:38:00 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-07-01 08:40:38 +0000 net-analyzer/net-snmp: add 5.9.2 Bug: https://bugs.gentoo.org/855500 Signed-off-by: Sam James <sam@gentoo.org> net-analyzer/net-snmp/Manifest | 1 + .../files/net-snmp-5.9.2-fix-LDFLAGS.patch | 18 ++ ...-snmp-99999999.ebuild => net-snmp-5.9.2.ebuild} | 29 ++- net-analyzer/net-snmp/net-snmp-9999.ebuild | 224 +++++++++++++++++++++ 4 files changed, 263 insertions(+), 9 deletions(-)
GLSA request filed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a22e450ef84569ec67a970a6ea88ae5b017ee6b6 commit a22e450ef84569ec67a970a6ea88ae5b017ee6b6 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-10-22 02:29:21 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-22 02:29:21 +0000 net-analyzer/net-snmp: drop 5.9.1-r2 Bug: https://bugs.gentoo.org/855500 Signed-off-by: John Helmert III <ajak@gentoo.org> net-analyzer/net-snmp/Manifest | 1 - net-analyzer/net-snmp/net-snmp-5.9.1-r2.ebuild | 218 ------------------------- 2 files changed, 219 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=aa0a501598ae2bbf234180c0680abfbf0846cfac commit aa0a501598ae2bbf234180c0680abfbf0846cfac Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-31 01:24:42 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-31 01:40:16 +0000 [ GLSA 202210-29 ] Net-SNMP: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/855500 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-29.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+)
GLSA released, all done!