Bug 493296 (CVE-2012-6151) - <net-analyzer/net-snmp-5.7.2.1: crashes/hangs when AgentX subagent times out (CVE-2012-6151)
Status: RESOLVED FIXED
Alias: CVE-2012-6151
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Reported: 2013-12-04 10:10 UTC by Agostino Sarubbo
Modified: 2014-09-01 21:49 UTC
Description Agostino Sarubbo gentoo-dev 2013-12-04 10:10:58 UTC
From ${URL} :

net-snmp was found to be crashing/hanging due to the heavy load on the subagent AgentX.

Here, snmpd is the master agent, AgentX is the subagent registering to handle a MIB and processing GETNEXT 
requests. When the subagent is under heavy load, requests start to pile up in the queue, replies from the 
subagent arrive too late (per log messages) and eventually the subagent is timed out. When the timeout 
occurs there is a high probability of either a crash (Segfault) or a hang (100% CPU utilisation, tight 
loop in the snmpd code) dependent on the version of the snmpd under test. This also happens when the 
subagent dies unexpectedly with outstanding transactions unserviced.

References:
http://seclists.org/oss-sec/2013/q4/398
http://sourceforge.net/p/net-snmp/bugs/2411/

Patch:
http://sourceforge.net/p/net-snmp/patches/1237/?page=0


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 03:30:03 UTC
CVE-2012-6151 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6151):
  Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and
  processing GETNEXT requests, allows remote attackers to cause a denial of
  service (crash or infinite loop, CPU consumption, and hang) by causing the
  AgentX subagent to timeout.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 02:32:07 UTC
Bug 494574 is being stabilized now for net-analyzer/net-snmp-5.7.2-r1; does it contain the fix for this?
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-08-04 15:18:37 UTC
All other distress have this fixed in 5.7.2, please confirm that this is fixed in the current stable version so that we can release the GLSA.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-08-04 15:19:48 UTC
sorry distributions ... hate auto spelling corrections.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-15 07:29:14 UTC
The CVE said it should be good.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-09-01 21:49:44 UTC
This issue was resolved and addressed in
 GLSA 201409-02 at http://security.gentoo.org/glsa/glsa-201409-02.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).