From ${URL} :

It was reported [1],[2] that the AgentX subagent of net-snmp could be stalled when a manager sent a multi-object request with a different number of subids. This could lead to a denial of service.

This has been corrected upstream in version 5.4.4 [3];

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684388
[2] http://seclists.org/oss-sec/2014/q1/513
[3] http://sourceforge.net/p/net-snmp/patches/1113/

@security: please file the request for the GLSA.
(In reply to Agostino Sarubbo from comment #0)
> From ${URL} :
>
> It was reported [1],[2] that the AgentX subagent of net-snmp could be stalled
> when a manager sent a
> multi-object request with a different number of subids. This could lead to a
> denial of service.
>
> This has been corrected upstream in version 5.4.4 [3];

And the full quotation is:

"This has been corrected upstream in version 5.4.4 [3]; only earlier versiona[sic] are affected. This means that Fedora and Red Hat Enterprise Linux 6 are not affected, however Red Hat Enterprise Linux 5 does ship a vulnerable version (5.3.x)."

5.3.x left the tree in 2007, 5.4.x in 2012.

Ad [3]: The patch is from 2010 and was accepted in 5.3.x and later. The first clean version to enter the tree was probably 5.6.1, which never went stable, but 5.7.2_rc1 did in 2012 (bug #431752).

So it's basically a bug in RH and Debian.
CVE-2014-2310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2310): The AgentX subagent in Net-SNMP before 5.4.4 allows remote attackers to cause a denial of service (hang) by sending a multi-object request with an Object ID (OID) containing more subids than previous requests, a different vulnerability than CVE-2012-6151.
Maintainers, thank you for your confirmation work. No GLSA needed since we are not vulnerable, closing.