[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 1663-1] New net-snmp packages fix several vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1663-1                  security@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
November 09, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : net-snmp
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-0960 CVE-2008-2292 CVE-2008-4309
Debian Bugs    : 485945 482333 504150

Several vulnerabilities have been discovered in NET SNMP, a suite of
Simple Network Management Protocol applications. The Common
Vulnerabilities and Exposures project identifies the following problems:
 
CVE-2008-0960
 
    Wes Hardaker reported that the SNMPv3 HMAC verification relies on
    the client to specify the HMAC length, which allows spoofing of
    authenticated SNMPv3 packets.
 
CVE-2008-2292
 
    John Kortink reported a buffer overflow in the __snprint_value
    function in snmp_get causing a denial of service and potentially
    allowing the execution of arbitrary code via a large OCTETSTRING 
    in an attribute value pair (AVP).
 
CVE-2008-4309

    It was reported that an integer overflow in the
    netsnmp_create_subtree_cache function in agent/snmp_agent.c allows   
    remote attackers to cause a denial of service attack via a crafted  
    SNMP GETBULK request.

For the stable distribution (etch), these problems has been fixed in
version 5.2.3-7etch4.
 
For the testing distribution (lenny) and unstable distribution (sid)
these problems have been fixed in version 5.4.1~dfsg-11.

We recommend that you upgrade your net-snmp package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.diff.gz
    Size/MD5 checksum:    94030 2ccd6191c3212980956c30de392825ec
  http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.dsc
    Size/MD5 checksum:     1046 8018cc23033178515298d5583a74f9ff
  http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3.orig.tar.gz
    Size/MD5 checksum:  4006389 ba4bc583413f90618228d0f196da8181

Architecture independent packages:

  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-base_5.2.3-7etch4_all.deb
    Size/MD5 checksum:  1214368 d579d8f28f3d704b6c09b2b480425086
  http://security.debian.org/pool/updates/main/n/net-snmp/tkmib_5.2.3-7etch4_all.deb
    Size/MD5 checksum:   855594 b5ccd827adbcefcca3557fa9ae28cc08

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_alpha.deb
    Size/MD5 checksum:  2169470 265835564ef2b0e2e86a08000461c53b
  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_alpha.deb
    Size/MD5 checksum:   944098 5b903886ee4740842715797e3231602c
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_alpha.deb
    Size/MD5 checksum:  1901802 5486eb1f2a5b076e5342b1dd9cbb12e2
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_alpha.deb
    Size/MD5 checksum:   933202 e3210ba1641079e0c3aaf4a50e89aedd
  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_alpha.deb
    Size/MD5 checksum:   835584 b14db8c5e5b5e2d34799952975f903fb

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_amd64.deb
    Size/MD5 checksum:   932008 fc79672bf64eaabd41ed1c2f4a42c7da
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_amd64.deb
    Size/MD5 checksum:  1890766 ae3832515a97a79b31e0e7f0316356ee
  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_amd64.deb
    Size/MD5 checksum:   835088 62867e9ba9dfca3c7e8ae575d5a478f5
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_amd64.deb
    Size/MD5 checksum:   918844 d2d1bc5f555bc9dba153e2a9a964ffbf
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_amd64.deb
    Size/MD5 checksum:  1557924 5c2a33a015dd44708a9cc7602ca2525c

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_arm.deb
    Size/MD5 checksum:   909974 4c1cef835efc0b7ff3fea54a618eabee
  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_arm.deb
    Size/MD5 checksum:   835284 3ac835d926481c9e0f589b578455ddee
  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_arm.deb
    Size/MD5 checksum:   928252 b98e98b58c61be02e477185293427d5c
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_arm.deb
    Size/MD5 checksum:  1778292 b903adf3d1fa6e7a26f7cafb7bffdd6b
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_arm.deb
    Size/MD5 checksum:  1344158 78b6cf6b2974983e8e3670468da73cd1

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_hppa.deb
    Size/MD5 checksum:   835940 9eeaf116e386dd7733ab2106c662dfa9
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_hppa.deb
    Size/MD5 checksum:  1809132 78bb5f1c12b004d32fa265e6bd99ffa1
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_hppa.deb
    Size/MD5 checksum:  1926116 71c7f3095ffe1bb22e84ade21f32b3a4
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_hppa.deb
    Size/MD5 checksum:   935434 85deac8531b02a0fdf3c9baa21d8e4bd
  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_hppa.deb
    Size/MD5 checksum:   935640 958cb158264f75772864cd5d5c0bf251

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_i386.deb
    Size/MD5 checksum:  1423294 f05c7491a8100684c5085588738f05b5
  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_i386.deb
    Size/MD5 checksum:   833970 cb705c9fe9418cc9348ac935ea7b0ba2
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_i386.deb
    Size/MD5 checksum:   920070 3df41a0c99c41d1bccf6801011cf8ed5
  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_i386.deb
    Size/MD5 checksum:   925914 159b4244ef701edbe0fb8c9685b5b477
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_i386.deb
    Size/MD5 checksum:  1838900 3b7ac7b8fe0da1a3909ee56aba46d464

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_ia64.deb
    Size/MD5 checksum:  2205680 6868a56b1db04627e6921bf7237939a2
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_ia64.deb
    Size/MD5 checksum:   970440 783f0cccabfbcc63590730b3803d164d
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_ia64.deb
    Size/MD5 checksum:  2281114 fd04b505755a3aed0fe4c9baaac84500
  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_ia64.deb
    Size/MD5 checksum:   842690 9f9ca89c3d3ba7c46481e9cd39c242a6
  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_ia64.deb
    Size/MD5 checksum:   962854 c8a32f808d719357a5b6350e2b60794e

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mips.deb
    Size/MD5 checksum:   895414 5dd919d188291cb3727d39b5e06c9e26
  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mips.deb
    Size/MD5 checksum:   927342 28c245db4d8ea82ba4075b27d674d72a
  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mips.deb
    Size/MD5 checksum:   833182 0e0b21e13d77de82bed7a38d30f65e4b
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mips.deb
    Size/MD5 checksum:  1769524 24bdc73a3d20c4046c7741957442c713
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mips.deb
    Size/MD5 checksum:  1717562 977ae5c34a127d32d8f2bf222de9a431

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mipsel.deb
    Size/MD5 checksum:  1755032 cab5c112911465a9ce23a0d2ea44ded9
  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mipsel.deb
    Size/MD5 checksum:   926616 2bf14a3fe74d9f2a523aacc8b04f5282
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mipsel.deb
    Size/MD5 checksum:   895194 b7c9ed37bf83ad92371f5472ac5d917b
  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mipsel.deb
    Size/MD5 checksum:   833098 08b63ba6c3becf25ba2f941a532a7b71
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mipsel.deb
    Size/MD5 checksum:  1720642 1ff7568eb478edee923edb76cf42e9ac

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_powerpc.deb
    Size/MD5 checksum:   941434 bbac9384bd7f88339e2b86fa665208c1
  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_powerpc.deb
    Size/MD5 checksum:   835212 4790d79f8de7f1bee7aabf0473f25268
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_powerpc.deb
    Size/MD5 checksum:  1657890 b91fcf52e80c7196cea0c13df9ac79ef
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_powerpc.deb
    Size/MD5 checksum:  1803262 4d298c9509941390c7b2eb68320ad211
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_powerpc.deb
    Size/MD5 checksum:   928170 b17966a6a61313344ac827b58f32eeef

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_s390.deb
    Size/MD5 checksum:  1409718 2a128cbdce2522ef49604255cff41af2
  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_s390.deb
    Size/MD5 checksum:   931452 d3bb7c3a849cd2b35fa6e4acb19c318d
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_s390.deb
    Size/MD5 checksum:  1834914 67e5b946df18b06b41b3e108d5ddc4e3
  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_s390.deb
    Size/MD5 checksum:   836102 7a4b85e8ea0e50d7213997b5f7d6309f
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_s390.deb
    Size/MD5 checksum:   903864 3f80e78e4e2672aacf3da0690ff24b79

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_sparc.deb
    Size/MD5 checksum:   925336 5824ea607689f3f1bd62a9e6e28f95ae
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_sparc.deb
    Size/MD5 checksum:  1548630 1378d1cf730d3026bc1f01a4ab2ccedb
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_sparc.deb
    Size/MD5 checksum:   918592 28a086f6aa2ee8d510b38c1a177843fc
  http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_sparc.deb
    Size/MD5 checksum:   834186 068cbf2b4774ecf9504b820db26e6f1d
  http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_sparc.deb
    Size/MD5 checksum:  1782014 d39fae5fe0d1397a2a1bd7397d6e850a


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSRawfWz0hbPcukPfAQKr8gf/ey+YyHiWXy1vCzmmbI7Xk2ktHZCEEoBW
4fk2Yzycp7YHF7sJ6b8EIqzlBKiQSR+o+X0804loyanOuH3lBlk+zXeWisuou2jo
sjk4r4VbwUEJkIOHIRJYA3NBnFzzwl7RNkO/xc6QPXqNnYVxouB4XR8DwmwwHK1k
GIJ8TSG/o3Hxl1k77sp8d31FvHoEvSyW/u2aAlcRoEXWVCgMzpREVN/M0+O4LFRM
rrA/0meZxLy/3n9GF9Yo2OCvj5rTZ4yjY6c8iq6hwEopemQUH4OCIVsPBKMQ1uJ0
wdZEvSbQksbBy9yxy0ajeF03IxzCcJia7bBS3/g5F46WU8LUAjkUAw==
=ct1Q
-----END PGP SIGNATURE-----


Reply to: