[SECURITY] [DLA 2299-1] net-snmp security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2299-1] net-snmp security update
From: "Chris Lamb" <lamby@debian.org>
Date: Thu, 30 Jul 2020 11:59:06 +0100
Message-id: <[🔎] 159610648098.3815835.13866899159466839389@tinycat.chris-lamb.co.uk>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : net-snmp
Version        : 5.7.3+dfsg-1.7+deb9u2
Debian Bug     : #965166

A privilege escalation vulnerability vulnerability was discovered in
Net-SNMP, a set of tools for collecting and organising information
about devices on computer networks.

Upstream notes that:

* It is still possible to enable this MIB via the
  --with-mib-modules configure option.

* Another MIB that provides similar functionality, namely
  ucd-snmp/extensible, is disabled by default.

* The security risk of ucd-snmp/pass and ucd-snmp/pass_persist is
  lower since these modules only introduce a security risk if the
  invoked scripts are exploitable.


For Debian 9 "Stretch", this issue has been fixed in net-snmp version
5.7.3+dfsg-1.7+deb9u2.

We recommend that you upgrade your net-snmp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl8ipu4ACgkQHpU+J9Qx
HliITw/9H3ImNPiBifHl3+3YhLaFME7/0QbkBK9LEJZHz2MEg2bjNUOQFbVFbQ7u
0ZAW2q6KbWqM48bczv48ZgBs2Zu/2igcuiHyCjYN78B6sPeKkqUyeobnpu3bvzV5
ArMs7PWKJbQHaSbrn7UAEtT6lKajDGBMkyeF8XTXhBKDJfC1OYGzi4NErNW6Ek9e
7t0iEXvnsXdyUAF+WlHdvortQg1kT6/fYx4Yg/6soYfREHbLukrC8D7wnnik1Ssz
J/m85FXqFitZEpKXBEqPFqdHaykoYVoFehXavIEOtLGMSmuW+eXLqNUiQW5jL0jY
tv6Cf5IdU81Gc1XXHuJ+Yg/Yz+w7YkHiYX+VWQMdvYp2mF70AKrafEtwWXZ8ZKca
lK4N1lLmtbTJmdxEMAyTFeyEH0U5s/UkKCG07coa58uLY56u69FOcUiHpbASAeLp
iGLafbByqXvkuD996FWl32E12uhYajtGJo/2k9WiQgQwf3kmlFyosqGj6kdX5NtP
QmWXNTzIpB2hn4zoSsB5dpBDJksClhqd8a37xdiBa15qp0jb1Vw0+mbh/oILzSuu
pvFbLf5VuZoPMSV5IC46lRAFpJr7GleXuaXmIwhZe8hF7v4zTfHhQVc7Q2jWwBzt
CbK/+1jDDXUwAUpnjP1HnQ1ZFQ8kOgDdgVw/9AcbI6v1T/A862s=
=5KZK
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2298-1] libapache2-mod-auth-openidc security update
Next by Date: [SECURITY] [DLA 2300-1] kdepim-runtime security update
Previous by thread: [SECURITY] [DLA 2298-1] libapache2-mod-auth-openidc security update
Next by thread: [SECURITY] [DLA 2300-1] kdepim-runtime security update
Index(es):
- Date
- Thread