[SECURITY] [DLA 2393-1] snmptt security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2393-1] snmptt security update
From: Abhijith PA <abhijith@disroot.org>
Date: Fri, 2 Oct 2020 23:40:16 +0530
Message-id: <[🔎] 53a4a56f-80a8-ebc9-ea38-1515d6fbd377@disroot.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2393-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
October 01, 2020                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : snmptt
Version        : 1.4-1+deb9u1
CVE ID         : CVE-2020-24361

It was found that SNMP Trap Translator does not drop privileges as
configured and does not properly escape shell commands in certain
functions. A remote attacker, by sending a malicious crafted SNMP trap,
could possibly execute arbitrary shell code with the privileges of the
process or cause a Denial of Service condition.

For Debian 9 stretch, this problem has been fixed in version
1.4-1+deb9u1.

We recommend that you upgrade your snmptt packages.

For the detailed security status of snmptt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/snmptt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl93bQEACgkQhj1N8u2c
KO9knQ/9HwMgeN0a1W8Q2fwKz/G1yuBIvjYtrUE8Xeqi3rdPWGc4rTtiN8qKUSrD
wBX+gy8KjIpR/DfFztxqE3OaWhRZV4PoLJlaWFtisxGgaMWvXPBKzsH0AI8Rx0xz
6F2JtGjUyePKFEFMkTvIHEKwmTXIBMBJdDIrh8qUtcxTlKBZWk4s4wUUPTjlfo5u
d17wG2WGxH/oJP8ljkWsemf2+GZrI9iydMHq5rHeWlMtU18t9SoLLl05EX2SPCUA
cVN2wFryxOAbAf6QMiLvMb3gQPLjZi19sZCFC8r+YgwoO6GSqFAMK/owC6bwMdYE
p+Uf12Surwo5xK9b0CBr04TYFtUJnsWSh9E7uh1qGVw5pm7OSfmv/2lKSqz+z0ar
d9JKnBFhjifGYBhw8Bli6iFfi47o8YgSSChGYs221MxLywqaaL27DI3znjPjs194
tVQoV+AEZ07KHPffVzk13r/xU+gTh4muyAb42p85IKhh48wqC6whpjYIM7heosbs
kXgzHutpLGgmkPRxrj/E5ij2UN01pINMQ2jy2rTCvtfoF6yBdiuzwxOz1o5TJDhg
DRyyThBUmZQP6gk3R/mpYlKXbWQaCtHBtOAFk5XsOyJ7Lg3ecrvQTnXXgrRrF59K
AClEcUxhoA9kik7duv+u3G/AtCLVq12ouPDYqbHtERQ8rsxlQgE=
=z42s
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2394-1] squid3 security update
Next by Date: [SECURITY] [DLA 2396-1] tigervnc security update
Previous by thread: [SECURITY] [DLA 2394-1] squid3 security update
Next by thread: [SECURITY] [DLA 2396-1] tigervnc security update
Index(es):
- Date
- Thread