Debian Security Advisory
DSA-1663-1 net-snmp -- several vulnerabilities
- Date Reported:
- 09 Nov 2008
- Affected Packages:
- net-snmp
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 485945, Bug 482333, Bug 504150.
In Mitre's CVE dictionary: CVE-2008-0960, CVE-2008-2292, CVE-2008-4309. - More information:
-
Several vulnerabilities have been discovered in NET SNMP, a suite of Simple Network Management Protocol applications. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2008-0960
Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length, which allows spoofing of authenticated SNMPv3 packets.
- CVE-2008-2292
John Kortink reported a buffer overflow in the __snprint_value function in snmp_get causing a denial of service and potentially allowing the execution of arbitrary code via a large OCTETSTRING in an attribute value pair (AVP).
- CVE-2008-4309
It was reported that an integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c allows remote attackers to cause a denial of service attack via a crafted SNMP GETBULK request.
For the stable distribution (etch), these problems has been fixed in version 5.2.3-7etch4.
For the testing distribution (lenny) and unstable distribution (sid) these problems have been fixed in version 5.4.1~dfsg-11.
We recommend that you upgrade your net-snmp package.
- CVE-2008-0960
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.diff.gz
- http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.dsc
- http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3.orig.tar.gz
- http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.dsc
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-base_5.2.3-7etch4_all.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/tkmib_5.2.3-7etch4_all.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/tkmib_5.2.3-7etch4_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_alpha.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_alpha.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_alpha.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_alpha.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_alpha.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_amd64.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_amd64.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_amd64.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_amd64.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_amd64.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_arm.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_arm.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_arm.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_arm.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_arm.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_arm.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_hppa.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_hppa.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_hppa.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_hppa.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_hppa.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_i386.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_i386.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_i386.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_i386.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_i386.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_ia64.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_ia64.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_ia64.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_ia64.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_ia64.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mips.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mips.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mips.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mips.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mips.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mips.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mipsel.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mipsel.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mipsel.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mipsel.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mipsel.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_s390.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_s390.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_s390.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_s390.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_s390.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_sparc.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_sparc.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_sparc.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_sparc.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_sparc.deb
- http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_sparc.deb
MD5 checksums of the listed files are available in the original advisory.