| Summary: | net-snmp new security issue CVE-2012-6151 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | makowski.mageia, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/579462/ | ||
| Whiteboard: | has_procedure advisory mga3-64-ok mga3-32-ok | ||
| Source RPM: | net-snmp-5.7.2-12.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-01-07 23:23:18 CET
David Walser
2014-01-07 23:23:30 CET
Whiteboard:
(none) =>
MGA3TOO net-snmp-5.7.2-13.mga4 uploaded for Cauldron. Philippe, there's a Python issue building this in Mageia 3: http://pkgsubmit.mageia.org/uploads/failure/3/core/updates_testing/20140109150915.luigiwalser.valstar.2925/log/net-snmp-5.7.2-7.1.mga3/build.0.20140109151006.log CC:
(none) =>
makowski.mageia Python issue building net-snmp-5.7.2-7.1.mga3 is fixed http://pkgsubmit.mageia.org/uploads/done/3/core/updates_testing/20140109193545.philippem.valstar.10577 Thanks Philippe! Advisory: ======================== Updated net-snmp packages fix security vulnerability: Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, and hang) by causing the AgentX subagent to timeout (CVE-2012-6151). This update also fixes two other minor issues: IPADDRESS size in python-netsnmp on 64-bit systems and adding btrfs support to hrFSTable. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6151 https://lists.fedoraproject.org/pipermail/package-announce/2014-January/125828.html https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097794.html https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097794.html ======================== Updated packages in core/updates_testing: ======================== net-snmp-5.7.2-7.1.mga3 libnet-snmp30-5.7.2-7.1.mga3 libnet-snmp-devel-5.7.2-7.1.mga3 libnet-snmp-static-devel-5.7.2-7.1.mga3 net-snmp-utils-5.7.2-7.1.mga3 net-snmp-tkmib-5.7.2-7.1.mga3 net-snmp-mibs-5.7.2-7.1.mga3 net-snmp-trapd-5.7.2-7.1.mga3 perl-NetSNMP-5.7.2-7.1.mga3 python-netsnmp-5.7.2-7.1.mga3 from net-snmp-5.7.2-7.1.mga3.src.rpm Assignee:
bugsquad =>
qa-bugs Procedure in bug 6076 # service snmpd start # snmpget -c public localhost system.sysDescr.0 Testing complete mga3 64 Not familiar with this at all, but the PoC doesn't cause a crash in default setup. http://sourceforge.net/p/net-snmp/bugs/2411/ The command from comment 4 gives an error which appears to complain of missing authentication which from a bit of googling appears to be compulsory with v3 so forcing an earlier version v2c and testing as below.. # service snmpd start $ snmpget -v2c -c public localhost system.sysDescr.0 SNMPv2-MIB::sysDescr.0 = STRING: Linux mega 3.10.24-server-2.mga3 #1 SMP Fri Dec 13 20:43:17 UTC 2013 x86_64 $ snmpwalk -v2c -c public localhost Shows a list of 'stuff' Whiteboard:
(none) =>
has_procedure mga3-64-ok Testing complete mga3 32 Whiteboard:
has_procedure mga3-64-ok =>
has_procedure mga3-64-ok mga3-32-ok Advisory uploaded. Validating Could sysadmin please push from 3 core/updates_testing to updates Thanks Keywords:
(none) =>
validated_update Update pushed: http://advisories.mageia.org/MGASA-2014-0019.html Status:
NEW =>
RESOLVED |