| Summary: | net-snmp new security issues CVE-2022-4479[23] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | net-snmp-5.9-1.1.mga8.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2023-01-10 14:40:15 CET
David Walser
2023-01-10 14:40:27 CET
Status comment: (none) => Patches available from upstream and Ubuntu

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. (CVE-2022-44792)

handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. (CVE-2022-44793)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44793
https://ubuntu.com/security/notices/USN-5795-1
========================

Updated packages in core/updates_testing:
========================
lib(64)net-snmp40-5.9-1.2.mga8
lib(64)net-snmp-devel-5.9-1.2.mga8
net-snmp-5.9-1.2.mga8
net-snmp-mibs-5.9-1.2.mga8
net-snmp-tkmib-5.9-1.2.mga8
net-snmp-trapd-5.9-1.2.mga8
net-snmp-utils-5.9-1.2.mga8
perl-NetSNMP-5.9-1.2.mga8
python3-netsnmp-5.9-1.2.mga8

from SRPM:
net-snmp-5.9-1.2.mga8.src.rpm

Status comment: Patches available from upstream and Ubuntu => (none)
Nicolas Salguero
2023-01-10 16:42:27 CET
Source RPM: net-snmp-5.9.3-1.mga9.src.rpm => net-snmp-5.9-1.1.mga8.src.rpm

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 30697 Comment 5 for testing

```
# systemctl start snmpd
# systemctl -l status snmpd
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
     Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-01-16 11:52:58 CET; 17s ago
   Main PID: 12485 (snmpd)
      Tasks: 1 (limit: 4364)
     Memory: 3.7M
        CPU: 193ms
     CGroup: /system.slice/snmpd.service
             └─12485 /usr/sbin/snmpd -LS0-4d -f

Jan 16 11:52:56 mach7.hviaene.thuis systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Jan 16 11:52:58 mach7.hviaene.thuis systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..

$ snmpget -v2c -c public localhost system.sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux mach7.hviaene.thuis 5.15.82-server-1.mga8 #1 SMP Thu Dec 8 23:38:11 UTC 2022 x86_64

$ snmpwalk -v2c -c public localhost
SNMPv2-MIB::sysDescr.0 = STRING: Linux mach7.hviaene.thuis 5.15.82-server-1.mga8 #1 SMP Thu Dec 8 23:38:11 UTC 2022 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9672) 0:01:36.72
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: mach7.hviaene.thuis
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (6) 0:00:00.06
```

etc ..... at the end:

```
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (351025) 0:58:30.25
HOST-RESOURCES-MIB::hrSystemUptime.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
```

looks OK.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in comment 1.

Keywords: (none) => validated_update
Dave Hodgins
2023-01-24 01:16:11 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0015.html

Resolution: (none) => FIXED