Fedora has issued an advisory on December 5: https://lists.fedoraproject.org/pipermail/package-announce/2014-January/125828.html I've added patches in SVN to fix that, as well as a couple of other minor bugs: https://bugzilla.redhat.com/show_bug.cgi?id=895357 https://bugzilla.redhat.com/show_bug.cgi?id=965348 I've requested a freeze push for Cauldron. The patches are in Mageia 3 SVN also. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
net-snmp-5.7.2-13.mga4 uploaded for Cauldron. Philippe, there's a Python issue building this in Mageia 3: http://pkgsubmit.mageia.org/uploads/failure/3/core/updates_testing/20140109150915.luigiwalser.valstar.2925/log/net-snmp-5.7.2-7.1.mga3/build.0.20140109151006.log
CC: (none) => makowski.mageiaVersion: Cauldron => 3Whiteboard: MGA3TOO => (none)
Python issue building net-snmp-5.7.2-7.1.mga3 is fixed http://pkgsubmit.mageia.org/uploads/done/3/core/updates_testing/20140109193545.philippem.valstar.10577
Thanks Philippe! Advisory: ======================== Updated net-snmp packages fix security vulnerability: Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, and hang) by causing the AgentX subagent to timeout (CVE-2012-6151). This update also fixes two other minor issues: IPADDRESS size in python-netsnmp on 64-bit systems and adding btrfs support to hrFSTable. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6151 https://lists.fedoraproject.org/pipermail/package-announce/2014-January/125828.html https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097794.html https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097794.html ======================== Updated packages in core/updates_testing: ======================== net-snmp-5.7.2-7.1.mga3 libnet-snmp30-5.7.2-7.1.mga3 libnet-snmp-devel-5.7.2-7.1.mga3 libnet-snmp-static-devel-5.7.2-7.1.mga3 net-snmp-utils-5.7.2-7.1.mga3 net-snmp-tkmib-5.7.2-7.1.mga3 net-snmp-mibs-5.7.2-7.1.mga3 net-snmp-trapd-5.7.2-7.1.mga3 perl-NetSNMP-5.7.2-7.1.mga3 python-netsnmp-5.7.2-7.1.mga3 from net-snmp-5.7.2-7.1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Procedure in bug 6076 # service snmpd start # snmpget -c public localhost system.sysDescr.0
Testing complete mga3 64 Not familiar with this at all, but the PoC doesn't cause a crash in default setup. http://sourceforge.net/p/net-snmp/bugs/2411/ The command from comment 4 gives an error which appears to complain of missing authentication which from a bit of googling appears to be compulsory with v3 so forcing an earlier version v2c and testing as below.. # service snmpd start $ snmpget -v2c -c public localhost system.sysDescr.0 SNMPv2-MIB::sysDescr.0 = STRING: Linux mega 3.10.24-server-2.mga3 #1 SMP Fri Dec 13 20:43:17 UTC 2013 x86_64 $ snmpwalk -v2c -c public localhost Shows a list of 'stuff'
Whiteboard: (none) => has_procedure mga3-64-ok
Testing complete mga3 32
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
Advisory uploaded. Validating Could sysadmin please push from 3 core/updates_testing to updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure advisory mga3-64-ok mga3-32-okCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0019.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED