Bug 12880 - net-snmp new denial of service security issues (CVE-2014-2284, CVE-2014-2285)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/589937/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update

Reported: 2014-02-26 02:46 CET by David Walser
Modified: 2014-03-07 17:05 CET (History)
Source RPM: net-snmp-5.7.2-14.mga5.src.rpm

Description David Walser 2014-02-26 02:46:22 CET
Upstream has announced a new version that fixes a security issue:
http://freecode.com/projects/net-snmp/releases/361848

The text there matches that in the CHANGES and NEWS files in the upstream tarball:
"A denial of service attack vector was discovered in the Linux implementation of the ICMP-MIB. This release fixes this bug, and all users are encouraged to update their SNMP agent if they make use of the ICMP-MIB table objects."

I don't recall seeing a CVE request for this issue.

The upstream commit is here:
http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/

I have checked the patch into Mageia 3, Mageia 4, and Cauldron SVN.

Comment 1 David Walser 2014-03-05 12:37:57 CET
CVE request for this issue, as well as another:
http://www.openwall.com/lists/oss-security/2014/03/05/2

Comment 2 David Walser 2014-03-05 21:54:23 CET
For posterity, the issue in the initial report on this bug was fixed upstream in 5.7.2.1.

There is another denial of service issue in snmptrapd fixed with a patch upstream:
http://sourceforge.net/p/net-snmp/patches/1275/

Both of these issues have been assigned CVEs:
http://openwall.com/lists/oss-security/2014/03/05/9

More information is available on the Red Hat bugs linked in that message.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated net-snmp packages fix security vulnerabilities:

Remotely exploitable denial of service vulnerability in Net-SNMP, in the
Linux implementation of the ICMP-MIB, making the SNMP agent vulnerable if it
is making use of the ICMP-MIB table objects (CVE-2014-2284).

Remotely exploitable denial of service vulnerability in Net-SNMP, in
snmptrapd, due to how it handles trap requests with an empty community string
when the perl handler is enabled (CVE-2014-2285).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2284
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2285
http://freecode.com/projects/net-snmp/releases/361848
http://openwall.com/lists/oss-security/2014/03/05/9
https://bugzilla.redhat.com/show_bug.cgi?id=1070396
https://bugzilla.redhat.com/show_bug.cgi?id=1072778
========================

Updated packages in core/updates_testing:
========================
net-snmp-5.7.2-7.2.mga3
libnet-snmp30-5.7.2-7.2.mga3
libnet-snmp-devel-5.7.2-7.2.mga3
libnet-snmp-static-devel-5.7.2-7.2.mga3
net-snmp-utils-5.7.2-7.2.mga3
net-snmp-tkmib-5.7.2-7.2.mga3
net-snmp-mibs-5.7.2-7.2.mga3
net-snmp-trapd-5.7.2-7.2.mga3
perl-NetSNMP-5.7.2-7.2.mga3
python-netsnmp-5.7.2-7.2.mga3
net-snmp-5.7.2-13.1.mga4
libnet-snmp30-5.7.2-13.1.mga4
libnet-snmp-devel-5.7.2-13.1.mga4
libnet-snmp-static-devel-5.7.2-13.1.mga4
net-snmp-utils-5.7.2-13.1.mga4
net-snmp-tkmib-5.7.2-13.1.mga4
net-snmp-mibs-5.7.2-13.1.mga4
net-snmp-trapd-5.7.2-13.1.mga4
perl-NetSNMP-5.7.2-13.1.mga4
python-netsnmp-5.7.2-13.1.mga4

from SRPMS:
net-snmp-5.7.2-7.2.mga3.src.rpm
net-snmp-5.7.2-13.1.mga4.src.rpm

Comment 3 claire robinson 2014-03-06 17:28:57 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

Comment 4 claire robinson 2014-03-06 17:46:12 CET
Advisory uploaded.

Comment 5 claire robinson 2014-03-07 13:08:29 CET
Testing complete mga4 32 & 64

Comment 6 claire robinson 2014-03-07 13:58:19 CET
Testing complete mga3 32 & 64

Validating

Could sysadmin please push to 3 & 4 updates

Thanks

Comment 7 Thomas Backlund 2014-03-07 15:20:58 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0122.html
