A DoS security issue in net-snmp was fixed upstream: https://bugzilla.redhat.com/show_bug.cgi?id=1212408 A CVE was requested in this thread: http://openwall.com/lists/oss-security/2015/04/16/15 Mageia 4 and Mageia 5 are affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
Still no response to the CVE request. Upstream patch checked into Mageia 4 and Cauldron SVN. Freeze push requested.
Patched packages uploaded for Mageia 4 and Cauldron. Testing Procedure: https://bugs.mageia.org/show_bug.cgi?id=12236#c5 Advisory: ======================== Updated net-snmp packages fix security vulnerability: It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables. A remote, unauthenticated attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code. References: https://bugzilla.redhat.com/show_bug.cgi?id=1212408 ======================== Updated packages in core/updates_testing: ======================== net-snmp-5.7.2-13.3.mga4 libnet-snmp30-5.7.2-13.3.mga4 libnet-snmp-devel-5.7.2-13.3.mga4 libnet-snmp-static-devel-5.7.2-13.3.mga4 net-snmp-utils-5.7.2-13.3.mga4 net-snmp-tkmib-5.7.2-13.3.mga4 net-snmp-mibs-5.7.2-13.3.mga4 net-snmp-trapd-5.7.2-13.3.mga4 perl-NetSNMP-5.7.2-13.3.mga4 python-netsnmp-5.7.2-13.3.mga4 from net-snmp-5.7.2-13.3.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => has_procedure
Works fine in VBox i586 (32-bit) and x86-64 (64-bit) VMs. Adding MGA-OKs.
CC: (none) => shlomifWhiteboard: has_procedure => MGA4-64-OK has_procedure MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates Thanks!
Keywords: (none) => validated_updateWhiteboard: MGA4-64-OK has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0187.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/643228/
This has finally been assigned CVE-2015-5621: http://openwall.com/lists/oss-security/2015/07/31/1
Summary: net-snmp new DoS security issue => net-snmp new DoS security issue (CVE-2015-5621)
URL: http://lwn.net/Vulnerabilities/643228/ => http://lwn.net/Vulnerabilities/654880/