Ubuntu has issued an advisory on August 1:
https://ubuntu.com/security/notices/USN-5543-1

The issues are fixed upstream in 5.9.2. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 5.9.2
Whiteboard: (none) => MGA8TOO
Another which has to be assigned globally.
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this today (August 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/

They updated to 5.9.3.
Debian has issued an advisory for this on August 16:
https://www.debian.org/security/2022/dsa-5209
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause an out-of-bounds memory access. (CVE-2022-24805)

Buffer overflow and out of bounds memory access. (CVE-2022-24806)

A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access. (CVE-2022-24807)

A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference. (CVE-2022-24808)

A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference. (CVE-2022-24809)

A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference. (CVE-2022-24810)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24808
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24810
https://ubuntu.com/security/notices/USN-5543-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/
https://www.debian.org/security/2022/dsa-5209
========================

Updated packages in core/updates_testing:
========================
lib(64)net-snmp40-5.9-1.1.mga8
lib(64)net-snmp-devel-5.9-1.1.mga8
net-snmp-5.9-1.1.mga8
net-snmp-mibs-5.9-1.1.mga8
net-snmp-tkmib-5.9-1.1.mga8
net-snmp-trapd-5.9-1.1.mga8
net-snmp-utils-5.9-1.1.mga8
perl-NetSNMP-5.9-1.1.mga8
python3-netsnmp-5.9-1.1.mga8

from SRPM:
net-snmp-5.9-1.1.mga8.src.rpm
Source RPM: net-snmp-5.9.1-6.mga9.src.rpm => net-snmp-5.9-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 5.9.2 => (none)
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Ref bug 22775 for testing

# systemctl start snmpd
# systemctl -l status snmpd
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
     Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-08-26 10:54:59 CEST; 15s ago
   Main PID: 13581 (snmpd)
      Tasks: 1 (limit: 4364)
     Memory: 3.5M
        CPU: 189ms
     CGroup: /system.slice/snmpd.service
             └─13581 /usr/sbin/snmpd -LS0-4d -f

Aug 26 10:54:58 mach7.hviaene.thuis systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Aug 26 10:54:59 mach7.hviaene.thuis systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..

$ snmpget -v2c -c public localhost system.sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux mach7.hviaene.thuis 5.15.62-server-1.mga8 #1 SMP Sun Aug 21 17:26:50 UTC 2022 x86_64

[tester8@mach7 ~]$ snmpwalk -v2c -c public localhost
SNMPv2-MIB::sysDescr.0 = STRING: Linux mach7.hviaene.thuis 5.15.62-server-1.mga8 #1 SMP Sun Aug 21 17:26:50 UTC 2022 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (7535) 0:01:15.35
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: mach7.hviaene.thuis
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance
SNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB
SNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
SNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (5) 0:00:00.05
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (5) 0:00:00.05
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (5) 0:00:00.05
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (5) 0:00:00.05
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (5) 0:00:00.05
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (5) 0:00:00.05
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (5) 0:00:00.05
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (5) 0:00:00.05
SNMPv2-MIB::sysORUpTime.9 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.10 = Timeticks: (6) 0:00:00.06
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (298094) 0:49:40.94
HOST-RESOURCES-MIB::hrSystemUptime.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

Looks similar to referred bug 22775, thus OK'ing.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0311.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED