DSA 1663-1: New net-snmp packages fix several vulnerabilities
Posted on: 11/09/2008 11:55 AM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1663-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
November 09, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : net-snmp
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-0960 CVE-2008-2292 CVE-2008-4309
Debian Bugs : 485945 482333 504150

Several vulnerabilities have been discovered in NET SNMP, a suite of
Simple Network Management Protocol applications. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-0960

Wes Hardaker reported that the SNMPv3 HMAC verification relies on
the client to specify the HMAC length, which allows spoofing of
authenticated SNMPv3 packets.

CVE-2008-2292

John Kortink reported a buffer overflow in the __snprint_value
function in snmp_get causing a denial of service and potentially
allowing the execution of arbitrary code via a large OCTETSTRING
in an attribute value pair (AVP).

CVE-2008-4309

It was reported that an integer overflow in the
netsnmp_create_subtree_cache function in agent/snmp_agent.c allows
remote attackers to cause a denial of service attack via a crafted
SNMP GETBULK request.

For the stable distribution (etch), these problems has been fixed in
version 5.2.3-7etch4.

For the testing distribution (lenny) and unstable distribution (sid)
these problems have been fixed in version 5.4.1~dfsg-11.

We recommend that you upgrade your net-snmp package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.diff.gz
Size/MD5 checksum: 94030 2ccd6191c3212980956c30de392825ec
http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.dsc
Size/MD5 checksum: 1046 8018cc23033178515298d5583a74f9ff
http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3.orig.tar.gz
Size/MD5 checksum: 4006389 ba4bc583413f90618228d0f196da8181

Architecture independent packages:

http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-base_5.2.3-7etch4_all.deb
Size/MD5 checksum: 1214368 d579d8f28f3d704b6c09b2b480425086
http://security.debian.org/pool/updates/main/n/net-snmp/tkmib_5.2.3-7etch4_all.deb
Size/MD5 checksum: 855594 b5ccd827adbcefcca3557fa9ae28cc08

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_alpha.deb
Size/MD5 checksum: 2169470 265835564ef2b0e2e86a08000461c53b
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_alpha.deb
Size/MD5 checksum: 944098 5b903886ee4740842715797e3231602c
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_alpha.deb
Size/MD5 checksum: 1901802 5486eb1f2a5b076e5342b1dd9cbb12e2
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_alpha.deb
Size/MD5 checksum: 933202 e3210ba1641079e0c3aaf4a50e89aedd
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_alpha.deb
Size/MD5 checksum: 835584 b14db8c5e5b5e2d34799952975f903fb

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_amd64.deb
Size/MD5 checksum: 932008 fc79672bf64eaabd41ed1c2f4a42c7da
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_amd64.deb
Size/MD5 checksum: 1890766 ae3832515a97a79b31e0e7f0316356ee
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_amd64.deb
Size/MD5 checksum: 835088 62867e9ba9dfca3c7e8ae575d5a478f5
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_amd64.deb
Size/MD5 checksum: 918844 d2d1bc5f555bc9dba153e2a9a964ffbf
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_amd64.deb
Size/MD5 checksum: 1557924 5c2a33a015dd44708a9cc7602ca2525c

arm architecture (ARM)

http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_arm.deb
Size/MD5 checksum: 909974 4c1cef835efc0b7ff3fea54a618eabee
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_arm.deb
Size/MD5 checksum: 835284 3ac835d926481c9e0f589b578455ddee
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_arm.deb
Size/MD5 checksum: 928252 b98e98b58c61be02e477185293427d5c
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_arm.deb
Size/MD5 checksum: 1778292 b903adf3d1fa6e7a26f7cafb7bffdd6b
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_arm.deb
Size/MD5 checksum: 1344158 78b6cf6b2974983e8e3670468da73cd1

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_hppa.deb
Size/MD5 checksum: 835940 9eeaf116e386dd7733ab2106c662dfa9
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_hppa.deb
Size/MD5 checksum: 1809132 78bb5f1c12b004d32fa265e6bd99ffa1
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_hppa.deb
Size/MD5 checksum: 1926116 71c7f3095ffe1bb22e84ade21f32b3a4
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_hppa.deb
Size/MD5 checksum: 935434 85deac8531b02a0fdf3c9baa21d8e4bd
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_hppa.deb
Size/MD5 checksum: 935640 958cb158264f75772864cd5d5c0bf251

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_i386.deb
Size/MD5 checksum: 1423294 f05c7491a8100684c5085588738f05b5
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_i386.deb
Size/MD5 checksum: 833970 cb705c9fe9418cc9348ac935ea7b0ba2
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_i386.deb
Size/MD5 checksum: 920070 3df41a0c99c41d1bccf6801011cf8ed5
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_i386.deb
Size/MD5 checksum: 925914 159b4244ef701edbe0fb8c9685b5b477
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_i386.deb
Size/MD5 checksum: 1838900 3b7ac7b8fe0da1a3909ee56aba46d464

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_ia64.deb
Size/MD5 checksum: 2205680 6868a56b1db04627e6921bf7237939a2
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_ia64.deb
Size/MD5 checksum: 970440 783f0cccabfbcc63590730b3803d164d
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_ia64.deb
Size/MD5 checksum: 2281114 fd04b505755a3aed0fe4c9baaac84500
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_ia64.deb
Size/MD5 checksum: 842690 9f9ca89c3d3ba7c46481e9cd39c242a6
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_ia64.deb
Size/MD5 checksum: 962854 c8a32f808d719357a5b6350e2b60794e

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mips.deb
Size/MD5 checksum: 895414 5dd919d188291cb3727d39b5e06c9e26
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mips.deb
Size/MD5 checksum: 927342 28c245db4d8ea82ba4075b27d674d72a
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mips.deb
Size/MD5 checksum: 833182 0e0b21e13d77de82bed7a38d30f65e4b
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mips.deb
Size/MD5 checksum: 1769524 24bdc73a3d20c4046c7741957442c713
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mips.deb
Size/MD5 checksum: 1717562 977ae5c34a127d32d8f2bf222de9a431

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mipsel.deb
Size/MD5 checksum: 1755032 cab5c112911465a9ce23a0d2ea44ded9
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mipsel.deb
Size/MD5 checksum: 926616 2bf14a3fe74d9f2a523aacc8b04f5282
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mipsel.deb
Size/MD5 checksum: 895194 b7c9ed37bf83ad92371f5472ac5d917b
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mipsel.deb
Size/MD5 checksum: 833098 08b63ba6c3becf25ba2f941a532a7b71
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mipsel.deb
Size/MD5 checksum: 1720642 1ff7568eb478edee923edb76cf42e9ac

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_powerpc.deb
Size/MD5 checksum: 941434 bbac9384bd7f88339e2b86fa665208c1
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_powerpc.deb
Size/MD5 checksum: 835212 4790d79f8de7f1bee7aabf0473f25268
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_powerpc.deb
Size/MD5 checksum: 1657890 b91fcf52e80c7196cea0c13df9ac79ef
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_powerpc.deb
Size/MD5 checksum: 1803262 4d298c9509941390c7b2eb68320ad211
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_powerpc.deb
Size/MD5 checksum: 928170 b17966a6a61313344ac827b58f32eeef

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_s390.deb
Size/MD5 checksum: 1409718 2a128cbdce2522ef49604255cff41af2
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_s390.deb
Size/MD5 checksum: 931452 d3bb7c3a849cd2b35fa6e4acb19c318d
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_s390.deb
Size/MD5 checksum: 1834914 67e5b946df18b06b41b3e108d5ddc4e3
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_s390.deb
Size/MD5 checksum: 836102 7a4b85e8ea0e50d7213997b5f7d6309f
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_s390.deb
Size/MD5 checksum: 903864 3f80e78e4e2672aacf3da0690ff24b79

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_sparc.deb
Size/MD5 checksum: 925336 5824ea607689f3f1bd62a9e6e28f95ae
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_sparc.deb
Size/MD5 checksum: 1548630 1378d1cf730d3026bc1f01a4ab2ccedb
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_sparc.deb
Size/MD5 checksum: 918592 28a086f6aa2ee8d510b38c1a177843fc
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_sparc.deb
Size/MD5 checksum: 834186 068cbf2b4774ecf9504b820db26e6f1d
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_sparc.deb
Size/MD5 checksum: 1782014 d39fae5fe0d1397a2a1bd7397d6e850a


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSRawfWz0hbPcukPfAQKr8gf/ey+YyHiWXy1vCzmmbI7Xk2ktHZCEEoBW
4fk2Yzycp7YHF7sJ6b8EIqzlBKiQSR+o+X0804loyanOuH3lBlk+zXeWisuou2jo
sjk4r4VbwUEJkIOHIRJYA3NBnFzzwl7RNkO/xc6QPXqNnYVxouB4XR8DwmwwHK1k
GIJ8TSG/o3Hxl1k77sp8d31FvHoEvSyW/u2aAlcRoEXWVCgMzpREVN/M0+O4LFRM
rrA/0meZxLy/3n9GF9Yo2OCvj5rTZ4yjY6c8iq6hwEopemQUH4OCIVsPBKMQ1uJ0
wdZEvSbQksbBy9yxy0ajeF03IxzCcJia7bBS3/g5F46WU8LUAjkUAw==
=ct1Q
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1663_1_new_net_snmp_packages_fix_several_vulnerabilities.html)