Hi, we are not happy yet with those commits because they change a struct without bumping the soname. We are investigating how impactful that is.

On Thu, Jun 25, 2020 at 6:27 PM Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi,
>
> On Thu, Jun 25, 2020 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> > Source: net-snmp
> > Version: 5.8+dfsg-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> >
> > Hi,
> >
> > The following vulnerability was published for net-snmp.
> >
> > CVE-2019-20892[0]:
> > | net-snmp before 5.8.1.pre1 has a double free in
> > | usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk
> > | request. NOTE: this affects net-snmp packages shipped to end users by
> > | multiple Linux distributions, but might not affect an upstream
> > | release.
> >
> > See [1] for the CVE heads-up post, and [2] the Launchpad Bug where the
> > issue originally is tracked from. The issue can be verified with:
> >
> > | # systemctl stop snmpd.service
> > | # cat >> /var/lib/snmp/snmpd.conf << __EOF__
> > | createUser testuser SHA "testpass" AES "testpass"
> > | __EOF__
> > | # cat >> /etc/snmp/snmpd.conf << __EOF__
> > | rwuser testuser
> > | __EOF__
> > | # systemctl start snmpd.service
> > | # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-20892
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
> > [1] https://www.openwall.com/lists/oss-security/2020/06/25/4
> > [2] https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
> >
> > Please adjust the affected versions in the BTS as needed, I'm not sure
> > where the issue has been introduced, but possibly does not affect
> > indeed older suites (please do double check).
>
> In Ubuntu
> https://launchpad.net/~sergiodj/+archive/ubuntu/net-snmp-bug1877027
> was prepared containing a set of commits which seem to address the
> issue (cf. the LP: 1877027 reference).
>
> Regards,
> Salvatore