Your message dated Thu, 28 Jul 2022 20:58:24 +1000
with message-id
<caly8cw4vo1tmkmxtzf+euvxho4n_ywsjfl1k3jico8xqaqb...@mail.gmail.com>
and subject line Fixed in net-snmp 5.9.3+dfsg-1
has caused the Debian Bug report #1016139,
regarding net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807
CVE-2022-24806 CVE-2022-24805
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1016139: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016139
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: net-snmp
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for net-snmp.
5.9.3 fixes the following issues:
- These two CVEs can be exploited by a user with read-only credentials:
- CVE-2022-24805 A buffer overflow in the handling of the INDEX of
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
- CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
- CVE-2022-24806 Improper Input Validation when SETing malformed
OIDs in master agent and subagent simultaneously
- CVE-2022-24807 A malformed OID in a SET request to
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
out-of-bounds memory access.
- CVE-2022-24808 A malformed OID in a SET request to
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
- CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
If you must use SNMPv1 or SNMPv2c, use a complex community string
and enhance the protection by restricting access to a given IP address
range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
reporting the following CVEs that have been fixed in this release, and
to Arista Networks for providing fixes.
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: net-snmp
Version: 5.9.3+dfsg-1
I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
changelog.
I'm trying to find where they've made the changes to see if it is possible
to get at least bullseye fixed.
--- End Message ---
