[Pkg-net-snmp-devel] Bug#684388: agentx: CVE-2014-2310: Oversized Object ID

Simon Paillard spaillard at debian.org
Wed Mar 19 14:57:12 UTC 2014


Hello Release team,

On Mon, Mar 17, 2014 at 09:46:50PM +0100, Simon Paillard wrote:
> On Thu, Mar 06, 2014 at 02:43:34PM +0100, Simon Paillard wrote:
> > On Thu, Aug 09, 2012 at 01:32:37PM +0200, Vincent Bernat wrote:
> > > AgentX support is ineffective when a manager requests unrelated OIDs in
> > > the same GET request. snmpd will send those unrelated variables into
> > > the same PDU to the subagent and the subagent will choke with:
> > > 
> > > agentx: Oversized Object ID
> > [..]
> > > The first three OIDs contain 11 subids while the next one has 12
> > > subids. snmpd will try several times to communicate those OIDs to the
> > > subagent and will give up. A manager always requesting the same OID
> > > will never get an answer.
> [..]
> > As the bugfix is already present in testing, would you consider an upload to
> > stable-proposed-updates?
> > http://sources.debian.net/src/net-snmp/5.7.2~dfsg-8.1/agent/mibgroup/agentx/protocol.c#L1774
> 
> NMU debdiff attached.
> 
> I don't know if the security team wants this to be fixed via security updates
> (FTR Red Hat considers this bug not grave,
> https://bugzilla.redhat.com/show_bug.cgi?id=1074631#c3)

debian-security team prefers this bug in stable to be addressed using an upload
in spu instead of issuing a DSA.

Do you agree with this?

As you can see in the bug report and debdiff, the patch is very localized, and
already present in testing.

-- 
Simon Paillard
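The failure described in the quoted report (a subagent rejecting a 12-subid OID after three 11-subid ones arrive in the same PDU) is easiest to reason about with the wire format in front of you. The decoder below is an added example written for this page; it is not net-snmp's protocol.c and not a reproduction of the fix linked above. It implements the AgentX Object Identifier encoding from RFC 2741 section 5.1 (one-byte n_subid, prefix, include and reserved fields, then 4-byte network-order sub-identifiers, a non-zero prefix standing for 1.3.6.1.<prefix>) and checks every OID against one fixed ceiling, MAX_OID_LEN, so the size of an earlier OID in the list has no bearing on a later one. The value 128 for MAX_OID_LEN, the enterprise arc 99999, and the packed OID list are constructed for the example; a real varbind list carries type and value fields between the OIDs that this example leaves out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed ceiling on sub-identifiers per OID. net-snmp uses the same name
 * for its limit; the value here is chosen for this example. */
#define MAX_OID_LEN 128

/* One decoded AgentX Object Identifier (RFC 2741 section 5.1). */
typedef struct {
    uint32_t subids[MAX_OID_LEN];
    size_t   n;        /* sub-identifiers after prefix expansion */
    int      include;  /* RFC 2741 "include" flag */
} agentx_oid;

/* 32-bit value in network byte order (NETWORK_BYTE_ORDER header flag set). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decode one OID from buf. Returns bytes consumed, or 0 for a truncated or
 * oversized OID. The size check is against the fixed MAX_OID_LEN only, never
 * against anything left over from an earlier OID in the same PDU. */
size_t agentx_parse_oid(const uint8_t *buf, size_t len, agentx_oid *out) {
    if (len < 4) return 0;
    uint8_t n_subid = buf[0], prefix = buf[1], include = buf[2];
    size_t need = 4 + 4 * (size_t)n_subid;
    if (len < need) return 0;                          /* truncated PDU */
    if ((size_t)n_subid + (prefix ? 5 : 0) > MAX_OID_LEN)
        return 0;                                      /* "Oversized Object ID" */
    out->n = 0;
    if (prefix) {                                      /* prefix p means 1.3.6.1.p */
        const uint32_t head[5] = {1, 3, 6, 1, prefix};
        memcpy(out->subids, head, sizeof head);
        out->n = 5;
    }
    for (size_t i = 0; i < n_subid; i++)
        out->subids[out->n++] = be32(buf + 4 + 4 * i);
    out->include = include;
    return need;
}

/* Decode OIDs packed back to back (a varbind list with type/value fields
 * omitted). Returns the number decoded, or -1 at the first bad OID. */
int decode_oid_list(const uint8_t *buf, size_t len, agentx_oid *out, size_t max) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if ((size_t)count == max) return -1;
        size_t used = agentx_parse_oid(buf + off, len - off, &out[count]);
        if (used == 0) return -1;
        off += used;
        count++;
    }
    return count;
}

/* Test-side encoder: applies the 1.3.6.1.<prefix> compression when it fits. */
static size_t encode_oid(uint8_t *buf, const uint32_t *subids, size_t n) {
    size_t skip = 0;
    uint8_t prefix = 0;
    if (n >= 5 && subids[0] == 1 && subids[1] == 3 && subids[2] == 6 &&
        subids[3] == 1 && subids[4] <= 255) {
        prefix = (uint8_t)subids[4];
        skip = 5;
    }
    if (n - skip > 255) return 0;
    buf[0] = (uint8_t)(n - skip); buf[1] = prefix; buf[2] = 0; buf[3] = 0;
    for (size_t i = skip; i < n; i++) {
        uint8_t *p = buf + 4 + 4 * (i - skip);
        uint32_t v = subids[i];
        p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
        p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    }
    return 4 + 4 * (n - skip);
}

agentx_oid g_decoded[8];

/* Constructed payload: three distinct 11-subid OIDs followed by one 12-subid
 * OID under a made-up enterprise arc 99999. Returns the number decoded (4). */
int demo_mixed_lengths(void) {
    uint32_t base[12] = {1, 3, 6, 1, 4, 1, 99999, 1, 2, 3, 4, 5};
    uint8_t pdu[256];
    size_t len = 0;
    for (int i = 0; i < 3; i++) {
        base[10] = (uint32_t)(10 + i);              /* 1.3.6.1.4.1.99999.1.2.3.{10,11,12} */
        len += encode_oid(pdu + len, base, 11);
    }
    base[10] = 4;
    len += encode_oid(pdu + len, base, 12);         /* 1.3.6.1.4.1.99999.1.2.3.4.5 */
    return decode_oid_list(pdu, len, g_decoded, 8);
}

/* A header claiming 130 sub-identifiers, with enough bytes behind it, must be
 * rejected on the MAX_OID_LEN check alone. Returns 0 when rejected. */
size_t demo_oversized(void) {
    uint8_t pdu[4 + 4 * 130] = {130, 0, 0, 0};
    agentx_oid tmp;
    return agentx_parse_oid(pdu, sizeof pdu, &tmp);
}

int main(void) {
    int n = demo_mixed_lengths();
    if (n > 0)
        printf("decoded %d OIDs; last one has %zu sub-identifiers\n", n, g_decoded[n - 1].n);
    printf("oversized OID consumed %zu bytes (0 = rejected)\n", demo_oversized());
    return 0;
}
```

The point to carry back to the report: each OID in a PDU is sized by its own header, so the only legitimate per-OID limit is the fixed maximum (here MAX_OID_LEN), and a decoder that works on a list must re-derive that limit for every element rather than reuse state from the previous one.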
