[Pkg-net-snmp-devel] Bug#963713: net-snmp: CVE-2019-20892
Andreas Hasenack
andreas at canonical.com
Thu Jun 25 22:31:13 BST 2020
Hi,
we are not happy yet with those commits because they change a struct
without bumping the soname. We are investigating how impactful that is.
On Thu, Jun 25, 2020 at 6:27 PM Salvatore Bonaccorso <carnil at debian.org>
wrote:
> Hi,
>
> On Thu, Jun 25, 2020 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> > Source: net-snmp
> > Version: 5.8+dfsg-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> >
> > Hi,
> >
> > The following vulnerability was published for net-snmp.
> >
> > CVE-2019-20892[0]:
> > | net-snmp before 5.8.1.pre1 has a double free in
> > | usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk
> > | request. NOTE: this affects net-snmp packages shipped to end users by
> > | multiple Linux distributions, but might not affect an upstream
> > | release.
> >
> > See [1] for the CVE heads-up post, and [2] the Launchpad Bug where the
> > issue originally is tracked from. The issue can be verified with:
> >
> > | # systemctl stop snmpd.service
> > | # cat >> /var/lib/snmp/snmpd.conf << __EOF__
> > | createUser testuser SHA "testpass" AES "testpass"
> > | __EOF__
> > | # cat >> /etc/snmp/snmpd.conf << __EOF__
> > | rwuser testuser
> > | __EOF__
> > | # systemctl start snmpd.service
> > | # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A
> testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-20892
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
> > [1] https://www.openwall.com/lists/oss-security/2020/06/25/4
> > [2] https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
> >
> > Please adjust the affected versions in the BTS as needed, I'm not sure
> > where the issue has been introduced, but possibly does not affect
> > indeed older suites (please do double check).
>
> In Ubuntu
> https://launchpad.net/~sergiodj/+archive/ubuntu/net-snmp-bug1877027
> was prepared containing a set of commits which seem to adress the
> issue (cf. the LP: 1877027 reference).
>
> Regards,
> Salvatore
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-net-snmp-devel/attachments/20200625/0c892fda/attachment.html>
More information about the Pkg-net-snmp-devel
mailing list