Univention Bugzilla – Bug 51795
net-snmp: Multiple issues (4.4)
Last modified: 2020-08-12 16:18:17 CEST
New Debian net-snmp 5.7.3+dfsg-1.7+deb9u3 fixes: This update addresses the following issue: * combination with can lead to elevated permissions to root (CVE-2020-15861)
--- mirror/ftp/4.4/unmaintained/component/4.4-5-errata/source/net-snmp_5.7.3+dfsg-1.7+deb9u2.dsc +++ apt/ucs_4.4-0-errata4.4-5/source/net-snmp_5.7.3+dfsg-1.7+deb9u3.dsc @@ -1,3 +1,11 @@ +5.7.3+dfsg-1.7+deb9u3 [Tue, 04 Aug 2020 16:15:58 +0100] Chris Lamb <lamby@debian.org>: + + * CVE-2020-15861: Prevent a privilege esclation attack due to incorrect + symlink handling. (Closes: #966599) + * CVE-2020-15862: Apply a regression from upstream by reverting the + configure-level disabling of NET-SNMP-EXTEND-MIB in favour of a C + preprocessor approach. + 5.7.3+dfsg-1.7+deb9u2 [Thu, 30 Jul 2020 11:50:04 +0100] Chris Lamb <lamby@debian.org>: * Disable NET-SNMP-EXTEND-MIB support by default as it was possible to abuse <http://10.200.17.11/4.4-5/#277012681610139990>
OK: yaml OK: announce_errata OK: patch FAIL: piuparts [4.4-5] 1a3b2b5dea Bug #51795: net-snmp 5.7.3+dfsg-1.7+deb9u3 doc/errata/staging/net-snmp.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+)
(In reply to Erik Damrose from comment #2) > FAIL: piuparts /var/lib/snmp/ expected(root, root, d 40755, 40, None) != found(#106, #107, d 40755, 40, None) After purging files have been modified: /var/lib/snmp/ owned by: libsnmp30:amd64, libsnmp-base -> This does not block the package release
<https://errata.software-univention.de/#/?erratum=4.4x706>