Univention Bugzilla – Bug 46770
net-snmp: Multiple issues (4.2)
Last modified: 2018-05-08 14:57:09 CEST
New Debian net-snmp 5.7.2.1+dfsg-1+deb8u1+b1 fixes:

This update addresses the following issues:

* The snmp_pdu_parse function in net-snmp does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet. (CVE-2015-5621)
* NET-SNMP contains a heap corruption vulnerability in the UDP protocol handler that can result in command execution. (CVE-2018-1000116)

CVE-2015-5621 net-snmp: snmp_pdu_parse() incompletely parsed varBinds left in list of variables
CVE-2018-1000116 net-snmp: Heap corruption in snmp_pdu_parse function in snmplib/snmp_api.c
[4.2-3] f04a8b3983 Bug #46770: net-snmp_5.7.2.1+dfsg-1+deb8u1+b1
Announce will fail as this is a binNMU in Debian:
[FAIL] changes.valid: Mismatching binary package version: 5.7.2.1+dfsg-1+deb8u1+b1 != tkmib 5.7.2.1+dfsg-1+deb8u1 from net-snmp 5.7.2.1+dfsg-1+deb8u1
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update ok
* Advisory ok
(In reply to Philipp Hahn from comment #2)
> Announce will fail as this is a binNMU in Debian:
> [FAIL] changes.valid: Mismatching binary package version:
> 5.7.2.1+dfsg-1+deb8u1+b1 != tkmib 5.7.2.1+dfsg-1+deb8u1 from net-snmp
> 5.7.2.1+dfsg-1+deb8u1

This was an error in the YAML file: I specified the binary package version containing the additional '+b1' binNMU suffix instead of the source package version.

[4.2-3] 3dffe676bb Bug #46770: net-snmp 5.7.2.1+dfsg-1+deb8u1
---
 doc/errata/staging/net-snmp.yaml | 2 +-
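The mismatch discussed in this thread comes from the way Debian binNMUs version packages: the rebuild appends "+bN" to the architecture-dependent binary packages only, while the source package and any Architecture: all binaries (tkmib here) keep the plain version. The following is an added illustration, not Univention's changes.valid implementation or any code from this bug: a small binNMU-aware check that rejects an errata entry declaring a "+bN" binary version and verifies every binary version against the declared source version. The package list SAMPLE_BINARIES is constructed for the example, and the regular expression assumes the upstream version itself does not end in "+bN".

```python
import re

# Debian versions are [epoch:]upstream[-debian_revision]. A binNMU appends
# "+bN" to the *binary* package version of architecture-dependent packages
# only; the source version and Architecture: all packages stay unchanged.
# Assumption: a trailing "+bN" is always a binNMU marker (true unless the
# upstream version itself ends that way, which Debian policy discourages).
_BINNMU_SUFFIX = re.compile(r"\+b(\d+)$")

# Constructed sample of a .changes file after a binNMU: the arch-dependent
# packages carry +b1, the arch-independent tkmib does not.
SAMPLE_BINARIES = {
    "libsnmp30": "5.7.2.1+dfsg-1+deb8u1+b1",
    "snmpd": "5.7.2.1+dfsg-1+deb8u1+b1",
    "tkmib": "5.7.2.1+dfsg-1+deb8u1",  # Architecture: all
}


def source_version_of(binary_version):
    """Return (source_version, binnmu_number or None) for a binary version."""
    match = _BINNMU_SUFFIX.search(binary_version)
    if match is None:
        return binary_version, None
    return binary_version[: match.start()], int(match.group(1))


def check_changes(declared_version, binaries):
    """Validate the version declared in an errata YAML against the binaries.

    Returns a list of failure messages; an empty list means the declaration
    is consistent. Two rules are enforced:
      1. the declared version must be the source version (no +bN suffix);
      2. every binary, once its optional +bN suffix is stripped, must match it.
    """
    failures = []
    declared_src, declared_nmu = source_version_of(declared_version)
    if declared_nmu is not None:
        failures.append(
            f"declared version {declared_version} carries binNMU suffix "
            f"+b{declared_nmu}; declare the source version {declared_src}"
        )
    for pkg, version in sorted(binaries.items()):
        src, _nmu = source_version_of(version)
        if src != declared_src:
            failures.append(
                f"Mismatching binary package version: {declared_version} "
                f"!= {pkg} {version}"
            )
    return failures


if __name__ == "__main__":
    # The wrong declaration from the YAML (binary version with +b1) ...
    for line in check_changes("5.7.2.1+dfsg-1+deb8u1+b1", SAMPLE_BINARIES):
        print("[FAIL]", line)
    # ... and the corrected one (source version), which passes cleanly.
    print("ok" if not check_changes("5.7.2.1+dfsg-1+deb8u1", SAMPLE_BINARIES)
          else "still failing")
```

Declaring the source version is the only choice that stays valid across the whole set of binaries: the "+b1" version only matches the packages that were actually rebuilt, and a later binNMU would bump the suffix again without any change to the source.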
<http://errata.software-univention.de/ucs/4.2/384.html>