Hi,

On Sun, Nov 13, 2022 at 08:35:33PM +0100, Moritz Mühlenhoff wrote:
> Source: net-snmp
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for net-snmp.
>
> CVE-2022-44792[0]:
> | handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP
> | 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by
> | a remote attacker (who has write access) to cause the instance to
> | crash via a crafted UDP packet, resulting in Denial of Service.
>
> https://github.com/net-snmp/net-snmp/issues/474
> https://gist.github.com/menglong2234/b7bc13ae1a144f47cc3c95a7ea062428
>
> CVE-2022-44793[1]:
> | handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in
> | Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can
> | be used by a remote attacker to cause the instance to crash via a
> | crafted UDP packet, resulting in Denial of Service.
>
> https://github.com/net-snmp/net-snmp/issues/475
> https://gist.github.com/menglong2234/d07a65b5028145c9f4e1d1db8c4c202f
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-44792
>     https://www.cve.org/CVERecord?id=CVE-2022-44792
> [1] https://security-tracker.debian.org/tracker/CVE-2022-44793
>     https://www.cve.org/CVERecord?id=CVE-2022-44793
>
> Please adjust the affected versions in the BTS as needed.
Upstream has addressed both issues with
https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57

Regards,
Salvatore