Your message dated Thu, 12 Jun 2008 21:02:21 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#485945: fixed in net-snmp 5.4.1~dfsg-8.1
has caused the Debian Bug report #485945,
regarding net-snmp: CVE-2008-0960 spoofing of authenticated SNMPv3 packets
because only length of HMAC code is taken into account for checks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
485945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=485945
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: net-snmp
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for net-snmp.
CVE-2008-0960[0]:
| SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x
| before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4)
| Juniper Session and Resource Control (SRC) C-series 1.0.0 through
| 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and
| 7.3RC2; (6) SNMP Research before 16.2; and (7) multiple Cisco IOS,
| CatOS, ACE, and Nexus products; relies on the client to specify the
| HMAC length, which makes it easier for remote attackers to bypass SNMP
| authentication via a length value of 1, which only checks the first
| byte.
Upstream patch:
http://sourceforge.net/tracker/download.php?group_id=12694&atid=456380&file_id=280776&aid=1989089
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
http://security-tracker.debian.net/tracker/CVE-2008-0960
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
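Added example (not part of the original messages and not the upstream patch): a sketch in C of the flaw described in the CVE text above, where the sender-supplied HMAC length decides how many octets are compared, beside a check that fixes the length at the 12 octets SNMPv3 USM uses for HMAC-MD5-96 and HMAC-SHA-96. The function names and the sample tag bytes are constructed for illustration.

```c
/* Added example, not net-snmp source; all names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USM_MAC_LEN 12  /* HMAC-MD5-96 / HMAC-SHA-96 tags are 12 octets (RFC 3414) */

/* Constructed sample: the tag the receiver computed over the message. */
static const unsigned char expected_mac[USM_MAC_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4b, 0x88, 0x10, 0xfd, 0x66, 0x29, 0xc4
};
/* Constructed sample: a 1-octet tag whose only byte equals expected_mac[0]. */
static const unsigned char short_mac[1] = { 0x3a };

/* Flawed pattern from the CVE text: the sender-supplied length decides
 * how many octets are compared. Returns 1 if the tag is accepted. */
int check_mac_client_length(const unsigned char *computed,
                            const unsigned char *received, size_t received_len)
{
    if (received_len > USM_MAC_LEN)
        return 0;
    return memcmp(computed, received, received_len) == 0;
}

/* Hardened pattern: the length is fixed by the protocol, not the packet,
 * and all octets are compared without an early exit. */
int check_mac_fixed_length(const unsigned char *computed,
                           const unsigned char *received, size_t received_len)
{
    unsigned char diff = 0;
    size_t i;

    if (received_len != USM_MAC_LEN)
        return 0;
    for (i = 0; i < USM_MAC_LEN; i++)
        diff |= (unsigned char)(computed[i] ^ received[i]);
    return diff == 0;
}

int main(void)
{
    printf("client-length check, 1-octet tag: %d\n",
           check_mac_client_length(expected_mac, short_mac, sizeof short_mac));
    printf("fixed-length check, 1-octet tag:  %d\n",
           check_mac_fixed_length(expected_mac, short_mac, sizeof short_mac));
    printf("fixed-length check, full tag:     %d\n",
           check_mac_fixed_length(expected_mac, expected_mac, USM_MAC_LEN));
    return 0;
}
```
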
--- Begin Message ---
Source: net-snmp
Source-Version: 5.4.1~dfsg-8.1
We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive:
libsnmp-base_5.4.1~dfsg-8.1_all.deb
  to pool/main/n/net-snmp/libsnmp-base_5.4.1~dfsg-8.1_all.deb
libsnmp-dev_5.4.1~dfsg-8.1_amd64.deb
  to pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-8.1_amd64.deb
libsnmp-perl_5.4.1~dfsg-8.1_amd64.deb
  to pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-8.1_amd64.deb
libsnmp-python_5.4.1~dfsg-8.1_amd64.deb
  to pool/main/n/net-snmp/libsnmp-python_5.4.1~dfsg-8.1_amd64.deb
libsnmp15_5.4.1~dfsg-8.1_amd64.deb
  to pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-8.1_amd64.deb
net-snmp_5.4.1~dfsg-8.1.diff.gz
  to pool/main/n/net-snmp/net-snmp_5.4.1~dfsg-8.1.diff.gz
net-snmp_5.4.1~dfsg-8.1.dsc
  to pool/main/n/net-snmp/net-snmp_5.4.1~dfsg-8.1.dsc
snmp_5.4.1~dfsg-8.1_amd64.deb
  to pool/main/n/net-snmp/snmp_5.4.1~dfsg-8.1_amd64.deb
snmpd_5.4.1~dfsg-8.1_amd64.deb
  to pool/main/n/net-snmp/snmpd_5.4.1~dfsg-8.1_amd64.deb
tkmib_5.4.1~dfsg-8.1_all.deb
  to pool/main/n/net-snmp/tkmib_5.4.1~dfsg-8.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated net-snmp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 12 Jun 2008 22:22:52 +0200
Source: net-snmp
Binary: snmpd snmp libsnmp-base libsnmp15 libsnmp-dev libsnmp-perl libsnmp-python tkmib
Architecture: source all amd64
Version: 5.4.1~dfsg-8.1
Distribution: unstable
Urgency: high
Maintainer: Net-SNMP Packaging Team <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
 libsnmp-base - SNMP (Simple Network Management Protocol) MIBs and documentation
 libsnmp-dev - SNMP (Simple Network Management Protocol) development files
 libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
 libsnmp-python - SNMP (Simple Network Management Protocol) Python support
 libsnmp15 - SNMP (Simple Network Management Protocol) library
 snmp - SNMP (Simple Network Management Protocol) applications
 snmpd - SNMP (Simple Network Management Protocol) agents
 tkmib - SNMP (Simple Network Management Protocol) MIB browser
Closes: 485945
Changes:
 net-snmp (5.4.1~dfsg-8.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update fixes the following security issue:
     - CVE-2008-0960: The authentication code relies on the client specified
       HMAC length which makes it easier for an attacker to match a correct HMAC
       and authentication if a single byte HMAC is supplied (Closes: #485945)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkhRiOUACgkQHYflSXNkfP+iQwCfSqAEQVRBTJi9By/lzqhL6uT0
erEAnjdEMTt55SgP9iDRFxfadrtuPqbg
=kZ7e
-----END PGP SIGNATURE-----
--- End Message ---