I said: > I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the > changelog. > I'm trying to find where they've made the changes to see if it is possible > to get at least bullseye fixed. > I've had a look and believe these two commits are the fixes:
snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB, SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937 snmpd: recover SET status from delegated request https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 Both sets of commits look pretty clear and simple to implement. I've asked upstream to confirm these are the only two patches. - Craig
