Your message dated Mon, 22 Aug 2022 06:20:03 +0000
with message-id <e1oq0n5-00gilx...@fasolo.debian.org>
and subject line Bug#1016139: fixed in net-snmp 5.9+dfsg-4+deb11u1
has caused the Debian Bug report #1016139,
regarding net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 
CVE-2022-24806 CVE-2022-24805
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1016139: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016139
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: net-snmp
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for net-snmp.

5.9.3 fixes the following issues:

- These two CVEs can be exploited by a user with read-only credentials:
    - CVE-2022-24805 A buffer overflow in the handling of the INDEX of
      NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
    - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
      can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
    - CVE-2022-24806 Improper Input Validation when SETing malformed
      OIDs in master agent and subagent simultaneously
    - CVE-2022-24807 A malformed OID in a SET request to
      SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
      out-of-bounds memory access.
    - CVE-2022-24808 A malformed OID in a SET request to
      NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
    - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
      can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
  If you must use SNMPv1 or SNMPv2c, use a complex community string
  and enhance the protection by restricting access to a given IP address
  range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
  reporting the following CVEs that have been fixed in this release, and
  to Arista Networks for providing fixes.

Please adjust the affected versions in the BTS as needed.

--- End Message ---
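
Added example, not part of the bug report or of net-snmp itself: a small audit of snmpd.conf community directives against the mitigation advice quoted above (read-write access, missing source restriction, weak community string). The function name, the sample configuration and the minimum-length threshold are assumptions made for illustration.

```python
import re

# Constructed sample snmpd.conf, not taken from the bug report.
SAMPLE_CONF = """\
# monitoring access
rocommunity public
rocommunity  k7Qp-2vX9mLr-Tz4w  192.0.2.0/24
rwcommunity private default
rwcommunity6 Hq8s-Lm3x-Vb6n-Yt1c 2001:db8::/32
rouser monitor priv
"""

COMMON = {"public", "private", "community", "snmp", "admin"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}
MIN_LEN = 12  # assumed local policy threshold, not a net-snmp rule


def audit_snmpd_conf(text):
    """Return (line_no, directive, issue) tuples for SNMPv1/v2c community lines."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and whole-line comments
            continue
        fields = line.split()
        if len(fields) < 2 or not re.fullmatch(r"r[ow]community6?", fields[0]):
            continue  # SNMPv3 directives such as rouser are not checked here
        directive, community = fields[0], fields[1]
        source = fields[2] if len(fields) > 2 else None
        if directive.startswith("rw"):
            # Four of the six CVEs require read-write credentials.
            findings.append((no, directive, "read-write community"))
        if source is None or source.lower() in ANY_SOURCE:
            findings.append((no, directive, "no source restriction"))
        if community.lower() in COMMON or len(community) < MIN_LEN:
            findings.append((no, directive, "weak community string"))
    return findings


if __name__ == "__main__":
    for no, directive, issue in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: {directive}: {issue}")
```
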
--- Begin Message ---
Source: net-snmp
Source-Version: 5.9+dfsg-4+deb11u1
Done: Craig Small <csm...@debian.org>

We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1016...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated net-snmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Aug 2022 20:12:22 +1000
Source: net-snmp
Binary: libnetsnmptrapd40 libnetsnmptrapd40-dbgsym libsnmp-base libsnmp-dev 
libsnmp-perl libsnmp-perl-dbgsym libsnmp40 libsnmp40-dbgsym snmp snmp-dbgsym 
snmpd snmpd-dbgsym snmptrapd snmptrapd-dbgsym tkmib
Architecture: source amd64 all
Version: 5.9+dfsg-4+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-de...@lists.alioth.debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
 libnetsnmptrapd40 - SNMP (Simple Network Management Protocol) trap library
 libsnmp-base - SNMP configuration script, MIBs and documentation
 libsnmp-dev - SNMP (Simple Network Management Protocol) development files
 libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
 libsnmp40  - SNMP (Simple Network Management Protocol) library
 snmp       - SNMP (Simple Network Management Protocol) applications
 snmpd      - SNMP (Simple Network Management Protocol) agents
 snmptrapd  - Net-SNMP notification receiver
 tkmib      - SNMP (Simple Network Management Protocol) MIB browser
Closes: 1016139
Changes:
 net-snmp (5.9+dfsg-4+deb11u1) bullseye-security; urgency=high
 .
   * Backport upstream security patches from v5.9.3 Closes: #1016139
   * snmpd_fix_bounds_checking: CVE-2022-24805, CVE-2022-24809
   * snmpd_recover_set_status: CVE-2022-24806, CVE-2022-24807, CVE-2022-24808,
     CVE-2022-24810

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
