===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2008.0125
     [Debian] New net-snmp packages fix denial of service vulnerability
                              7 February 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              net-snmp
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-5846

Ref:                  ESB-2007.0931

Original Bulletin:    http://www.debian.org/security/2008/dsa-1483

--------------------------BEGIN INCLUDED TEXT--------------------

------------------------------------------------------------------------
Debian Security Advisory DSA-1483-1                  security@debian.org
http://www.debian.org/security/                           Noah Meyerhans
February 06, 2008                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : net-snmp
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-5846

The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote
attackers to cause a denial of service (CPU and memory consumption)
via a GETBULK request with a large max-repeaters value.

For the stable distribution (etch), this problem has been fixed in
version 5.2.3-7etch2

For the unstable and testing distributions (sid and lenny,
respectively), this problem has been fixed in version 5.4.1~dfsg-2

We recommend that you upgrade your net-snmp package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.

These files will probably be moved into the stable distribution on
its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================