Your message dated Sat, 04 Jul 2026 10:02:46 +0000
with message-id <[email protected]>
and subject line Bug#1138646: fixed in fastnetmon 1.2.9-0+deb13u1
has caused the Debian Bug report #1138646,
regarding fastnetmon: CVE-2026-48689 CVE-2026-48688 CVE-2026-48696 
CVE-2026-48695 CVE-2026-48694 CVE-2026-48691 CVE-2026-48690 CVE-2026-48687 
CVE-2026-48686 CVE-2026-48685 CVE-2026-48684 CVE-2026-48683
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138646
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fastnetmon
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for fastnetmon.

Most of these are harmless, but two (CVE-2026-48689 and CVE-2026-48688)
are relevant.

All links to commits etc. in the
https://security-tracker.debian.org/tracker/source-package/fastnetmon
entries for each CVE.

There's also three other reports, which are not fixed upstream in
1.2.9 (but this bug only tracks the issues fixed in 1.2.9):

CVE-2026-48689[0]:
| FastNetMon Community Edition through 1.2.9 contains an off-by-one
| heap-based buffer overflow in the dynamic_binary_buffer_t class
| (src/dynamic_binary_buffer.hpp). Five methods
| (append_dynamic_buffer, append_data_as_pointer,
| append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr)
| use an incorrect bounds check of the form 'if (offset + length >
| maximum_internal_storage_size + 1)' instead of the correct 'if
| (offset + length > maximum_internal_storage_size)'. This allows
| writing exactly one byte past the end of the heap-allocated buffer.
| The class is used pervasively in BGP message encoding/decoding,
| NetFlow template processing, and Flow Spec NLRI construction. An
| attacker who can send network traffic (NetFlow, sFlow, IPFIX, or
| BGP) to a FastNetMon instance can trigger this overflow, potentially
| achieving arbitrary code execution by corrupting heap metadata.
| Notably, the append_byte() method uses the correct bounds check,
| confirming the inconsistency.

CVE-2026-48688[1]:
| FastNetMon Community Edition through 1.2.9 contains multiple out-of-
| bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The
| function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a
| TODO comment at line 156 explicitly acknowledging 'we should add
| sanity checks to avoid reads after attribute memory block.' The
| function casts raw pointers to structure types without verifying
| sufficient data exists (line 158), uses the attacker-controlled
| length_of_next_hop field to determine memcpy size (line 181), and
| computes prefix_length by dereferencing a pointer calculated from
| multiple attacker-controlled offsets without bounds validation (line
| 189). The prefix_length is then used to calculate
| number_of_bytes_required_for_prefix which becomes a memcpy length
| (line 202) with no check against remaining buffer size.


CVE-2026-48696[2]:
| FastNetMon Community Edition through 1.2.9 has a buffer overflow, a
| different vulnerability than CVE-2026-48686 and CVE-2026-48689.


CVE-2026-48695[3]:
| FastNetMon Community Edition through 1.2.9 contains an OS command
| injection vulnerability in the MikroTik router integration plugin.
| The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php
| (lines 107-108) constructs shell commands by concatenating the $msg
| parameter directly into exec() calls: exec("echo `date` \"-
| {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). This is
| identical in pattern to the Juniper plugin vulnerability. The $msg
| variable contains unsanitized attack data from command-line
| arguments. An attacker who can influence argv[] values can inject
| arbitrary shell commands. The fix is to replace exec() with
| file_put_contents() or use escapeshellarg().


CVE-2026-48694[4]:
| FastNetMon Community Edition through 1.2.9 contains a configuration
| injection vulnerability in the Juniper router integration plugin. In
| src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable
| (received from argv[1]) is directly interpolated into Juniper
| NETCONF set-configuration commands at lines 69 and 90 without any
| validation or sanitization. Line 69:
| $conn->load_set_configuration("set routing-options static route
| {$IP_ATTACK} community 65535:666 discard"). Line 90:
| $conn->load_set_configuration("delete routing-options static route
| {$IP_ATTACK}/32"). An attacker who can control the IP address string
| can inject additional Juniper CLI configuration commands by
| embedding newline characters followed by arbitrary set/delete
| commands. This could modify the router's routing table, firewall
| filters, user accounts, or any other configuration element
| accessible via NETCONF. The impact is full router compromise.


CVE-2026-48691[5]:
| FastNetMon Community Edition through 1.2.9 contains an integer
| overflow in the BGP AS_PATH attribute encoder. In
| src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes()
| function computes attribute_length as
| 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() *
| sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605).
| Since uint8_t can only hold values 0-255, an AS_PATH containing more
| than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The
| truncated length is used for buffer sizing, while the actual data
| written is the full untruncated amount, resulting in a heap buffer
| overflow. Similarly, the path_segment_length field at line 621 is
| also uint8_t, truncating with more than 255 ASNs.


CVE-2026-48690[6]:
| FastNetMon Community Edition through 1.2.9 contains an integer
| overflow vulnerability in the packet capture buffer allocation. In
| src/packet_storage.hpp, the allocate_buffer() function computes
| memory_size_in_bytes as 'buffer_size_in_packets *
| (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) +
| sizeof(fastnetmon_pcap_file_header_t)' using unsigned int (32-bit)
| arithmetic. With max_captured_packet_size=1500 and
| sizeof(fastnetmon_pcap_pkthdr_t)=16, each packet requires
| approximately 1516 bytes. If buffer_size_in_packets exceeds
| approximately 2,832,542, the multiplication overflows, resulting in
| a much smaller allocation than expected. Subsequent write_packet()
| calls then write past the allocated buffer, causing heap corruption.
| The buffer_size_in_packets value is derived from the
| ban_details_records_count configuration parameter, which is parsed
| using atoi() with no overflow checking.


CVE-2026-48687[7]:
| FastNetMon Community Edition through 1.2.9 contains an OS command
| injection vulnerability in the Juniper router integration plugin.
| The _log() function in src/juniper_plugin/fastnetmon_juniper.php
| (lines 117-118) constructs shell commands by concatenating the $msg
| parameter directly into exec() calls: exec("echo `date` \"-
| {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg
| variable contains unsanitized data derived from command-line
| arguments argv[1] through argv[3], which represent the attack IP
| address, direction, and power. While FastNetMon's C++ core currently
| passes IP addresses via inet_ntoa() (which only produces safe
| dotted-decimal notation), the PHP script performs no input
| validation or shell escaping. If the script is invoked directly, by
| another orchestration system, or if future code changes pass string-
| sourced IPs, arbitrary commands can be injected. The correct fix is
| to replace exec() with file_put_contents() or use escapeshellarg()
| on all parameters.


CVE-2026-48686[8]:
| FastNetMon Community Edition through 1.2.9 contains a stack-based
| buffer overflow in the BGP NLRI (Network Layer Reachability
| Information) decoder. The function
| decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads
| prefix_bit_length directly from the BGP packet (line 99) without
| validating it is <= 32 for IPv4 prefixes. This value is passed to
| how_much_bytes_we_need_for_storing_certain_subnet_mask() which
| computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a
| prefix_bit_length of 255. The result is used as the length argument
| to memcpy() (line 106), which copies into a 4-byte uint32_t stack
| variable (prefix_ipv4). This causes a stack buffer overflow of up to
| 28 bytes, which can be exploited for arbitrary code execution.
| Additionally, the unvalidated prefix_bit_length is passed to
| convert_cidr_to_binary_netmask_local_function_copy() (line 111),
| where a shift of (32 - cidr) with cidr > 32 causes undefined
| behavior.


CVE-2026-48685[9]:
| FastNetMon Community Edition through 1.2.9 has out-of-bounds memory
| access because it incorrectly parses BGP path attributes with the
| extended length flag set. In src/bgp_protocol.hpp, the
| parse_raw_bgp_attribute() function correctly identifies when
| extended_length_bit is set and sets length_of_length_field to 2, but
| then reads only a single byte for the attribute value length
| (attribute_value_length = value[2] at line 173). Per RFC 4271
| Section 4.3, when the Extended Length bit is set, the Attribute
| Length field is two octets and the value should be read as a 16-bit
| big-endian integer from value[2] and value[3]. As a result, any
| attribute longer than 255 bytes has its length silently truncated to
| the low byte (e.g., 300 bytes = 0x012C is read as 0x2C = 44 bytes).
| The remaining 256 bytes are then misinterpreted as subsequent
| attributes, causing cascading parse failures and potential out-of-
| bounds memory access.


CVE-2026-48684[10]:
| FastNetMon Community Edition through 1.2.9 contains an out-of-bounds
| read in the NetFlow v9 options template parser. In
| process_netflow_v9_options_template()
| (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing
| loop (lines 224-229) iterates until scopes_offset reaches the
| attacker-controlled option_scope_length value, reading
| netflow9_template_flowset_record_t structures at each step. No
| bounds check validates that (zone_address + scopes_offset +
| sizeof(record)) stays within the flowset. The same issue affects the
| options field loop (lines 241-257) with option_length. Furthermore,
| option_scope_length is not validated to be a multiple of
| sizeof(netflow9_template_flowset_record_t), potentially causing
| misaligned reads. An attacker can trigger reads past the end of the
| UDP packet buffer.


CVE-2026-48683[11]:
| FastNetMon Community Edition through 1.2.9 contains an out-of-bounds
| read vulnerability in the NetFlow v9 data flowset processor. In
| src/netflow_plugin/netflow_v9_collector.cpp, the Data template
| branch (lines 1695-1702) iterates over flow records without
| performing a per-iteration bounds check against the packet end
| pointer. In contrast, the Options template branch (lines 1709-1719)
| correctly checks 'if (pkt + offset + field_template->total_length >
| packet_end)' before each iteration. The Data branch omits this check
| entirely. Since template definitions are sent by the network peer
| (and are unauthenticated UDP), an attacker can craft templates that
| cause the parser to read arbitrary memory past the packet buffer.
| This can leak sensitive memory contents or cause a crash.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48689
    https://www.cve.org/CVERecord?id=CVE-2026-48689
[1] https://security-tracker.debian.org/tracker/CVE-2026-48688
    https://www.cve.org/CVERecord?id=CVE-2026-48688
[2] https://security-tracker.debian.org/tracker/CVE-2026-48696
    https://www.cve.org/CVERecord?id=CVE-2026-48696
[3] https://security-tracker.debian.org/tracker/CVE-2026-48695
    https://www.cve.org/CVERecord?id=CVE-2026-48695
[4] https://security-tracker.debian.org/tracker/CVE-2026-48694
    https://www.cve.org/CVERecord?id=CVE-2026-48694
[5] https://security-tracker.debian.org/tracker/CVE-2026-48691
    https://www.cve.org/CVERecord?id=CVE-2026-48691
[6] https://security-tracker.debian.org/tracker/CVE-2026-48690
    https://www.cve.org/CVERecord?id=CVE-2026-48690
[7] https://security-tracker.debian.org/tracker/CVE-2026-48687
    https://www.cve.org/CVERecord?id=CVE-2026-48687
[8] https://security-tracker.debian.org/tracker/CVE-2026-48686
    https://www.cve.org/CVERecord?id=CVE-2026-48686
[9] https://security-tracker.debian.org/tracker/CVE-2026-48685
    https://www.cve.org/CVERecord?id=CVE-2026-48685
[10] https://security-tracker.debian.org/tracker/CVE-2026-48684
    https://www.cve.org/CVERecord?id=CVE-2026-48684
[11] https://security-tracker.debian.org/tracker/CVE-2026-48683
    https://www.cve.org/CVERecord?id=CVE-2026-48683

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: fastnetmon
Source-Version: 1.2.9-0+deb13u1
Done: Patrick Matthäi <[email protected]>

We believe that the bug you reported is fixed in the latest version of
fastnetmon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <[email protected]> (supplier of updated fastnetmon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Jul 2026 22:54:56 +0200
Source: fastnetmon
Binary: fastnetmon fastnetmon-dbgsym
Architecture: source amd64
Version: 1.2.9-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Patrick Matthäi <[email protected]>
Changed-By: Patrick Matthäi <[email protected]>
Description:
 fastnetmon - fast DDoS analyzer with sflow/netflow/mirror support (community e
Closes: 1138646
Changes:
 fastnetmon (1.2.9-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream release.
     - This release fixes various security issues: CVE-2026-48689,
       CVE-2026-48688, CVE-2026-48696, CVE-2026-48695, CVE-2026-48694,
       CVE-2026-48691, CVE-2026-48690, CVE-2026-48687, CVE-2026-48686,
       CVE-2026-48685, CVE-2026-48684 and CVE-2026-48683.
       Closes: #1138646
   * Revert for trixie: Remove dh_movetousr sequence and manually set the
     systemd servicedir.
Checksums-Sha1:
 cf2d16b65d9f86d9c1fdce5f6fd5901bb083e95a 2317 fastnetmon_1.2.9-0+deb13u1.dsc
 9e3df6f71458194ac08f5360e286ea7385ebd75d 1530122 fastnetmon_1.2.9.orig.tar.gz
 2dc0d1a7e4c7214b4dc9bb869c64daf47f0081da 5064 
fastnetmon_1.2.9-0+deb13u1.debian.tar.xz
 f618232dc5069f4d771335ea65b9d515262ab188 20401772 
fastnetmon-dbgsym_1.2.9-0+deb13u1_amd64.deb
 f5aa54a79fe2b357de16957e515492cf9c21b96a 16102 
fastnetmon_1.2.9-0+deb13u1_amd64.buildinfo
 1872161211b3edddf08a5d42a86aec0b19d41a49 1439200 
fastnetmon_1.2.9-0+deb13u1_amd64.deb
Checksums-Sha256:
 633422d02492bd33ba168b31695bc6520f45b7c81a688bb60a1dcc827972628a 2317 
fastnetmon_1.2.9-0+deb13u1.dsc
 a219e6dd30ad60ed0562243c7830dba053f740c28cee9cb70ac0b78a5121e4dd 1530122 
fastnetmon_1.2.9.orig.tar.gz
 4d8768b92370bee1013948400f942914032b79fd4d5c4c6b1efad9e4c5961313 5064 
fastnetmon_1.2.9-0+deb13u1.debian.tar.xz
 e833fcfeb365ef61cc36e262871c81d6adc5695526310571459bc1e511833df8 20401772 
fastnetmon-dbgsym_1.2.9-0+deb13u1_amd64.deb
 1ffd638a91707d59e25487666a04ab7406698ab496aec9e72e4321e5daf42fdb 16102 
fastnetmon_1.2.9-0+deb13u1_amd64.buildinfo
 a537fbcc9ff1027f58e78f4e712121330e986f39a0ac7631cbd7b1df7225cc86 1439200 
fastnetmon_1.2.9-0+deb13u1_amd64.deb
Files:
 f82ae666838c816a6a7098c5cc26a168 2317 net optional 
fastnetmon_1.2.9-0+deb13u1.dsc
 ea57ea1db13ae50ce12b32d1a2945238 1530122 net optional 
fastnetmon_1.2.9.orig.tar.gz
 6bd909e2f2acc63d1d438a710f37e5ad 5064 net optional 
fastnetmon_1.2.9-0+deb13u1.debian.tar.xz
 25cb91cbadb40da5610c06adddba8e44 20401772 debug optional 
fastnetmon-dbgsym_1.2.9-0+deb13u1_amd64.deb
 63651969c696337fb5042f9c68126aab 16102 net optional 
fastnetmon_1.2.9-0+deb13u1_amd64.buildinfo
 15c1e07a873148ac7dce8eab19ac8ceb 1439200 net optional 
fastnetmon_1.2.9-0+deb13u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEWKA9xYJCWk3IuQ4TEtmwSpDL2OQFAmpFgeQACgkQEtmwSpDL
2OTZ4Q/+IgrIHkNDoeOoeQGDMr6/7Mnd3EXVUHOvgnac3q7G50VrlH02+rZXY+DM
FHQRIm3+u3exxIIBCBGvHoC11mTBKWNb3XXUlpfA5EXyaK4MKInXtNi/08d5tX3S
U2N2am7IXWrvzcSSFblvuf2N3nu6P2ERe+k1t5CtnJSVdzPlSf2A55rDjGutXM8j
LsPuyzHNOu26gcK8ArgQu8SuGCnSQNUmN8pX6Ce32ixUAZ7mFM8s8zGAQpVhJH2m
sEq0VY+F/txhMZvy+gubE23Fc+gTtmLITHaK1A92Jf1spBZ/96ACB0YA67ELGDzr
ZvvHJzF4unDBDhDI6dG8OSwD7hrNf7Ze4McfAZxBzqByxaJ7W63hnvojd6WThL2g
Sml5sYlJmHHznNwlaCg1r9iX3VOc7MAdfScCjn4cvmzpxii6DAp3JyP7MMcCmtjo
TExsfve6r46S+G/6qcaLbfekv0k/Kft0FmKTlTnnwxMC02xK+QBl74ioO90n1fY4
Lh5BmVeElRucNoxyXVAARxPOXIvL0ncUMCF7/jFpg5bzgzMBG6YQgsxf2+952Euh
HZeEAES0tvyS9Vu3iRMN81jiRRNgeS+5mfqkk7l6C8z4rqX7f00KCzaNOYUO78Ck
/80HGsBXBfE6qKa8+P6Qf9uazZculjgKrfYlDJSbbzOorYelBIo=
=b5uy
-----END PGP SIGNATURE-----

Attachment: pgpd6cYpg4LW_.pgp
Description: PGP signature


--- End Message ---

Reply via email to