[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
Launchpad has imported 3 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=485211.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2009-02-12T12:42:00+00:00 Jan wrote:

A possibility of sensitive host information disclosure was found in the implementation of SNMP protocol as defined in RFC 1065, RFC 1066, and RFC 1067. If the snmpd daemon was running on the host, it served the SNMP queries regardless of the fact that the IP address of the requester was not mentioned in the list of hosts allowed to issue / request SNMP MIB objects information. Remote attacker could use this flaw to gain host related sensitive information via performing a SNMP query.

References:
http://bugs.gentoo.org/show_bug.cgi?id=250429

Upstream patch:
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev=17367

Reply at: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/331410/comments/0

On 2009-02-12T16:11:50+00:00 Jan wrote:

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6123 to the following vulnerability:

The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp 5.0.9 through 5.4.2, when using TCP wrappers for client authorization, does not properly parse hosts.allow rules, which allows remote attackers to bypass intended access restrictions and execute SNMP queries, related to "source/destination IP address confusion."

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123
http://www.openwall.com/lists/oss-security/2009/02/12/2
http://bugs.gentoo.org/show_bug.cgi?id=250429
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev=17367
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/trunk/net-snmp/snmplib/snmpUDPDomain.c?r1=17325=17367=17367

Reply at: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/331410/comments/1

On 2009-03-26T15:47:52+00:00 errata-xmlrpc wrote:

This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:0295 https://rhn.redhat.com/errata/RHSA-2009-0295.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/331410/comments/11

** Changed in: net-snmp (Fedora)
   Status: Confirmed => Fix Released

** Changed in: net-snmp (Fedora)
   Importance: Unknown => Medium

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/331410

Title:
  CVE-2008-6123: not fixed in latest security releases

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/331410/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Changed in: net-snmp (Gentoo Linux)
   Importance: Unknown => Low
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Changed in: net-snmp (Ubuntu Lucid)
   Status: Fix Committed => Fix Released
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-June/001098.html
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
i sent the following email nearly 48 hours ago to secur...@ubuntu.com and have received no response or even an acknowledgment, so i'm following up as a comment to this bug. (i also sent the bug to debian's pkg-net-snmp-de...@lists.alioth.debian.org, but it never made it through to the archives, so i just added a comment to debian's bug #516801.) i'll attach the below referenced patch to this bug (#331410).

SUMMARY
-------
snmpd in lucid (5.4.2.1~dfsg0ubuntu1-0ubuntu2) is vulnerable to CVE-2008-6123 contrary to what its changelog says. the attached patch was applied to the aforementioned version, compiled in a pbuilder lucid chroot (on lenny), and the resulting packages (libsnmp-base, libsnmp15, snmp, snmpd) were successfully tested on lucid-i386. i also downloaded sid's 5.4.2.1~dfsg-5 source and it appears to be vulnerable based on its snmplib/snmpUDPDomain.c and the lack of any applicable patch(es) in debian/patches.

REFERENCES
----------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=revrevision=17367
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/branches/V5-4-patches/net-snmp/snmplib/snmpUDPDomain.c?r1=17367r2=17366pathrev=17367

BACKGROUND
----------
i recently upgraded a netbook from hardy to lucid by installing lucid to a new hard drive and copying/merging the old configuration. after installing snmpd and merging/copying the associated configuration files (/etc/default/snmpd, /etc/snmp/snmpd.conf, /etc/hosts.allow, /etc/hosts.deny) it rejected connections from my cacti installation residing on the network (the only IP allowed to connect to it based on the tcp-wrapper's ACL). i also noticed that the syslog output was incorrect:

  snmpd[$PID]: Connection from UDP: [$LOCAL_IP]-[$REMOTE_IP]:-13093 REFUSED

yes, the remote port is negative due to %hd in the packages' snmplib/snmpUDPDomain.c, but is %hu upstream and fixed in the attached patch.

PROBLEM
-------
snmpd improperly applies tcp-wrapper ACLs because it calls tcp-wrapper's hosts_ctl (see netsnmp_agent_check_packet() in agent/snmp_agent.c) with its local IP address as the client_addr (instead of the snmp client's remote IP address) because of incorrect string assembly (see netsnmp_udp_fmtaddr() in snmplib/snmpUDPDomain.c).

SOLUTION
--------
searching for snmpd bugs related to tcp wrappers, i found debian bug #516801. i downloaded and browsed the ubuntu source package, reviewed agent/snmp_agent.c where tcp-wrappers' hosts_ctl() is called, backtracked to snmplib/snmpUDPDomain.c where the string is constructed that snmp_agent.c deconstructs for hosts_ctl(), and verified that upstream's CVE-2008-6123 patch for v5.4 is still applicable (though compensating for %hd in debian/ubuntu source). i added the patch to the package using quilt, rebuilt the package, installed it, and it works correctly:

  snmpd[$PID]: Connection from UDP: [$REMOTE_IP]:53735-[$LOCAL_IP]

thanks for providing the net-snmp packages!

** Bug watch added: Debian Bug tracker #516801
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516801
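Added example, not part of the original report and not net-snmp source: a simplified C model of the address-ordering problem described in the message above, showing how the access decision stops depending on the real peer and how %hd turns a high port negative. The format strings (including the `->` separator), the first-bracketed-token parser, the exact-match allow list standing in for hosts_ctl(), and the documentation-range addresses are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample addresses (RFC 5737 documentation ranges). */
#define LOCAL   "192.0.2.10"    /* the agent's own address      */
#define MONITOR "192.0.2.20"    /* the one host the ACL permits */
#define OTHER   "198.51.100.7"  /* a host the ACL never names   */

/* Simplified model, not net-snmp source. Pre-fix ordering as in the
 * report's first log line: local address first, remote port via %hd. */
static void fmt_prefix(char *out, size_t n, const char *local,
                       const char *remote, unsigned short port)
{
    snprintf(out, n, "UDP: [%s]->[%s]:%hd", local, remote, port);
}

/* Post-fix ordering as in the report's second log line: remote address
 * and port first, port printed unsigned with %hu. */
static void fmt_fixed(char *out, size_t n, const char *local,
                      const char *remote, unsigned short port)
{
    snprintf(out, n, "UDP: [%s]:%hu->[%s]", remote, port, local);
}

/* Assumed consumer behaviour: the first bracketed token in the string
 * is taken as the client address. Returns 0 on success, -1 otherwise. */
static int first_bracketed(const char *s, char *out, size_t n)
{
    const char *open = strchr(s, '[');
    const char *close = open ? strchr(open, ']') : NULL;
    size_t len;

    if (open == NULL || close == NULL)
        return -1;
    len = (size_t)(close - open - 1);
    if (len >= n)
        return -1;
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return 0;
}

/* Stand-in for hosts_ctl(): exact-match allow list, deny by default. */
static int acl_allows(const char *client, const char *const *allow,
                      size_t count)
{
    size_t i;

    for (i = 0; i < count; i++)
        if (strcmp(client, allow[i]) == 0)
            return 1;
    return 0;
}

/* Access decision for one packet: format the address pair, recover the
 * "client" from the string, consult the ACL. Fails closed on parse error. */
static int check_packet(int fixed, const char *local, const char *remote,
                        unsigned short port, const char *const *allow,
                        size_t count)
{
    char addr[96], client[64];

    if (fixed)
        fmt_fixed(addr, sizeof addr, local, remote, port);
    else
        fmt_prefix(addr, sizeof addr, local, remote, port);
    if (first_bracketed(addr, client, sizeof client) != 0)
        return 0;
    return acl_allows(client, allow, count);
}

int main(void)
{
    const char *only_monitor[] = { MONITOR };
    const char *only_local[] = { LOCAL };
    char buf[96];

    fmt_prefix(buf, sizeof buf, LOCAL, MONITOR, 52443);
    printf("pre-fix  string: %s\n", buf);
    fmt_fixed(buf, sizeof buf, LOCAL, MONITOR, 52443);
    printf("post-fix string: %s\n", buf);

    /* ACL names only the monitoring host: pre-fix refuses it. */
    printf("monitor, pre-fix : %d\n",
           check_packet(0, LOCAL, MONITOR, 52443, only_monitor, 1));
    printf("monitor, post-fix: %d\n",
           check_packet(1, LOCAL, MONITOR, 52443, only_monitor, 1));

    /* ACL matches the agent's own address: pre-fix admits any peer. */
    printf("other,   pre-fix : %d\n",
           check_packet(0, LOCAL, OTHER, 40000, only_local, 1));
    printf("other,   post-fix: %d\n",
           check_packet(1, LOCAL, OTHER, 40000, only_local, 1));
    return 0;
}
```

A log line whose first bracketed address is the agent's own IP, or whose port is negative, is the visible sign that a build still carries the pre-fix formatting.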
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Patch added: patch for net-snmp package in lucid (built tested)
   http://launchpadlibrarian.net/49534438/CVE-2008-6123-ubuntu-lucid.patch
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Patch added: patch for net-snmp package in lucid (built tested)
   http://launchpadlibrarian.net/49534440/CVE-2008-6123-ubuntu-lucid.patch
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
Hi! Thanks for the report. It looks like this wasn't triaged correctly when we first looked at it. We'll get this fixed and published. Thanks for the patches and for testing it.

** Also affects: net-snmp (Ubuntu Karmic)
   Importance: Undecided
   Status: New

** Also affects: net-snmp (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: net-snmp (Ubuntu Maverick)
   Importance: Undecided
   Assignee: Stephan Hermann (shermann)
   Status: Confirmed

** Changed in: net-snmp (Ubuntu Karmic)
   Status: New => Invalid

** Changed in: net-snmp (Ubuntu Lucid)
   Status: New => Triaged

** Changed in: net-snmp (Ubuntu Maverick)
   Importance: Undecided => Medium

** Changed in: net-snmp (Ubuntu Maverick)
   Status: Confirmed => Triaged

** Changed in: net-snmp (Ubuntu Maverick)
   Assignee: Stephan Hermann (shermann) => (unassigned)

** Changed in: net-snmp (Ubuntu Lucid)
   Importance: Undecided => Medium
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
Ah-ha, I see the problem now. This vulnerability was introduced after all the versions of net-snmp that were in the archive at the time the CVE was published. At some point Debian packaged the 5.4.x series from a point that did not include the fix, which is why only Lucid and later have the problem.

** Changed in: net-snmp (Ubuntu Maverick)
   Status: Triaged => Fix Released

** Changed in: net-snmp (Ubuntu Lucid)
   Status: Triaged => Fix Committed
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
I changed the status to confirmed. I have this bug on my machine.

Apport bug report:

ProblemType: Bug
Architecture: amd64
Date: Tue Jun 1 11:32:16 2010
DistroRelease: Ubuntu 10.04
InstallationMedia: Ubuntu-Server 10.04 Lucid Lynx - Beta amd64 (20100406.1)
Package: snmpd 5.4.2.1~dfsg0ubuntu1-0ubuntu2
PackageArchitecture: amd64
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.32-22.33-server 2.6.32.11+drm33.2
SourcePackage: net-snmp
Tags: lucid
Uname: Linux 2.6.32-22-server x86_64

** Changed in: net-snmp (Ubuntu)
   Status: Invalid => Confirmed
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Changed in: net-snmp (Gentoo Linux)
   Status: In Progress => Fix Released
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Changed in: net-snmp (Gentoo Linux)
   Status: Confirmed => In Progress
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
The CVE-2008-6123 security issue was introduced in the following commit:
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=revrevision=16654

So, the issue was introduced in 5.2.5, 5.3.2 and 5.4.2.

None of our releases are impacted by this.

dapper: 5.2.1.2-4ubuntu2.3
gutsy: 5.3.1-6ubuntu2.2
hardy: 5.4.1~dfsg-4ubuntu4.2
intrepid: 5.4.1~dfsg-7.1ubuntu6.1
jaunty: 5.4.1~dfsg-12ubuntu1

Closing as invalid. Feel free to open again if this is incorrect.

** Changed in: net-snmp (Ubuntu Gutsy)
   Status: In Progress => Invalid

** Changed in: net-snmp (Ubuntu Hardy)
   Status: In Progress => Invalid

** Changed in: net-snmp (Ubuntu Dapper)
   Status: New => Invalid

** Changed in: net-snmp (Ubuntu Intrepid)
   Status: In Progress => Invalid

** Changed in: net-snmp (Ubuntu Jaunty)
   Status: In Progress => Invalid
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
Thanks for the debdiffs. The dapper debdiff is incorrect and needs several other commits so *data will actually contain what is needed. Further, I tried to reproduce based on the Gentoo bug, but was unable to so far. Stephan, do you have a working reproducer?

** Changed in: net-snmp (Ubuntu Dapper)
   Status: In Progress => New
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Attachment added: dapper debdiff
   http://launchpadlibrarian.net/22903935/dapper_net-snmp_5.2.1.2-4ubuntu2.4.debdiff

** Changed in: net-snmp (Ubuntu Dapper)
   Assignee: (unassigned) => Stephan Hermann (shermann)
   Status: Confirmed => In Progress
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Attachment added: gutsy debdiff
   http://launchpadlibrarian.net/22904269/gutsy_net-snmp_5.3.1-6ubuntu2.3.debdiff

** Changed in: net-snmp (Ubuntu Gutsy)
   Assignee: (unassigned) => Stephan Hermann (shermann)
   Status: Confirmed => In Progress
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Visibility changed to: Public
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Attachment added: jaunty debdiff (can be uploaded to main)
   http://launchpadlibrarian.net/22865434/jaunty_net-snmp_5.4.1%7Edfsg-12ubuntu2.debdiff
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Changed in: net-snmp (Ubuntu Dapper)
   Status: New => Confirmed

** Changed in: net-snmp (Ubuntu Gutsy)
   Status: New => Confirmed

** Changed in: net-snmp (Ubuntu Hardy)
   Status: New => In Progress

** Changed in: net-snmp (Ubuntu Intrepid)
   Status: New => In Progress

** Changed in: net-snmp (Ubuntu Hardy)
   Assignee: (unassigned) => Stephan Hermann (shermann)

** Changed in: net-snmp (Ubuntu Intrepid)
   Assignee: (unassigned) => Stephan Hermann (shermann)
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Changed in: net-snmp (Ubuntu)
   Assignee: (unassigned) => Stephan Hermann (shermann)
   Status: New => In Progress

** Attachment added: hardy debdiff
   http://launchpadlibrarian.net/22865260/hardy_net-snmp_5.4.1%7Edfsg-4ubuntu4.3.debdiff
[Bug 331410] Re: CVE-2008-6123: not fixed in latest security releases
** Attachment added: intrepid debdiff
   http://launchpadlibrarian.net/22865262/intrepid_net-snmp_5.4.1%7Edfsg-7.1ubuntu6.2.debdiff