Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 620
Alerts This Week
Warning Icon 1 620

Red Hat Enterprise Linux 5 RHSA-2014:0322-01 Moderate: net-snmp DoS Issues

red hat
Calendar Grey March 24, 2014
Dist Redhat Esm H88
Recent adjustments to net-snmp tackle a pair of concerns impacting Ubuntu, bolstering the security framework of the system as a whole.
Updated net-snmp packages that fix two security issues are now available for Red Hat Enterprise Linux 5

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

Summary

The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
A denial of service flaw was found in the way snmpd, the Net-SNMP daemon, handled subagent timeouts. A remote attacker able to trigger a subagent timeout could use this flaw to cause snmpd to loop infinitely or crash. (CVE-2012-6151)
A denial of service flaw was found in the way the snmptrapd service, which receives and logs SNMP trap messages, handled SNMP trap requests with an empty community string when the Perl handler (provided by the net-snmp-perl package) was enabled. A remote attacker could use this flaw to crash snmptrapd by sending a trap request with an empty community string. (CVE-2014-2285)
All net-snmp users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the snmpd and snmptrapd services will be restarted automatically.

References

https://access.redhat.com/security/cve/CVE-2012-6151 https://access.redhat.com/security/cve/CVE-2014-2285 https://access.redhat.com/security/updates/classification#moderate

Package List

Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
i386: net-snmp-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-libs-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-perl-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-utils-5.3.2.2-22.el5_10.1.i386.rpm
x86_64: net-snmp-5.3.2.2-22.el5_10.1.x86_64.rpm net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-debuginfo-5.3.2.2-22.el5_10.1.x86_64.rpm net-snmp-libs-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-libs-5.3.2.2-22.el5_10.1.x86_64.rpm net-snmp-perl-5.3.2.2-22.el5_10.1.x86_64.rpm net-snmp-utils-5.3.2.2-22.el5_10.1.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
i386: net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-devel-5.3.2.2-22.el5_10.1.i386.rpm
x86_64: net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-debuginfo-5.3.2.2-22.el5_10.1.x86_64.rpm net-snmp-devel-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-devel-5.3.2.2-22.el5_10.1.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
i386: net-snmp-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-devel-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-libs-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-perl-5.3.2.2-22.el5_10.1.i386.rpm net-snmp-utils-5.3.2.2-22.el5_10.1.i386.rpm
ia64:

Read the Full Advisory


Advisory ID: RHSA-2014:0322-01
Product: Red Hat Enterprise Linux
Issue date: 2014-03-24

Topic

Updated net-snmp packages that fix two security issues are now availablefor Red Hat Enterprise Linux 5.The Red Hat Security Response Team has rated this update as having Moderatesecurity impact. Common Vulnerability Scoring System (CVSS) base scores,which give detailed severity ratings, are available for each vulnerabilityfrom the CVE links in the References section.

Relevant Releases Architectures

RHEL Desktop Workstation (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

Bugs Fixed

1038007 - CVE-2012-6151 net-snmp: snmpd crashes/hangs when AgentX subagent times-out

1072778 - CVE-2014-2285 net-snmp: snmptrapd crash when using a trap with empty community string

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.