Ubuntu Security Notice USN-685-1
3rd December, 2008
net-snmp vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 8.10
- Ubuntu 8.04 LTS
- Ubuntu 7.10
- Ubuntu 6.06 LTS
Software description
- net-snmp
Details
Wes Hardaker discovered that the SNMP service did not correctly validate
HMAC authentication requests. An unauthenticated remote attacker
could send specially crafted SNMPv3 traffic with a valid username
and gain access to the user's views without a valid authentication
passphrase. (CVE-2008-0960)
John Kortink discovered that the Net-SNMP Perl module did not correctly
check the size of returned values. If a user or automated system were
tricked into querying a malicious SNMP server, the application using
the Perl module could be made to crash, leading to a denial of service.
This did not affect Ubuntu 8.10. (CVE-2008-2292)
It was discovered that the SNMP service did not correctly handle large
GETBULK requests. If an unauthenticated remote attacker sent a specially
crafted request, the SNMP service could be made to crash, leading to a
denial of service. (CVE-2008-4309)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 8.10:
- libsnmp15 5.4.1~dfsg-7.1ubuntu6.1
- Ubuntu 8.04 LTS:
- libsnmp-perl 5.4.1~dfsg-4ubuntu4.2
- libsnmp15 5.4.1~dfsg-4ubuntu4.2
- Ubuntu 7.10:
- libsnmp-perl 5.3.1-6ubuntu2.2
- libsnmp10 5.3.1-6ubuntu2.2
- Ubuntu 6.06 LTS:
- libsnmp-perl 5.2.1.2-4ubuntu2.3
- libsnmp9 5.2.1.2-4ubuntu2.3
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system upgrade is sufficient to effect the
necessary changes.