oss-sec mailing list archives

Re: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available)

From: Magnus Klaaborg Stubman <magnus () stubman eu>
Date: Wed, 10 Oct 2018 08:38:50 +0200

Hi guys,

Yesterday I submitted a change request asking MITRE to mark CVE-2018-18066 as a duplicate of CVE-2015-5621.
Thank you for bringing the issue to my attention!

Magnus

On 9 Oct 2018, at 11.21, Salvatore Bonaccorso <carnil () debian org> wrote:

Hi,

On Tue, Oct 09, 2018 at 12:31:32AM +0200, Alexander Bergmann wrote:

Hi Magnus,

thanks for your report. I can reproduce VULN#2 (CVE-2018-18065) with our
net-snmp-5.7.3 version (sle12/sle15). Our net-snmp-5.4.2.1 version seams
to be unaffected.

Regarding your VULN#1 (CVE-2018-18066) I noticed that the patch was
already applied to our code base and CVE-2015-5621 was assigned. The
issue was already mentioned here at oss-security.

https://www.openwall.com/lists/oss-security/2015/07/31/1

I didn't check the details yet, but if the new CVE is a duplicate,
please contact NIST about it.


Is it actually the same issue? I'm asking because for instance, there
was indeed earlier CVE-2015-5621 and CVE-2018-1000116, which both were
adressed with this same commit, but are considered two separate
issues. So if CVE-2018-18066 is different from CVE-2015-5621 or
CVE-2018-1000116, the assignment would not be a duplicate.

Regards,
Salvatore

Current thread:

net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available) Magnus Klaaborg Stubman (Oct 08)
- Re: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available) Alexander Bergmann (Oct 08)
  - Re: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available) Salvatore Bonaccorso (Oct 09)
    - Re: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available) Magnus Klaaborg Stubman (Oct 10)