oss-sec mailing list archives
Re: CVE request for two net-snmp remote DoS flaws
From: cve-assign () mitre org
Date: Wed, 5 Mar 2014 14:08:31 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
1. net-snmp: denial of service flaw in Linux implementation of ICMP-MIB
https://bugzilla.redhat.com/show_bug.cgi?id=1070396 http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/
A first look at the patch suggests that it's about missing input validation, and not also about independently exploitable off-by-one errors in the sizes of data structures. In other words, although something like: - struct icmp_msg_mib vals[255]; + struct icmp_msg_mib vals[256]; would often be an independent security fix (255 is an unusual size), here it's not a security fix relative to the original code. If other analysis shows that that's incorrect, we'll add another CVE ID. Use CVE-2014-2284 for the missing input validation.
2. net-snmp: snmptrapd crash when using a trap with empty community string https://bugzilla.redhat.com/show_bug.cgi?id=1072778 https://bugzilla.redhat.com/show_bug.cgi?id=1072044 http://sourceforge.net/p/net-snmp/patches/1275/
Use CVE-2014-2285. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTF3S0AAoJEKllVAevmvms15wH/A2vbg+phBFo/ChivsN7fVRJ iVCRCFG7b81xVeZmnMPE0EM1YXaGefG9cYdKmRtnaCO5p2anuuJgzpjB+rE37C7a T2+rZIrhmkyOYmxUoebGrzwAqU7l0IqLfP5GOZJ8vbuaVyMWd8VJ6nlzmq8kF1yZ fGToucAz2jsDKOctGs6R8GGkKjNI5WdpgxkgQ6rrEdW0VfQzW7uz0AcgdXtmHjx1 DerxDuhQxTGGrT+salAa3n8eNV7kBmfsroR72gv7agdW2hZ7E74c5CZG8hfwmNgN qcijF53zMJ46+u5nbm84ic7Rtopms/edABSd/DmZVHRGEs+ZILpvcWX47nX3wAM= =BxeE -----END PGP SIGNATURE-----
Current thread:
- CVE request for two net-snmp remote DoS flaws Huzaifa Sidhpurwala (Mar 05)
- Re: CVE request for two net-snmp remote DoS flaws cve-assign (Mar 05)