Bug 363631 (CVE-2007-5846) - CVE-2007-5846 net-snmp remote DoS via udp packet
Summary: CVE-2007-5846 net-snmp remote DoS via udp packet
Status: CLOSED ERRATA
Alias: CVE-2007-5846
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Jan Safranek
QA Contact:
URL:
Whiteboard: reported=20071102,source=it,impact=im...
Keywords: Security
Depends On: 366591 366601 366611 366621 366631 411721
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-11-02 11:59 UTC by Jatin Nansi
Modified: 2018-10-19 22:12 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-14 12:39:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:1045 normal SHIPPED_LIVE Moderate: net-snmp security update 2007-11-15 17:09:59 UTC

Comment 9 Mark J. Cox 2007-11-05 11:27:56 UTC
A customer has reported that a certain udp packet can cause net-snmp to crash
(after using a lot of CPU/memory).  This was traced to the following issue
already fixed upstream in net-snmp:

http://sourceforge.net/tracker/index.php?func=detail&aid=1712988&group_id=12694&atid=112694

A remote attacker who can connect to the snmpd UDP port (161 by default) could
send a malicious package causing snmpd to crash, a denial of service.

CVE name applied for (as public issue)

Verified this issue affects rhel4,5.  Issue may affect rhel3 (testing so far
inconclusive).  We will create an async security update to address this issue.

Comment 10 Mark J. Cox 2007-11-07 09:31:21 UTC
now public via CVE, removing embargo.

Comment 16 Red Hat Product Security 2008-01-14 12:39:37 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-1045.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-3019
  Fedora 8 ships with fixed upstream version net-snmp-5.4.1


Note You need to log in before you can comment on or make changes to this bug.