It was reported [1] that Net-SNMP releases 5.5 through 5.7.2 were vulnerable to a potential remotely-triggerable denial of service attack on the Linux platform, when the ICMP-MIB is in use. Net-SNMP 5.4.x users, and those who do not make use of the ICMP-MIB table objects, are not vulnerable. This is fixed in git [2].
[1] http://sourceforge.net/p/net-snmp/mailman/message/32026655/
[2] http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/
Created attachment 868119: upstream patch to correct the flaw
I don't like sourceforge's web interface to git so this is the actual patch in a useable form.
Created net-snmp tracking bugs for this issue:
Affects: fedora-all [bug 1071753]
MITRE assigned CVE-2014-2284 to this issue: http://seclists.org/oss-sec/2014/q1/506
net-snmp-5.7.2-17.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
net-snmp-5.7.2-14.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2014:0321 https://rhn.redhat.com/errata/RHSA-2014-0321.html
Statement: Not vulnerable. This issue did not affect the versions of net-snmp as shipped with Red Hat Enterprise Linux 5.