From bugzilla@redhat.com Tue Dec 2 15:47:43 2003 From: bugzilla@redhat.com To: redhat-watch-list@redhat.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com Date: Tue, 2 Dec 2003 12:37 -0500 Subject: [Full-Disclosure] [RHSA-2003:335-01] Updated Net-SNMP packages fix security and other bugs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Updated Net-SNMP packages fix security and other bugs Advisory ID: RHSA-2003:335-01 Issue date: 2003-12-02 Updated on: 2003-12-02 Product: Red Hat Linux Keywords: ucd-snmp Cross references: Obsoletes: RHSA-2003:228 CVE Names: CAN-2003-0935 - --------------------------------------------------------------------- 1. Topic: Updated Net-SNMP packages are available to correct a security vulnerability and other bugs. 2. Relevant releases/architectures: Red Hat Linux 8.0 - i386 Red Hat Linux 9 - i386 3. Problem description: The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0935 to this issue. Users of Net-SNMP are advised upgrade to these errata packages containing Net-SNMP 5.0.9 which is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. RPMs required: Red Hat Linux 8.0: SRPMS: ftp://updates.redhat.com/8.0/en/os/SRPMS/net-snmp-5.0.9-2.80.1.src.rpm i386: ftp://updates.redhat.com/8.0/en/os/i386/net-snmp-5.0.9-2.80.1.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/net-snmp-devel-5.0.9-2.80.1.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/net-snmp-perl-5.0.9-2.80.1.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/net-snmp-utils-5.0.9-2.80.1.i386.rpm Red Hat Linux 9: SRPMS: ftp://updates.redhat.com/9/en/os/SRPMS/net-snmp-5.0.9-2.90.1.src.rpm i386: ftp://updates.redhat.com/9/en/os/i386/net-snmp-5.0.9-2.90.1.i386.rpm ftp://updates.redhat.com/9/en/os/i386/net-snmp-devel-5.0.9-2.90.1.i386.rpm ftp://updates.redhat.com/9/en/os/i386/net-snmp-perl-5.0.9-2.90.1.i386.rpm ftp://updates.redhat.com/9/en/os/i386/net-snmp-utils-5.0.9-2.90.1.i386.rpm 6. Verification: MD5 sum Package Name - -------------------------------------------------------------------------- 67d440e6f8a4c80f8a784b9379b0a729 8.0/en/os/SRPMS/net-snmp-5.0.9-2.80.1.src.rpm 8010acf4d3288e4fcb4aa27a969d5a80 8.0/en/os/i386/net-snmp-5.0.9-2.80.1.i386.rpm 4076d0807c65958adae8d9817f368214 8.0/en/os/i386/net-snmp-devel-5.0.9-2.80.1.i386.rpm 521cf4af9fecdbf5000262c9493a085e 8.0/en/os/i386/net-snmp-perl-5.0.9-2.80.1.i386.rpm 2346cea65b945ffae9f1f9f51596af51 8.0/en/os/i386/net-snmp-utils-5.0.9-2.80.1.i386.rpm 94392aa55c263bdcbb6449c1d3a11f64 9/en/os/SRPMS/net-snmp-5.0.9-2.90.1.src.rpm 919a0e6b483c3c2d535d9882c98d3dde 9/en/os/i386/net-snmp-5.0.9-2.90.1.i386.rpm 944e33a996abef958f336c23adc04c9a 9/en/os/i386/net-snmp-devel-5.0.9-2.90.1.i386.rpm 13a537163ee51961f014c87652ebc95c 9/en/os/i386/net-snmp-perl-5.0.9-2.90.1.i386.rpm e006694219c4e02ab63b7759bfeda409 9/en/os/i386/net-snmp-utils-5.0.9-2.90.1.i386.rpm These packages are GPG signed by Red Hat for security. Our key is available from https://www.redhat.com/security/keys.html You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum 7. References: http://sourceforge.net/forum/forum.php?forum_id=308015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0935 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/solutions/security/news/contact.html Copyright 2003 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/zM20XlSAg2UNWIIRAj38AJkBxIhjyaziPIP/pXLBrsMrUX+ilwCeI74T dorA+zBqNuBRn17VBcdyeDQ= =4pXp -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html