Skip to content

Commit ce66eb9

Browse files
committed
updates to CHANGES/NEWS
1 parent a8ea1e4 commit ce66eb9

File tree

2 files changed

+50
-5
lines changed

2 files changed

+50
-5
lines changed

Diff for: CHANGES

+26-4
Original file line numberDiff line numberDiff line change
@@ -4,10 +4,28 @@ a summary of the major changes, and the ChangeLog file for a comprehensive
44
listing of all changes made to the code.
55

66
*5.9.2*:
7-
misc:
8-
- snmp-create-v3-user: Fix the snmpd.conf path @datadir@ is
9-
expanded in ${datarootdir} so datarootdir must be set before
10-
@datadir@ is used.
7+
security:
8+
- These two CVEs can be exploited by a user with read-only credentials:
9+
- CVE-2022-24805 A buffer overflow in the handling of the INDEX of
10+
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
11+
- CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
12+
can cause a NULL pointer dereference.
13+
- These CVEs can be exploited by a user with read-write credentials:
14+
- CVE-2022-24806 Improper Input Validation when SETing malformed
15+
OIDs in master agent and subagent simultaneously
16+
- CVE-2022-24807 A malformed OID in a SET request to
17+
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
18+
out-of-bounds memory access.
19+
- CVE-2022-24808 A malformed OID in a SET request to
20+
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
21+
- CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
22+
can cause a NULL pointer dereference.
23+
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
24+
If you must use SNMPv1 or SNMPv2c, use a complex community string
25+
and enhance the protection by restricting access to a given IP address range.
26+
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
27+
reporting the following CVEs that have been fixed in this release, and
28+
to Arista Networks for providing fixes.
1129

1230
Windows:
1331
- WinExtDLL: Fix multiple compiler warnings
@@ -27,6 +45,10 @@ listing of all changes made to the code.
2745
- Moved transport code into a separate subdirectory in snmplib
2846
- Snmplib: remove inline versions of container funcs".
2947

48+
misc:
49+
- snmp-create-v3-user: Fix the snmpd.conf path @datadir@ is
50+
expanded in ${datarootdir} so datarootdir must be set before
51+
@datadir@ is used.
3052

3153
*5.9.1*:
3254
General: Many bug fixes

Diff for: NEWS

+24-1
Original file line numberDiff line numberDiff line change
@@ -4,13 +4,36 @@ that have been fixed/applied, and the ChangeLog file for a comprehensive
44
listing of all changes made to the code.
55

66
*5.9.2*:
7-
general: Many bug fixes
7+
security:
8+
- These two CVEs can be exploited by a user with read-only credentials:
9+
- CVE-2022-24805 A buffer overflow in the handling of the INDEX of
10+
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
11+
- CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
12+
can cause a NULL pointer dereference.
13+
- These CVEs can be exploited by a user with read-write credentials:
14+
- CVE-2022-24806 Improper Input Validation when SETing malformed
15+
OIDs in master agent and subagent simultaneously
16+
- CVE-2022-24807 A malformed OID in a SET request to
17+
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
18+
out-of-bounds memory access.
19+
- CVE-2022-24808 A malformed OID in a SET request to
20+
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
21+
- CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
22+
can cause a NULL pointer dereference.
23+
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
24+
If you must use SNMPv1 or SNMPv2c, use a complex community string
25+
and enhance the protection by restricting access to a given IP address range.
26+
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
27+
reporting the following CVEs that have been fixed in this release, and
28+
to Arista Networks for providing fixes.
829

930
misc:
1031
- Snmp-create-v3-user: Fix the snmpd.conf path @datadir@ is
1132
expanded in ${datarootdir} so datarootdir must be set before
1233
@datadir@ is used.
1334

35+
general: Many bug fixes
36+
1437
*5.9.1*:
1538
General: Many bug fixes
1639

0 commit comments

Comments
 (0)