
[Ticket#2020070701000015] Security issues in net-snmp #145

Closed
usdResponsibleDisclosure opened this issue Jul 9, 2020 · 8 comments

Comments

@usdResponsibleDisclosure

Dear all,

In the course of a penetration test performed by our security analysts, we have noticed some security vulnerabilities in net-snmp.

Your deprecated bug tracker (http://www.net-snmp.org/bugs/) redirects to Github. Sadly, Github does not support creating private issues for security relevant bugs.

We would like to send you the findings in an encrypted manner to enable you to mitigate them.
For encrypted communication, we can offer a web-based platform hosted by us, or we can offer to encrypt our e-mails via S/MIME or PGP. Please let us know which method fits you best. In order to transmit our findings via email, we will need either a public S/MIME certificate or your public PGP key of an active and trustworthy contributor of this project.

As stated in our Responsible Disclosure Guideline (see https://www.usd.de/wp-content/uploads/2017/10/usd-Responsible-Disclosure-EN.pdf), we will treat the vulnerabilities as confidential. We will grant you a time frame of 60 days to release a patch. After that deadline, we will reserve the right to publish the vulnerabilities.

Sincerely,
usd responsible disclosure team


About usd AG

usd AG protects companies from hackers and criminals. As an accredited auditor, we consult and certify companies worldwide. Our work is as dynamic and diverse as current threats. We review IT systems, applications and processes for security vulnerabilities and help with their mitigation. With our Security Trainings, we raise security awareness; the CST Academy promotes an active dialogue and a transfer of knowledge.

www.usd.de
more security. usd

..........................................................................

Registered office: 63263 Neu-Isenburg
Local court of Offenbach: HRB 34667
Executive Board: Andreas Duchmann, Manfred Tubach (CEO)
Chairman supervisory board: Dr. Dietmar Kirchner
VAT ID: DE 163774242
..........................................................................

@bvanassche
Contributor

Last time a Net-SNMP security bug was reported it turned out to be a bug in a MIB that is not used that widely (commit 06c09a1). Do we really need the security level of encrypted email? How about sharing a Google doc with the core developers instead of using encrypted email to disclose the discovered vulnerabilities?

@usdResponsibleDisclosure
Author

usdResponsibleDisclosure commented Jul 9, 2020

Dear Mr. Van Assche,

Thank you very much for your immediate response. If you provide a mail address, we can share our findings using our web-based platform.

Kind regards,
usd responsible disclosure team

@bvanassche
Contributor

Please use the following address for the disclosure: bart.vanassche@gmail.com. If anyone else wants to gain access to the disclosure report, please request access.

@rstory
Contributor

rstory commented Jul 10, 2020

The project owner and I can both receive PGP-encrypted mail, encrypted with the project signing key, sent to our admin list:

pub rsa4096/ACB19FD6 2017-10-29 [SC] [expires: 2022-10-28]
D0F8F495DA6160C44EFFBF10F07B9D2DACB19FD6
uid [ full ] Net-SNMP Administrators net-snmp-admins@lists.sourceforge.net
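The listing above names the key by its short ID (ACB19FD6), which is only the last 8 hex digits of the full fingerprint and is not a reliable identifier on its own; anyone encrypting a report should compare the full 40-character fingerprint with a copy obtained through a second channel and also check the key's validity window. The following is an added example, not code posted by rstory or shipped by Net-SNMP: it parses a `gpg --list-keys`-style listing as pasted in the thread, confirms that the short key ID is consistent with the fingerprint, compares the fingerprint against an out-of-band copy, and flags an expired key. The `expected_fingerprint` argument and the `today` date are assumptions supplied by the caller.

```python
import re
from datetime import date

# The key listing exactly as it appears in the issue comment above.
# (Real gpg output groups the fingerprint in blocks of four; both forms are handled.)
NET_SNMP_ADMIN_KEY_LISTING = """
pub rsa4096/ACB19FD6 2017-10-29 [SC] [expires: 2022-10-28]
D0F8F495DA6160C44EFFBF10F07B9D2DACB19FD6
uid [ full ] Net-SNMP Administrators net-snmp-admins@lists.sourceforge.net
"""

_PUB_RE = re.compile(r"^pub\s+(?P<algo>\w+)/(?P<keyid>[0-9A-Fa-f]{8,16})\s+(?P<created>\d{4}-\d{2}-\d{2})")
_EXPIRES_RE = re.compile(r"expires:\s*(?P<expires>\d{4}-\d{2}-\d{2})")
_UID_RE = re.compile(r"^uid\s+\[\s*(?P<validity>\w+)\s*\]\s*(?P<name>.+)$")


def normalize_fingerprint(text: str) -> str:
    """Strip whitespace and upper-case a fingerprint; returns '' if it is not 40 hex digits."""
    fpr = re.sub(r"\s+", "", text).upper()
    return fpr if re.fullmatch(r"[0-9A-F]{40}", fpr) else ""


def parse_key_listing(listing: str) -> dict:
    """Parse the 'pub' / fingerprint / 'uid' lines of a gpg key listing into a dict."""
    lines = [ln.strip() for ln in listing.strip().splitlines() if ln.strip()]
    if not lines or not (pub := _PUB_RE.match(lines[0])):
        raise ValueError("listing does not start with a 'pub' line")
    exp = _EXPIRES_RE.search(lines[0])
    key = {
        "algo": pub["algo"],
        "keyid": pub["keyid"].upper(),
        "created": date.fromisoformat(pub["created"]),
        "expires": date.fromisoformat(exp["expires"]) if exp else None,
        "fingerprint": "",
        "uids": [],
    }
    for line in lines[1:]:
        if uid := _UID_RE.match(line):
            key["uids"].append((uid["validity"], uid["name"].strip()))
        elif fpr := normalize_fingerprint(line):
            key["fingerprint"] = fpr
    return key


def key_id_matches_fingerprint(keyid: str, fingerprint: str) -> bool:
    """A short (8) or long (16) key ID is the trailing part of the fingerprint."""
    return bool(fingerprint) and fingerprint.endswith(keyid.upper())


def check_recipient_key(listing: str, expected_fingerprint: str, today: date) -> list:
    """Return a list of problems that should stop you from encrypting to this key; [] means OK."""
    key = parse_key_listing(listing)
    problems = []
    expected = normalize_fingerprint(expected_fingerprint)
    if not key["fingerprint"]:
        problems.append("listing carries no full fingerprint; do not trust the short key ID alone")
    elif not expected:
        problems.append("out-of-band fingerprint is malformed")
    elif key["fingerprint"] != expected:
        problems.append("fingerprint does not match the copy obtained out of band")
    if not key_id_matches_fingerprint(key["keyid"], key["fingerprint"]):
        problems.append("key ID is not the tail of the fingerprint; listing is inconsistent")
    if key["created"] > today:
        problems.append("key creation date is in the future")
    if key["expires"] is not None and today > key["expires"]:
        problems.append(f"key expired on {key['expires'].isoformat()}")
    if not any(v in ("full", "ultimate") for v, _ in key["uids"]):
        problems.append("no user ID with full or ultimate validity")
    return problems


if __name__ == "__main__":
    # Fingerprint as it would be read back from a second channel (here: the same value, constructed).
    out_of_band = "D0F8 F495 DA61 60C4 4EFF BF10 F07B 9D2D ACB1 9FD6"
    for day in (date(2020, 7, 10), date(2023, 1, 1)):
        print(day, check_recipient_key(NET_SNMP_ADMIN_KEY_LISTING, out_of_band, day) or "OK to encrypt")
```

The check deliberately treats a missing fingerprint as a failure rather than falling back to the short key ID, because 32-bit key IDs can be generated to collide with a chosen target; the expiry check matters here because the listed key was valid only until 2022-10-28.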

@bvanassche
Contributor

@usdResponsibleDisclosure, do you agree that one of the two reported vulnerabilities has been fixed by commit 4fd9a45?

@thesamesam
Contributor

Any update on this?

@bvanassche
Contributor

Candidate fixes for all reported vulnerabilities by USD AG have been checked in on the v5.8 and master branches.

@usdResponsibleDisclosure
Author

Hi @thesamesam,

Communication on this was moved to a private channel, so there was no publicly visible activity in this issue, but @bvanassche took further actions as described above.

Best regards
