Message-ID: <20181009092102.oyyogeqoocjm6xmi@lorien.valinor.li>
Date: Tue, 9 Oct 2018 11:21:02 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: net-snmp 5.7.3 unauthenticated remote Denial of
 Service (exploit available)

Hi,

On Tue, Oct 09, 2018 at 12:31:32AM +0200, Alexander Bergmann wrote:
> Hi Magnus,
> 
> thanks for your report. I can reproduce VULN#2 (CVE-2018-18065) with our
> net-snmp-5.7.3 version (sle12/sle15). Our net-snmp-5.4.2.1 version seems
> to be unaffected.
> 
> Regarding your VULN#1 (CVE-2018-18066) I noticed that the patch was
> already applied to our code base and CVE-2015-5621 was assigned. The
> issue was already mentioned here at oss-security.
> 
> https://www.openwall.com/lists/oss-security/2015/07/31/1
> 
> I didn't check the details yet, but if the new CVE is a duplicate,
> please contact NIST about it.

Is it actually the same issue? I'm asking because for instance, there
was indeed earlier CVE-2015-5621 and CVE-2018-1000116, which both were
addressed with this same commit, but are considered two separate
issues. So if CVE-2018-18066 is different from CVE-2015-5621 or
CVE-2018-1000116, the assignment would not be a duplicate.

Regards,
Salvatore
