----- B a l a B i t   S e c u r i t y   A d v i s o r y   ( B B S A ) -----

PACKAGE            : ucd-snmp
AFFECTED VERSION   : <= 4.2.3-2.zorpos3
FIXED              : 4.2.3-2.zorpos3
SUMMARY            : buffer overflow
TYPE               : remote
AFFECTED           : ZorpOS 3.0
ZORP-OS SPECIFIC   : NO
BBSA-AUTHOR        : Tamás Pál
BBSA-ID            : BBSA-2008-026
BBSA-ADDRESS       : advisory@balabit.hu
GNUPG FINGERPRINT  : 933E 6763 D32D A01C 1A75 F228 9CB1 81C7 D91E 8915
CVE                : CVE-2008-2292
DATE               : May 29, 2008

-----------------------------------------------------------------------------

BACKGROUND:

Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP
5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a large OCTETSTRING in an attribute value pair.

SOLUTION:

We recommend that you update the affected packages immediately.

Upgrading using apt:
~~~~~~~~~~~~~~~~~~~~

ZorpOS version 3.0:

Add the following line to /etc/apt/sources.list (if it doesn't contain
this line already):

  deb https://USERNAME:PASSWORD@apt.balabit.hu/zorp-os \
      zorp-os-3.0/3.0security zorp-os zorp-os-extra

then issue the following commands as root:

  apt-get update
  apt-get -u upgrade

The latest upgrades will be downloaded and installed.

REFERENCES:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292
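The bug class behind this advisory is a fixed-size output buffer that receives a formatted SNMP OCTET STRING without any check that the formatted value fits. The following is an added, self-contained C illustration of that pattern and of the bounded form that fixes it; it is not Net-SNMP, SNMP.xs or BalaBit code, and the function names, the 32-byte VALUE_BUF_LEN and the constructed 1000-octet sample value are assumptions made for the example. The unsafe variant is only ever called with a small value here, because calling it with a large one is exactly the out-of-bounds write the advisory describes.

```c
/* Added example, not Net-SNMP or SNMP.xs code: rendering an SNMP OCTET
 * STRING as "XX XX XX" into a fixed-size buffer, unsafe vs. bounded. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Deliberately small (assumed for the example) so that a "large" OCTET
 * STRING is only a few dozen octets; a bigger buffer has the same bug. */
#define VALUE_BUF_LEN 32

/* Bytes needed to render `len` octets as "XX XX ... XX" plus the NUL:
 * 2 for the first octet, 3 for each further octet, 1 for the NUL. */
size_t octets_needed(size_t len)
{
    return len == 0 ? 1 : 3 * len;
}

/* VULNERABLE PATTERN: assumes the value fits in VALUE_BUF_LEN and never
 * checks. With more than 10 octets it writes past the end of buf.
 * Only call it with small inputs; it exists to show the shape of the bug. */
void format_octets_unsafe(char buf[VALUE_BUF_LEN], const uint8_t *octets, size_t len)
{
    size_t pos = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < len; i++)
        pos += (size_t)sprintf(buf + pos, i ? " %02X" : "%02X", octets[i]);
}

/* Hardened form: the caller passes the buffer size, the output is always
 * NUL-terminated, and truncation is reported instead of overflowing.
 * Returns 1 if the whole value fit, 0 if it was truncated. */
int format_octets_safe(char *buf, size_t buf_len, const uint8_t *octets, size_t len)
{
    size_t pos = 0;
    if (buf_len == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < len; i++) {
        size_t need = i ? 3 : 2;           /* " XX" or "XX", without the NUL */
        if (pos + need + 1 > buf_len)       /* keep room for the NUL */
            return 0;                       /* truncated; buf is still valid */
        pos += (size_t)snprintf(buf + pos, buf_len - pos,
                                i ? " %02X" : "%02X", octets[i]);
    }
    return 1;
}

/* Constructed 1000-octet value standing in for an attacker-supplied
 * OCTETSTRING. Returns 1 if the bounded formatter refused to overflow. */
int large_value_is_truncated(void)
{
    uint8_t big[1000];
    char buf[VALUE_BUF_LEN];
    memset(big, 0x41, sizeof big);
    int fit = format_octets_safe(buf, sizeof buf, big, sizeof big);
    return fit == 0 && strlen(buf) < sizeof buf;
}

/* A short value that fits both formatters; returns 1 if they agree. */
int small_value_fits(void)
{
    const uint8_t small[3] = {0x01, 0x02, 0x03};
    char a[VALUE_BUF_LEN], b[VALUE_BUF_LEN];
    int fit = format_octets_safe(a, sizeof a, small, sizeof small);
    format_octets_unsafe(b, small, sizeof small);
    return fit == 1 && strcmp(a, "01 02 03") == 0 && strcmp(a, b) == 0;
}

int main(void)
{
    printf("1000 octets need %zu bytes, buffer holds %d\n",
           octets_needed(1000), VALUE_BUF_LEN);
    printf("small value fits: %d\n", small_value_fits());
    printf("large value truncated instead of overflowing: %d\n",
           large_value_is_truncated());
    return 0;
}
```

The check that matters is the one before each write: the bounded version compares the bytes it is about to emit against the space left and stops, whereas the unsafe version trusts that the caller's buffer is large enough for whatever length the peer put on the wire.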