-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 29 May 2026 15:18:47 +0200 Source: lwip Architecture: source Version: 2.2.1+dfsg1-1+deb13u1 Distribution: trixie Urgency: medium Maintainer: Joan Lledó Changed-By: Joan Lledó Changes: lwip (2.2.1+dfsg1-1+deb13u1) trixie; urgency=medium . * Fix CVE-2026-8836: snmpv3: fix handling packets with invalid msgAuthenticationParameters length * A remote attacker can send a crafted msgAuthenticationParameters field to overflow a stack buffer in snmp_parse_inbound_frame(). * Re-enables the bounds check on msgAuthenticationParameters length in snmp_parse_inbound_frame() and clamps the copy length to SNMP_V3_MAX_AUTH_PARAM_LENGTH instead of using the attacker-controlled TLV value length * https://savannah.nongnu.org/bugs/?68194 Checksums-Sha1: e283b4c1ebbbaccbf54e4508b84cdb677ef6acaa 2118 lwip_2.2.1+dfsg1-1+deb13u1.dsc e588ea850293bb0d60f47b6938bdc179896d407b 14948 lwip_2.2.1+dfsg1-1+deb13u1.debian.tar.xz f5f0818f342f397af0c0c29b04ca614f9c860609 8199 lwip_2.2.1+dfsg1-1+deb13u1_amd64.buildinfo Checksums-Sha256: 07ecb7122b2882a5265c6d1413947dd9a054d5ae25150b7042885d3f3d0b5aad 2118 lwip_2.2.1+dfsg1-1+deb13u1.dsc faa343b3c76d69080240ae1323932b7348fa1d0042f6ad29bd286246660720a9 14948 lwip_2.2.1+dfsg1-1+deb13u1.debian.tar.xz 1b195840ff921ae56c653d329b91f8a063da80658c6e9c6403f8aff1a4280c3d 8199 lwip_2.2.1+dfsg1-1+deb13u1_amd64.buildinfo Files: d446d5e6146541ee209050b52b78097a 2118 libs optional lwip_2.2.1+dfsg1-1+deb13u1.dsc e09d40e6e146e8374b22ccc51d9c6a4f 14948 libs optional lwip_2.2.1+dfsg1-1+deb13u1.debian.tar.xz 23ef0f0ac4a110567c3e8615ba224416 8199 libs optional lwip_2.2.1+dfsg1-1+deb13u1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQJLBAEBCgA1FiEEitwNudTbNE2R94iMoZnXa8pGkeMFAmpZBbgXHGpsbGVkb21A bWVtYmVyLmZzZi5vcmcACgkQoZnXa8pGkeM1ow/8CjyE2aSnBEQ7TYOBzP9WN9dt BXz2/aPsKZM2clg+ClsNaQca1c3VNHabwq52In0q//Vp6ycxbZWt9PKlYVrAqECf O/2aMbpY13ak4W2R8Px4XISMNaOCZCLdxTsEfGcfFg1xS/1NiymiiGikIoraIvap iS37NNIXLfrNX0+FD+FWRp3PLVr/U+WDtMhoEWVmTI/19S2UJ0CxufXi7ZOLJEoD nX1wuuevwKJf75eCLYxeUq40AOl3XwvyZMItjxlGa5BFEO8vXi3/DyWnCD4UNF4e 2oM6Tqkdr1KgArBAjp7U9CFgOZrxsfMLG7Dp3dzAZ3CTd9/9hY3vyiHd/P0Lx61m ry3nR5O1jlKgG5gc/gdrHMWAbNSD3ohdunYV2AVF87NiK4QhP7iIXbdYccx8RJs0 HW3yuUtCipO91tQA0RiUWXvU7IMmy9zteFCQ9bJF2nmnSbS8cCj3lmIcP5iEe64x 2G5XPoFzPvT7EoJM7O8gmGDYuppn3VI5D+rddHQcpXcwKtZIQtSIKrPPDnnl4EjU RmyKp2ITKEO9mJN1EqZAJD5ckc4rp/LJmZzokWofeheZ1tj8dHaEWe6b9DWo1pvF TTW8Waa/oVGbvQPmNj8aUxHME0vtOITKexp2RGsibUAk4XTXRdN5cbcFqIBh3xfr BiMUgIHxJfkSfmmkucs= =bBmo -----END PGP SIGNATURE-----