- Update from version 5.9.1 to 5.9.3
- Version 5.9.4 exists but it is indicated that SNMP over TLS and/or DTLS is not
functioning properly with various versions of OpenSSL. However I could not find which
versions mentioned in the News or Changelog. The problem will be fixed in a future
version. There are no CVE fixes in 5.9.4, only a relatively few bug fixes so I
decided to wait for the fixed version in case there are users using TLS with SNMP.
- Update of rootfile
- 6 CVE fixes in 5.9.3
- Changelog
5.9.3
security:
- These two CVEs can be exploited by a user with read-only credentials:
- CVE-2022-24805 A buffer overflow in the handling of the INDEX of
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
- CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
- CVE-2022-24806 Improper Input Validation when SETing malformed
OIDs in master agent and subagent simultaneously
- CVE-2022-24807 A malformed OID in a SET request to
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
out-of-bounds memory access.
- CVE-2022-24808 A malformed OID in a SET request to
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
- CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
If you must use SNMPv1 or SNMPv2c, use a complex community string
and enhance the protection by restricting access to a given IP address
range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
reporting the following CVEs that have been fixed in this release, and
to Arista Networks for providing fixes.
misc:
- Snmp-create-v3-user: Fix the snmpd.conf path @datadir@ is
expanded in ${datarootdir} so datarootdir must be set before
@datadir@ is used.
general: Many bug fixes
5.9.2
skipped due to a last minute library versioning found bug -- use 5.9.3 instead
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 5.8 to 5.9.1
- Update rootfile
- find-dependencies run to check impact of so lib bump
no issues found
- Changelog - for more details on the Many bug fixes for 5.9.1 see the
ChangeLog file in the source tarball
The following is from the CHANGES file in the source tarball
*5.9.1*:
General: Many bug fixes
*5.9*
snmplib:
- Add IPv6 support to DTLSUDP transport
- use new netsnmp_sockaddr_storage in netsnmp_addr_pair
- add base_transport ptr for tunneled transports
- Add support for OpenSSL 1.1.1
- Dtls: overhaul of debug
- Remove inline versions of container funcs
snmpd:
- Use ETHTOOL_GLINKSETTINGS when available Newer Linux kernels
support ETHTOOL_GLINKSETTINGS. Use it when available instead of the
older and deprecated ETHTOOL_GSET. This patch avoids that the Linux
kernel reports the following kernel warning: warning: 'snmpd' uses
legacy ethtool link settings API, link modes are only partially
reported See also https://sourceforge.net/p/net-snmp/patches/1387/.
[bvanassche: reworked this patch significantly]
- Reduce the time needed to execute "pass" scripts on BSD systems See
also https://github.com/net-snmp/net-snmp/issues/8.
- [BUG 2926]: Make it possible to set agentXPingInterval for a
subagent - register agentXPingInterval for the subagent list
handler, before it was registered for snmp - added agentxTimeout to
the subagent list handler. It's now possible to set for snmpd and
the subagent. See 'man snmpd.conf' - added agentxRetries to the
subagent list handler. See 'man snmpd.conf'. It's never used in the
subagent, but it's now following the documentation Signed-off-by:
Anders Wallin <wallinux@gmail.com>
snmptrap:
- BUG: 2899: Patch from Drew Roedersheimer to set library
engineboots/time values before sending
snmptrapd:
- Add support for the latest libmysqlclient version
libsnmp:
- Scan MIB directories in alphabetical order This guarantees that
e.g. mibs/RFC1213-MIB.txt is read before mibs/SNMPv2-MIB.txt. The
order in which these MIBs is read matters because both define
sysLocation but with different attributes.
unspecified:
- [BUG 2930]: Fix a Solaris hrSWInst crash Avoid that snmpd crashes
on Solaris when querying software packages with an empty CATEGORY
field. See also https://sourceforge.net/p/net-snmp/bugs/2930/. See
also https://sourceforge.net/p/net-snmp/patches/1390/.
FreeBSD:
- Fix first byte of IF-MIB::ifPhysAddress Don't write past the
interface name, and use temporary copy instead. This fixes the
first byte of ifPhysAddress always being 0 on FreeBSD. See also
https://sourceforge.net/p/net-snmp/code/merge-requests/20/. [
bvanassche: edited patch title / added test for malloc() result /
reduced number of free(if_name) calls ]
Win32:
- BUG: 2779541 Fixed handle leak in pass_persist.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
