From patchwork Thu Aug 15 07:48:17 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8012
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] netsnmpd: Update to version 5.9.3
Date: Thu, 15 Aug 2024 09:48:17 +0200
Message-ID: <20240815074817.2389-1-adolf.belka@ipfire.org>

- Update from version 5.9.1 to 5.9.3
- Version 5.9.4 exists but it is indicated that SNMP over TLS and/or DTLS is not
   functioning properly with various versions of OpenSSL. However I could not find which
   versions mentioned in the News or Changelog. The problem will be fixed in a future
   version. There are no CVE fixes in 5.9.4, only a relatively few bug fixes so I decided
   to wait for the fixed version in case there are users using TLS with SNMP.
- Update of rootfile
- 6 CVE fixes in 5.9.3
- Changelog
    5.9.3
    security:
      - These two CVEs can be exploited by a user with read-only credentials:
          - CVE-2022-24805 A buffer overflow in the handling of the INDEX of
            NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
          - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
            can cause a NULL pointer dereference.
      - These CVEs can be exploited by a user with read-write credentials:
          - CVE-2022-24806 Improper Input Validation when SETing malformed
            OIDs in master agent and subagent simultaneously
          - CVE-2022-24807 A malformed OID in a SET request to
            SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds
            memory access.
          - CVE-2022-24808 A malformed OID in a SET request to
            NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
          - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable can
            cause a NULL pointer dereference.
      - To avoid these flaws, use strong SNMPv3 credentials and do not share them.
        If you must use SNMPv1 or SNMPv2c, use a complex community string
        and enhance the protection by restricting access to a given IP address range.
      - Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
        reporting the following CVEs that have been fixed in this release, and
        to Arista Networks for providing fixes.
    misc:
      - Snmp-create-v3-user: Fix the snmpd.conf path
        @datadir@ is expanded in ${datarootdir} so datarootdir must be set before
        @datadir@ is used.
    general:
      Many bug fixes
    5.9.2
      skipped due to a last minute library versioning found bug -- use 5.9.3 instead

Signed-off-by: Adolf Belka
---
 config/rootfiles/packages/netsnmpd | 11 +++++------
 lfs/netsnmpd                       |  8 ++++----
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/config/rootfiles/packages/netsnmpd b/config/rootfiles/packages/netsnmpd index 8e1814886..510f4a0cf 100644 --- a/config/rootfiles/packages/netsnmpd +++ b/config/rootfiles/packages/netsnmpd @@ -110,7 +110,6 @@ usr/bin/traptoemail #usr/include/net-snmp/library/data_list.h #usr/include/net-snmp/library/default_store.h #usr/include/net-snmp/library/dir_utils.h -#usr/include/net-snmp/library/factory.h #usr/include/net-snmp/library/fd_event_manager.h #usr/include/net-snmp/library/file_utils.h #usr/include/net-snmp/library/getopt.h 
@@ -233,27 +232,27 @@ usr/bin/traptoemail #usr/lib/libnetsnmp.la #usr/lib/libnetsnmp.so usr/lib/libnetsnmp.so.40 -usr/lib/libnetsnmp.so.40.1.0 +usr/lib/libnetsnmp.so.40.2.0 #usr/lib/libnetsnmpagent.a #usr/lib/libnetsnmpagent.la #usr/lib/libnetsnmpagent.so usr/lib/libnetsnmpagent.so.40 -usr/lib/libnetsnmpagent.so.40.1.0 +usr/lib/libnetsnmpagent.so.40.2.0 #usr/lib/libnetsnmphelpers.a #usr/lib/libnetsnmphelpers.la #usr/lib/libnetsnmphelpers.so usr/lib/libnetsnmphelpers.so.40 -usr/lib/libnetsnmphelpers.so.40.1.0 +usr/lib/libnetsnmphelpers.so.40.2.0 #usr/lib/libnetsnmpmibs.a #usr/lib/libnetsnmpmibs.la #usr/lib/libnetsnmpmibs.so usr/lib/libnetsnmpmibs.so.40 -usr/lib/libnetsnmpmibs.so.40.1.0 +usr/lib/libnetsnmpmibs.so.40.2.0 #usr/lib/libnetsnmptrapd.a #usr/lib/libnetsnmptrapd.la #usr/lib/libnetsnmptrapd.so usr/lib/libnetsnmptrapd.so.40 -usr/lib/libnetsnmptrapd.so.40.1.0 +usr/lib/libnetsnmptrapd.so.40.2.0 #usr/lib/perl5/site_perl/5.36.0/xxxMACHINExxx-linux-thread-multi/Bundle usr/lib/perl5/site_perl/5.36.0/xxxMACHINExxx-linux-thread-multi/Bundle/MakefileSubs.pm #usr/lib/perl5/site_perl/5.36.0/xxxMACHINExxx-linux-thread-multi/NetSNMP diff --git a/lfs/netsnmpd b/lfs/netsnmpd index 7724cd7de..5605d6307 100644 --- a/lfs/netsnmpd +++ b/lfs/netsnmpd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config SUMMARY = SNMP Daemon -VER = 5.9.1 +VER = 5.9.3 THISAPP = net-snmp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = netsnmpd -PAK_VER = 14 +PAK_VER = 15 DEPS = 
@@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 6f4d5d279a81aa5f62628d3dd5221620590ad1dceec15fdc5e39705f7b08456b84aed4cf7376cbb807dd5b77dfe4162e47f2c9d29133f04ba321dfaf4aa7aaaa +$(DL_FILE)_BLAKE2 = b8e3de60e178ec16ad2848ad77f3bd4cbd35eaa9be103c0fa5d17514c29df4e69015ac53b54c9e565e3032b0c0bb47c19729e65310a6acefae901e101ea49451 install : $(TARGET)
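
Review bot: in config/rootfiles/packages/netsnmpd at @@ -233,27 +232,27 @@, all five shared libraries move from .so.40.1.0 to .so.40.2.0 while the usr/lib/libnetsnmp*.so.40 entries stay as they are, and the commit message does not say what that means for packages linked against them. Since the .so.40 names are unchanged, dependents should keep resolving without a rebuild; please say so in the commit message, or list any dependent package that was checked, so the "Update of rootfile" item can be verified on its own.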
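
Review bot: in lfs/netsnmpd at @@ -48,7 +48,7 @@, the new $(DL_FILE)_BLAKE2 value is the only integrity check on net-snmp-5.9.3.tar.gz, which is fetched from $(URL_IPFIRE), and neither the patch nor the commit message says how the archive was verified before the sum was taken. For a release whose purpose is six CVE fixes, please add a line to the commit message stating that the tarball was checked against the upstream release signature or published checksum before the BLAKE2 sum was computed.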