From patchwork Wed Jul 1 11:34:43 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 9992 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "YR2" (not verified)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4gqyc93d3Mz3wqC for ; Wed, 01 Jul 2026 11:35:05 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "YE1" (not verified)) by mail01.ipfire.org (Postfix) with ESMTPS id 4gqyc23PGvz6sN for ; Wed, 01 Jul 2026 11:34:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4gqyc03PgFz33Dm for ; Wed, 01 Jul 2026 11:34:56 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "YR2" (not verified)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4gqybv6Cmzz32ds for ; Wed, 01 Jul 2026 11:34:51 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4gqybt3KZMz3gb; Wed, 01 Jul 2026 11:34:50 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1782905690; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rD2XHPVqAC466glIIBRmm5XM+UlYWUR1cVdKAL/dXGE=; b=EbQXiPUDHSd2MSpPF5fzkrNNlEAFfaBfCFBt3yfzd9CTeez7P4qO2lQ5VMPuZeTlV+i6Ha Vrahcv6v/qgSsdAQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1782905690; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rD2XHPVqAC466glIIBRmm5XM+UlYWUR1cVdKAL/dXGE=; b=sKlTB6o0Vrsl1rCqUkxWmXE/YWI6AFqjstEQN3yVGE9lj5xDNERCIkU/y0OvPBs0NRfxtU TmzpxFutNAUMxyKm8fqgGIuVcwpTxGp6PkzEGMs6t89RDTZ7aEhn7oHFN+HCWZqLsXtaTX vA/S1H5XMNXNnXtOs515e7Tt612K61570GiFj+icYy2lvjdmaP1o01JmI30HSFh38p1ZyF /NkhsILCW2tqwovD+o3vqcQRnVZLHY1YWH45veUw7V7YWQCuKKxKiYna07iY3bcBSqZWg4 j/FwJFZHVA0WaXbVHF40MPHq2BvULVIOOAWjLQbSMHYBRu87bH5V/rf+QNuedA== From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH] netsnmpd: Update to version 5.9.5.2 Date: Wed, 1 Jul 2026 13:34:43 +0200 Message-ID: <20260701113444.3425761-4-adolf.belka@ipfire.org> In-Reply-To: <20260701113444.3425761-1-adolf.belka@ipfire.org> References: <20260701113444.3425761-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 - Update from version 5.9.3 to 5.9.5.2 - Update of rootfile - Move the symlink generation and removal from the lfs to the instal/uninstall pak file to be aligned with the majority of packages. - Version 5.9.4 has the note IMPORTANT: SNMP over TLS and/or DTLS are not functioning properly in this release with various versions of OpenSSL and will be fixed in a future release. - This issue has been in place since Aug 2023 and does not look to have been fixed as far as I have been able to tell. The developers also say that this tool should only be used on trusted local networks anyway. Additionally version 5.9.5 has a CVE fix. Based on this I am submitting the update patch for review and decision. I think it is better to do the update because it does not look like the OpenSSL issue will be fixed anytime soon. It doesn't appear that anyone is working on it. https://github.com/net-snmp/net-snmp/issues/828 - Changelog 5.9.5.2 building: - Fix an issue with needing limits.h included. - update to autoconf 2.72 5.9.5.1 Only a version numbering fix. 5.9.5 snmptrapd: - fixed a critical vulnerability (CVE-2025-68615) which can be triggered by a specially crafted trap snmplib: - Add support for IPV6_RECVPKTINFO - Port the SSH domain transport to FreeBSD - Improve error handling in parse_enumlist and other parsing functions - Filter out non-ASCII characters from output - Fix multiple memory leaks in MIB parsing, OID handling, and transport filters - Fix multiple buffer overflows triggered when creating ASN packets - Fix handling of large/negative values (integer underflows/overflows) - Fix segmentation faults when `varbind` cannot be constructed or buf is null - Fix crash in netsnmp_parse_args when passing invalid argument lists - Fix SNMPv3 multithreading support for snmp_sess_open() snmpd: - Make UCD-SNMP::dskTable dynamic if includeAllDisks is set.") added a verification that drops all filesystems not present in other_fs[] table. So add 'ubifs' in other_fs[] to fix it. - Fix SIGHUP handling for engineID changes and agent port changes - Fix a use-after-free in unregister_mib_context() - Fix regression of memory leak when using RPMDB macros - Improve cache management: clear timer_id on stop, keep cache flags unchanged - Always open libkvm in "safe mode" on FreeBSD - Fix crash when snmptrapd subagent terminates the TCP connection apps: - snmpusm: Improve error handling and fix memory leaks - sshtosnmp: Avoid EINVAL when passing credentials over SSH unix domain socket - snmptest: Plug a possible memory leak - snmpget: Avoid leak if parsing OID fails MIBs: - EtherLike-MIB: Optimize Linux implementation to use netlink statistics - IP-MIB: Add Linux 6.7 compatibility for parsing /proc/net/snmp - LM-SENSORS-MIB: Support negative temperatures - SNMP-TLS-TM-MIB: Update to RFC 9456 and allow TLS protocols higher than TLS1.0 - HOST-RESOURCES-MIB: Add support for RPM SQLite DB background building: - Add support for Windows on ARM - Support OpenBSD 8, FreeBSD 15/16, and DragonflyBSD - Fix build for OS/X versions prior to 10.6.0 - Windows: Bump OpenSSL version and fix library paths - MinGW64: Switch from pkg-config to pkgconf - Add --with-wolfssl Add support for building and linking with the wolfSSL library instead of OpenSSL. Other changes that have been included in this patch are: - Only enable AES support if EVP_aes_128_cfb() is available. - Add support for detecting SSL functions if these have been defined as macros. 5.9.4 IMPORTANT: SNMP over TLS and/or DTLS are not functioning properly in this release with various versions of OpenSSL and will be fixed in a future release. libsnmp: - Remove the SNMP_SWIPE_MEM() macro Remove this macro since it is not used in the Net-SNMP code base. - DISPLAY-HINT fixes - Miscellanious improvements to the transports - Handle multiple oldEngineID configuration lines - fixes for DNS names longer than 63 characters agent: - Added a ignoremount configuration option for the HOST-MIB - disallow SETs with a NULL varbind - fix the --enable-minimalist build apps: - snmpset: allow SET with NULL varbind for testing - snmptrapd: improved MySQL logging code general: - configure: Remove -Wno-deprecated as it is no longer needed - miscellanious ther bug fixes, build fixes and cleanups Signed-off-by: Adolf Belka --- config/rootfiles/packages/netsnmpd | 26 +++++++++--------- lfs/netsnmpd | 42 ++++++++++++++---------------- src/paks/netsnmpd/install.sh | 8 +++++- src/paks/netsnmpd/uninstall.sh | 5 +++- 4 files changed, 42 insertions(+), 39 deletions(-) diff --git a/config/rootfiles/packages/netsnmpd b/config/rootfiles/packages/netsnmpd index 510f4a0cf..34e4eb30a 100644 --- a/config/rootfiles/packages/netsnmpd +++ b/config/rootfiles/packages/netsnmpd @@ -1,7 +1,4 @@ etc/rc.d/init.d/netsnmpd -etc/rc.d/rc0.d/K02netsnmpd -etc/rc.d/rc3.d/S65netsnmpd -etc/rc.d/rc6.d/K02netsnmpd etc/snmpd.conf usr/bin/agentxtrap usr/bin/checkbandwidth @@ -130,7 +127,6 @@ usr/bin/traptoemail #usr/include/net-snmp/library/snmp.h #usr/include/net-snmp/library/snmpAliasDomain.h #usr/include/net-snmp/library/snmpCallbackDomain.h -#usr/include/net-snmp/library/snmpIPBaseDomain.h #usr/include/net-snmp/library/snmpIPv4BaseDomain.h #usr/include/net-snmp/library/snmpIPv6BaseDomain.h #usr/include/net-snmp/library/snmpSocketBaseDomain.h @@ -214,6 +210,8 @@ usr/bin/traptoemail #usr/include/net-snmp/system/openbsd4.h #usr/include/net-snmp/system/openbsd5.h #usr/include/net-snmp/system/openbsd6.h +#usr/include/net-snmp/system/openbsd7.h +#usr/include/net-snmp/system/openbsd8.h #usr/include/net-snmp/system/osf5.h #usr/include/net-snmp/system/solaris.h #usr/include/net-snmp/system/solaris2.3.h @@ -231,28 +229,28 @@ usr/bin/traptoemail #usr/lib/libnetsnmp.a #usr/lib/libnetsnmp.la #usr/lib/libnetsnmp.so -usr/lib/libnetsnmp.so.40 -usr/lib/libnetsnmp.so.40.2.0 +usr/lib/libnetsnmp.so.45 +usr/lib/libnetsnmp.so.45.0.0 #usr/lib/libnetsnmpagent.a #usr/lib/libnetsnmpagent.la #usr/lib/libnetsnmpagent.so -usr/lib/libnetsnmpagent.so.40 -usr/lib/libnetsnmpagent.so.40.2.0 +usr/lib/libnetsnmpagent.so.45 +usr/lib/libnetsnmpagent.so.45.0.0 #usr/lib/libnetsnmphelpers.a #usr/lib/libnetsnmphelpers.la #usr/lib/libnetsnmphelpers.so -usr/lib/libnetsnmphelpers.so.40 -usr/lib/libnetsnmphelpers.so.40.2.0 +usr/lib/libnetsnmphelpers.so.45 +usr/lib/libnetsnmphelpers.so.45.0.0 #usr/lib/libnetsnmpmibs.a #usr/lib/libnetsnmpmibs.la #usr/lib/libnetsnmpmibs.so -usr/lib/libnetsnmpmibs.so.40 -usr/lib/libnetsnmpmibs.so.40.2.0 +usr/lib/libnetsnmpmibs.so.45 +usr/lib/libnetsnmpmibs.so.45.0.0 #usr/lib/libnetsnmptrapd.a #usr/lib/libnetsnmptrapd.la #usr/lib/libnetsnmptrapd.so -usr/lib/libnetsnmptrapd.so.40 -usr/lib/libnetsnmptrapd.so.40.2.0 +usr/lib/libnetsnmptrapd.so.45 +usr/lib/libnetsnmptrapd.so.45.0.0 #usr/lib/perl5/site_perl/5.36.0/xxxMACHINExxx-linux-thread-multi/Bundle usr/lib/perl5/site_perl/5.36.0/xxxMACHINExxx-linux-thread-multi/Bundle/MakefileSubs.pm #usr/lib/perl5/site_perl/5.36.0/xxxMACHINExxx-linux-thread-multi/NetSNMP diff --git a/lfs/netsnmpd b/lfs/netsnmpd index 5605d6307..a27440cff 100644 --- a/lfs/netsnmpd +++ b/lfs/netsnmpd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2024 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config SUMMARY = SNMP Daemon -VER = 5.9.3 +VER = 5.9.5.2 THISAPP = net-snmp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = netsnmpd -PAK_VER = 15 +PAK_VER = 16 DEPS = @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = b8e3de60e178ec16ad2848ad77f3bd4cbd35eaa9be103c0fa5d17514c29df4e69015ac53b54c9e565e3032b0c0bb47c19729e65310a6acefae901e101ea49451 +$(DL_FILE)_BLAKE2 = 417b337ac32d19db55494b97742fab6f28fc64d488896efd943d6f65ca563b0385d6160923d064e3bf04e3197790c7834d7b644973a426dfa3cb7e81f6465c4c install : $(TARGET) @@ -84,22 +84,21 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) $(UPDATE_AUTOMAKE) cd $(DIR_APP) && ./configure \ - --prefix=/usr \ - --with-default-snmp-version="2" \ - --with-sys-contact="root@" \ - --with-sys-location="localhost" \ - --with-logfile="/var/log/snmpd.log" \ - --with-persistent-directory="/var/net-snmp" \ - --with-mib-modules="host agentx smux \ - ucd-snmp/diskio tcp-mib udp-mib mibII/mta_sendmail \ - ip-mib/ipv4InterfaceTable ip-mib/ipv6InterfaceTable \ - ip-mib/ipAddressPrefixTable/ipAddressPrefixTable \ - ip-mib/ipDefaultRouterTable/ipDefaultRouterTable \ - ip-mib/ipv6ScopeZoneIndexTable ip-mib/ipIfStatsTable \ - sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib" - --libdir=/usr/lib \ - --sysconfdir="/etc" - + --prefix=/usr \ + --with-default-snmp-version="2" \ + --with-sys-contact="root@" \ + --with-sys-location="localhost" \ + --with-logfile="/var/log/snmpd.log" \ + --with-persistent-directory="/var/net-snmp" \ + --with-mib-modules="host agentx smux \ + ucd-snmp/diskio tcp-mib udp-mib mibII/mta_sendmail \ + ip-mib/ipv4InterfaceTable ip-mib/ipv6InterfaceTable \ + ip-mib/ipAddressPrefixTable/ipAddressPrefixTable \ + ip-mib/ipDefaultRouterTable/ipDefaultRouterTable \ + ip-mib/ipv6ScopeZoneIndexTable ip-mib/ipIfStatsTable \ + sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib" + --libdir=/usr/lib \ + --sysconfdir="/etc" cd $(DIR_APP) && make #$(MAKETUNING) cd $(DIR_APP) && make install install -v -m 644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf @@ -109,8 +108,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # install initscripts $(call INSTALL_INITSCRIPTS,$(SERVICES)) - ln -sf ../init.d/netsnmpd /etc/rc.d/rc3.d/S65netsnmpd - ln -sf ../init.d/netsnmpd /etc/rc.d/rc0.d/K02netsnmpd - ln -sf ../init.d/netsnmpd /etc/rc.d/rc6.d/K02netsnmpd @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/paks/netsnmpd/install.sh b/src/paks/netsnmpd/install.sh index 31c5fecae..5baa2ffee 100644 --- a/src/paks/netsnmpd/install.sh +++ b/src/paks/netsnmpd/install.sh @@ -17,11 +17,17 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2007 IPFire-Team . # +# Copyright (C) 2007-2026 IPFire-Team . # # # ############################################################################ # . /opt/pakfire/lib/functions.sh extract_files restore_backup ${NAME} + +# Create symlinks for runlevel interaction. +ln -sf ../init.d/netsnmpd /etc/rc.d/rc3.d/S65netsnmpd +ln -sf ../init.d/netsnmpd /etc/rc.d/rc0.d/K02netsnmpd +ln -sf ../init.d/netsnmpd /etc/rc.d/rc6.d/K02zabbix_agentd + start_service --background ${NAME} diff --git a/src/paks/netsnmpd/uninstall.sh b/src/paks/netsnmpd/uninstall.sh index a7b8a5370..ffd74217b 100644 --- a/src/paks/netsnmpd/uninstall.sh +++ b/src/paks/netsnmpd/uninstall.sh @@ -17,7 +17,7 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2007 IPFire-Team . # +# Copyright (C) 2007-2026 IPFire-Team . # # # ############################################################################ # @@ -25,3 +25,6 @@ stop_service ${NAME} make_backup ${NAME} remove_files + +# Remove init-scripts and symlinks +rm -rfv /etc/rc.d/rc*.d/*netsnmpd