Recommended update for net-snmp

Announcement ID: SUSE-RU-2024:0029-1
Rating: moderate
Affected Products:
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Software Development Kit 12 SP5

An update that contains three features and has three fixes can now be installed.

Description:

This update for net-snmp fixes the following issues:

Update to net-snmp-5.9.4 (bsc#1214364 jsc#PED-6435).

  • 5.9.4:

  • libsnmp:

    • Remove the SNMP_SWIPE_MEM() macro, since it is not used in the Net-SNMP code base.
    • DISPLAY-HINT fixes
    • Miscellaneous improvements to the transports
    • Handle multiple oldEngineID configuration lines
    • fixes for DNS names longer than 63 characters
  • agent:

    • Added an ignoremount configuration option for the HOST-MIB
    • disallow SETs with a NULL varbind
    • fix the --enable-minimalist build
  • apps:

    • snmpset: allow SET with NULL varbind for testing
    • snmptrapd: improved MySQL logging code
  • general:

    • configure: Remove -Wno-deprecated as it is no longer needed
    • miscellaneous other bug fixes, build fixes and cleanups
  • security:

    • These two CVEs can be exploited by a user with read-only credentials:

      • CVE-2022-24805 A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
      • CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference.
    • These CVEs can be exploited by a user with read-write credentials:

      • CVE-2022-24806 Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously
      • CVE-2022-24807 A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access.
      • CVE-2022-24808 A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
      • CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference.
    • To avoid these flaws, use strong SNMPv3 credentials and do not share them. If you must use SNMPv1 or SNMPv2c, use a complex community string and enhance the protection by restricting access to a given IP address range.
    • Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for reporting the following CVEs that have been fixed in this release, and to Arista Networks for providing fixes.
    • IF-MIB: Update ifTable entries even if the interface name has changed. At least on Linux a network interface index may be reused for a network interface with a different name. Hence this patch that enables replacing network interface information even if the network interface name has changed.

  • unspecified:

    • Moved transport code into a separate subdirectory in snmplib
    • Snmplib: remove inline versions of container funcs
  • misc:

    • snmp-create-v3-user: Fix the snmpd.conf path. @datadir@ is expanded in ${datarootdir} so datarootdir must be set before @datadir@ is used.

  • 5.9:

  • snmplib:

    • Add IPv6 support to DTLSUDP transport
    • use new netsnmp_sockaddr_storage in netsnmp_addr_pair
    • add base_transport ptr for tunneled transports
    • Dtls: overhaul of debug
    • Remove inline versions of container funcs
  • snmpd:

    • Use ETHTOOL_GLINKSETTINGS when available. Newer Linux kernels support ETHTOOL_GLINKSETTINGS. Use it when available instead of the older and deprecated ETHTOOL_GSET. This patch avoids that the Linux kernel reports the following kernel warning: "warning: 'snmpd' uses legacy ethtool link settings API, link modes are only partially reported". See also https://sourceforge.net/p/net-snmp/patches/1387/.
    • [BUG 2926]: Make it possible to set agentXPingInterval for a subagent

      • register agentXPingInterval for the subagent list handler, before it was registered for snmp
      • added agentxTimeout to the subagent list handler. It's now possible to set for snmpd and the subagent. See 'man snmpd.conf'
      • added agentxRetries to the subagent list handler. See 'man snmpd.conf'. It's never used in the subagent, but it's now following the documentation

      Signed-off-by: Anders Wallin <wallinux@gmail.com>

  • snmptrap:

    • BUG: 2899: Patch from Drew Roedersheimer to set library engineboots/time values before sending
  • snmptrapd:

    • Add support for the latest libmysqlclient version
  • libsnmp:

    • Scan MIB directories in alphabetical order. This guarantees that e.g. mibs/RFC1213-MIB.txt is read before mibs/SNMPv2-MIB.txt. The order in which these MIBs are read matters because both define sysLocation but with different attributes.

  • Removing legacy MIBs used by Velocity Software (jsc#PED-6416 jsc#PED-6434).

  • Added hardening to systemd service(s) (bsc#1181400, bsc#1206044).
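
The mitigation advice in the security notes above (strong SNMPv3 credentials, complex community strings, access restricted to an IP address range) can be checked against an existing snmpd.conf. The shell function below is an added example, not part of the SUSE announcement or of net-snmp; the sample configuration is constructed and the 16-character minimum is an assumed threshold.

```shell
#!/bin/sh
# Added example: flag snmpd.conf access directives that contradict the
# mitigation advice (default/short community strings, no source range,
# SNMPv3 users allowed without authentication).

# Constructed sample configuration; 192.0.2.0/24 is a documentation range.
sample_conf() {
    cat <<'EOF'
# constructed sample snmpd.conf
rocommunity public
rocommunity Xk7-pq2LmV9s-Rt4z 192.0.2.0/24
rwcommunity s3cret default
rouser monitor noauth
rouser ops priv
EOF
}

# audit_snmpd_conf [FILE...]: reads stdin when no file is given and prints
# one "line N: ..." finding per problem. minlen=16 is an assumed threshold.
audit_snmpd_conf() {
    awk -v minlen=16 '
    NF == 0 || $1 ~ /^#/ { next }              # skip blanks and comments
    $1 ~ /^r[ow]community6?$/ {                # SNMPv1/v2c community access
        if ($2 == "public" || $2 == "private")
            printf "line %d: %s uses default community \"%s\"\n", NR, $1, $2
        else if (length($2) < minlen)
            printf "line %d: %s community is shorter than %d characters\n", NR, $1, minlen
        if ($3 == "" || $3 == "default" || $3 == "0.0.0.0/0" || $3 == "::/0")
            printf "line %d: %s is not restricted to a source address range\n", NR, $1
    }
    $1 ~ /^r[ow]user$/ {                       # SNMPv3 user access
        for (i = 2; i <= NF; i++)
            if ($i == "noauth")
                printf "line %d: %s permits unauthenticated SNMPv3 requests\n", NR, $1
    }' "$@"
}

# Stand-alone run against the constructed sample.
sample_conf | audit_snmpd_conf
```

To audit a real system, pass the configuration file as an argument, for example audit_snmpd_conf /etc/snmp/snmpd.conf.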

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise High Performance Computing 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-29=1
  • SUSE Linux Enterprise Server 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-29=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-29=1
  • SUSE Linux Enterprise Software Development Kit 12 SP5
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-29=1

Package List:

  • SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
    • snmp-mibs-5.9.4-14.3.1
    • libsnmp40-5.9.4-14.3.1
    • net-snmp-debuginfo-5.9.4-14.3.1
    • libsnmp40-debuginfo-5.9.4-14.3.1
    • perl-SNMP-debuginfo-5.9.4-14.3.1
    • net-snmp-debugsource-5.9.4-14.3.1
    • net-snmp-5.9.4-14.3.1
    • perl-SNMP-5.9.4-14.3.1
  • SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
    • libsnmp40-32bit-5.9.4-14.3.1
    • libsnmp40-debuginfo-32bit-5.9.4-14.3.1
  • SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
    • snmp-mibs-5.9.4-14.3.1
    • libsnmp40-5.9.4-14.3.1
    • net-snmp-debuginfo-5.9.4-14.3.1
    • libsnmp40-debuginfo-5.9.4-14.3.1
    • perl-SNMP-debuginfo-5.9.4-14.3.1
    • net-snmp-debugsource-5.9.4-14.3.1
    • net-snmp-5.9.4-14.3.1
    • perl-SNMP-5.9.4-14.3.1
  • SUSE Linux Enterprise Server 12 SP5 (s390x x86_64)
    • libsnmp40-32bit-5.9.4-14.3.1
    • libsnmp40-debuginfo-32bit-5.9.4-14.3.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
    • snmp-mibs-5.9.4-14.3.1
    • libsnmp40-5.9.4-14.3.1
    • net-snmp-debuginfo-5.9.4-14.3.1
    • libsnmp40-debuginfo-5.9.4-14.3.1
    • perl-SNMP-debuginfo-5.9.4-14.3.1
    • net-snmp-debugsource-5.9.4-14.3.1
    • net-snmp-5.9.4-14.3.1
    • perl-SNMP-5.9.4-14.3.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
    • libsnmp40-32bit-5.9.4-14.3.1
    • libsnmp40-debuginfo-32bit-5.9.4-14.3.1
  • SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
    • net-snmp-devel-5.9.4-14.3.1
    • net-snmp-debuginfo-5.9.4-14.3.1
    • net-snmp-debugsource-5.9.4-14.3.1
