SUSE-RU-2024:0029-1

Source
https://www.suse.com/support/update/announcement/2024/suse-ru-20240029-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-RU-2024:0029-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-RU-2024:0029-1
Related
Published
2024-01-04T10:21:18Z
Modified
2024-01-04T10:21:18Z
Summary
Recommended update for net-snmp
Details

This update for net-snmp fixes the following issues:

Update to net-snmp-5.9.4 (bsc#1214364 jsc#PED-6435).

  • 5.9.4:

    • libsnmp:

      • Remove the SNMP_SWIPE_MEM() macro. Remove this macro since it is not used in the Net-SNMP code base.
      • DISPLAY-HINT fixes
      • Miscellaneous improvements to the transports
      • Handle multiple oldEngineID configuration lines
      • fixes for DNS names longer than 63 characters
    • agent:

      • Added an ignoremount configuration option for the HOST-MIB
      • disallow SETs with a NULL varbind
      • fix the --enable-minimalist build
    • apps:

      • snmpset: allow SET with NULL varbind for testing
      • snmptrapd: improved MySQL logging code
    • general:

      • configure: Remove -Wno-deprecated as it is no longer needed
      • Miscellaneous other bug fixes, build fixes and cleanups
    • security:

      • These two CVEs can be exploited by a user with read-only credentials:

        • CVE-2022-24805: A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
        • CVE-2022-24809: A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference.
      • These CVEs can be exploited by a user with read-write credentials:

        • CVE-2022-24806: Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously.
        • CVE-2022-24807: A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access.
        • CVE-2022-24808: A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference.
        • CVE-2022-24810: A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference.
      • To avoid these flaws, use strong SNMPv3 credentials and do not share them. If you must use SNMPv1 or SNMPv2c, use a complex community string and enhance the protection by restricting access to a given IP address range.
      • Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for reporting the following CVEs that have been fixed in this release, and to Arista Networks for providing fixes.

    • IF-MIB:

      • Update ifTable entries even if the interface name has changed. At least on Linux a network interface index may be reused for a network interface with a different name. Hence this patch that enables replacing network interface information even if the network interface name has changed.
    • unspecified:

      • Moved transport code into a separate subdirectory in snmplib
      • Snmplib: remove inline versions of container funcs.
    • misc:

      • snmp-create-v3-user: Fix the snmpd.conf path. @datadir@ is expanded in ${datarootdir} so datarootdir must be set before @datadir@ is used.

  • 5.9:

    • snmplib:

      • Add IPv6 support to DTLSUDP transport
      • use new netsnmp_sockaddr_storage in netsnmp_addr_pair
      • add base_transport ptr for tunneled transports
      • Dtls: overhaul of debug
      • Remove inline versions of container funcs
    • snmpd:

      • Use ETHTOOL_GLINKSETTINGS when available. Newer Linux kernels support ETHTOOL_GLINKSETTINGS. Use it when available instead of the older and deprecated ETHTOOL_GSET. This patch avoids that the Linux kernel reports the following kernel warning: "warning: 'snmpd' uses legacy ethtool link settings API, link modes are only partially reported". See also https://sourceforge.net/p/net-snmp/patches/1387/.
      • [BUG 2926]: Make it possible to set agentXPingInterval for a subagent

        • register agentXPingInterval for the subagent list handler, before it was registered for snmp
        • added agentxTimeout to the subagent list handler. It's now possible to set for snmpd and the subagent. See 'man snmpd.conf'
        • added agentxRetries to the subagent list handler. See 'man snmpd.conf'. It's never used in the subagent, but it's now following the documentation

        Signed-off-by: Anders Wallin wallinux@gmail.com

    • snmptrap:

      • BUG: 2899: Patch from Drew Roedersheimer to set library engineboots/time values before sending
    • snmptrapd:

      • Add support for the latest libmysqlclient version
    • libsnmp:

      • Scan MIB directories in alphabetical order. This guarantees that e.g. mibs/RFC1213-MIB.txt is read before mibs/SNMPv2-MIB.txt. The order in which these MIBs are read matters because both define sysLocation but with different attributes.

  • Removing legacy MIBs used by Velocity Software (jsc#PED-6416 jsc#PED-6434).

  • Added hardening to systemd service(s) (bsc#1181400, bsc#1206044).
References

Affected packages

SUSE:Linux Enterprise Software Development Kit 12 SP5 / net-snmp

Package

Name
net-snmp
Purl
pkg:rpm/suse/net-snmp&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.9.4-14.3.1

Ecosystem specific

{
    "binaries": [
        {
            "net-snmp-devel": "5.9.4-14.3.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP5 / net-snmp

Package

Name
net-snmp
Purl
pkg:rpm/suse/net-snmp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.9.4-14.3.1

Ecosystem specific

{
    "binaries": [
        {
            "net-snmp": "5.9.4-14.3.1",
            "perl-SNMP": "5.9.4-14.3.1",
            "libsnmp40": "5.9.4-14.3.1",
            "snmp-mibs": "5.9.4-14.3.1",
            "libsnmp40-32bit": "5.9.4-14.3.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 SP5 / net-snmp

Package

Name
net-snmp
Purl
pkg:rpm/suse/net-snmp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.9.4-14.3.1

Ecosystem specific

{
    "binaries": [
        {
            "net-snmp": "5.9.4-14.3.1",
            "perl-SNMP": "5.9.4-14.3.1",
            "libsnmp40": "5.9.4-14.3.1",
            "snmp-mibs": "5.9.4-14.3.1",
            "libsnmp40-32bit": "5.9.4-14.3.1"
        }
    ]
}