5.206. net-snmp
Updated net-snmp packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
Bug Fix
- BZ#836252
- Prior to this update, there was a limit of 50 'exec' entries in the /etc/snmp/snmpd.conf file. With more than 50 such entries in the configuration file, the snmpd daemon returned the "Error: No further UCD-compatible entries" error message to the system log. With this update, this limit has been removed and there can now be any number of 'exec' entries in the snmpd configuration file, thus preventing this bug.
All users of net-snmp are advised to upgrade to these updated packages, which fix this bug.
Updated net-snmp packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
Security Fix
- CVE-2012-2141
- An array index error, leading to an out-of-bounds buffer read flaw, was found in the way the net-snmp agent looked up entries in the extension table. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the extend directive (in /etc/snmp/snmpd.conf) could use this flaw to crash snmpd via a crafted SNMP GET request.
Bug Fixes
- BZ#736580
- In the previous update, a change was made in order to stop snmpd terminating unexpectedly when an AgentX subagent disconnected while processing a request. This fix, however, introduced a memory leak. With this update, this memory leak is fixed.
- BZ#740172
- In a previous update, a new BRIDGE-MIB was implemented in the net-snmp-perl subpackage. This MIB used incorrect conversion of interface-index values from the kernel and reported incorrect values of ifIndex OIDs (object identifiers). With this update, conversion of interface indexes is fixed and BRIDGE-MIB reports correct ifIndex OIDs.
- BZ#746903
- Previously, snmpd erroneously enabled verbose logging when parsing the proxy option in the snmpd.conf file. Consequently, unexpected debug messages were sometimes written to the system log. With this update, snmpd no longer modifies logging settings when parsing the proxy option. As a result, no debug messages are sent to the system log unless explicitly enabled by the system administrator.
- BZ#748410
- Previously, the snmpd daemon strictly implemented RFC 2780. However, this specification no longer scales well with modern big storage devices with small allocation units. Consequently, snmpd reported a wrong value for the “HOST-RESOURCES-MIB::hrStorageSize” object when working with a large file system (larger than 16TB), because the accurate value did not fit into Integer32 as specified in the RFC. To address this problem, this update adds a new option to the /etc/snmp/snmpd.conf configuration file, “realStorageUnits”. By changing the value of this option to 0, users can now enable recalculation of all values in “hrStorageTable” to ensure that the multiplication of “hrStorageSize” and “hrStorageAllocationUnits” always produces an accurate device size. The values of “hrStorageAllocationUnits” are then artificial in this case and no longer represent the real size of the allocation unit on the storage device.
- BZ#748411, BZ#755481, BZ#757685
- In the previous net-snmp update, the implementation of “HOST-RESOURCES-MIB::hrStorageTable” was rewritten and devices with Veritas File System (VxFS), ReiserFS, and Oracle Cluster File System (OCFS2) were not reported. In this update, snmpd properly recognizes VxFS, ReiserFS, and OCFS2 devices and reports them in “HOST-RESOURCES-MIB::hrStorageTable”.
- BZ#748907
- Prior to this update, the Net-SNMP Perl module did not properly evaluate error codes in the register() method in the “NetSNMP::agent” module and terminated unexpectedly when this method failed. With this update, the register() method has been fixed and the updated Perl modules no longer crash on failure.
- BZ#749227
- The SNMP daemon (snmpd) did not properly fill a set of watched socket file descriptors. Therefore, the daemon sometimes terminated unexpectedly with the “select: bad file descriptor” error message when more than 32 AgentX subagents connected to snmpd on 32-bit platforms or more than 64 subagents on 64-bit platforms. With this update, snmpd properly clears sets of watched file descriptors and no longer crashes when handling a large number of subagents.
- BZ#754275
- Previously, snmpd erroneously checked the length of “SNMP-TARGET-MIB::snmpTargetAddrRowStatus” value in incoming “SNMP-SET” requests on 64-bit platforms. Consequently, snmpd sent an incorrect reply to the “SNMP-SET” request. With this update, the check of “SNMP-TARGET-MIB::snmpTargetAddrRowStatus” is fixed and it is possible to set it remotely using “SNMP-SET” messages.
- BZ#754971
- Previously, snmpd did not check the permissions of its MIB index files stored in the /var/lib/net-snmp/mib_indexes directory and assumed it could read them. If the read access was denied, for example due to incorrect SELinux contexts on these files, snmpd crashed. With this update, snmpd checks if its MIB index files were correctly opened and does not crash if they cannot be opened.
- BZ#786931
- Before this release, the length of the OID parameter of “sysObjectID” (an snmpd.conf config file option) was not correctly stored in snmpd, which resulted in “SNMPv2-MIB::sysObjectID” being truncated if the OID had more than 10 components. In this update, handling of the OID length is fixed and “SNMPv2-MIB::sysObjectID” is returned correctly.
- BZ#788954
- Prior to this update, when snmpd was started and did not find a network interface which had been present during the last snmpd shutdown, the following error message was logged: "snmpd: error finding row index in _ifXTable_container_row_restore". This happened on systems which dynamically create and remove network interfaces on demand, such as virtual hosts or PPP servers. In this update, this message has been removed and no longer appears in the system log.
- BZ#789909
- Previously, snmpd enumerated active TCP connections for “TCP-MIB::tcpConnectionTable” in an inefficient way with O(n^2) complexity. With many TCP connections, an SNMP client could time out before snmpd processed a request regarding the “tcpConnectionTable” and sent a response. This update improves the enumeration mechanism and snmpd now swiftly responds to SNMP requests in the “tcpConnectionTable”.
- BZ#799291
- When an object identifier (OID) was out of the subtree registered by the proxy statement in the /etc/snmp/snmpd.conf configuration file, the previous version of the snmpd daemon failed to use a correct OID of proxied “GETNEXT” requests. With this update, snmpd now adjusts the OIDs of proxied “GETNEXT” requests correctly and sends correct requests to the remote agent as expected.
- BZ#822480
- Net-SNMP daemons and utilities use the /var/lib/net-snmp directory to store persistent data, for example the cache of parsed MIB files. This directory is created by the net-snmp package and when this package is not installed, Net-SNMP utilities and libraries create the directory with the wrong SELinux context, which results in an Access Vector Cache (AVC) error reported by SELinux. In this update, the /var/lib/net-snmp directory is created by the net-snmp-lib package, therefore all Net-SNMP utilities and libraries do not need to create the directory and the directory will have the correct SELinux context.
All users of net-snmp are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the snmpd and snmptrapd daemons will be restarted automatically.
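The hrStorageSize overflow described in the bug fixes above, and the kind of rescaling that setting realStorageUnits to 0 enables, as an added C sketch (not net-snmp's own code). The struct and function names are hypothetical, the 32 TiB file system with 4096-byte blocks is a constructed sample, and the halve-and-double scaling is an assumed way to keep the product of the two columns accurate.

```c
#include <stdint.h>
#include <stdio.h>

/* One hrStorageTable row as an SNMP client sees it (both columns Integer32). */
struct hr_row {
    int32_t size;   /* hrStorageSize, counted in allocation units */
    int32_t units;  /* hrStorageAllocationUnits, in bytes */
};

/* Strict reporting: the real allocation unit is kept, so a block count
 * above INT32_MAX cannot be represented. Truncation is modelled here by
 * keeping only the low 31 bits (an assumption for the illustration). */
static struct hr_row report_real_units(uint64_t blocks, uint32_t unit_bytes)
{
    struct hr_row r = { (int32_t)(blocks & 0x7fffffffu), (int32_t)unit_bytes };
    return r;
}

/* Rescaled reporting: halve the count and double the unit until the count
 * fits. The unit becomes artificial, but size * units still gives the
 * device size (to within one scaled unit when low bits are shifted out). */
static struct hr_row report_scaled_units(uint64_t blocks, uint32_t unit_bytes)
{
    uint64_t units = unit_bytes;
    struct hr_row r;
    while (blocks > INT32_MAX && units <= INT32_MAX / 2) {
        blocks >>= 1;
        units <<= 1;
    }
    if (blocks > INT32_MAX)     /* unit cannot grow further: clamp */
        blocks = INT32_MAX;
    r.size = (int32_t)blocks;
    r.units = (int32_t)units;
    return r;
}

/* Device size a monitoring client would compute from the two columns. */
static uint64_t row_bytes(struct hr_row r)
{
    return (uint64_t)r.size * (uint64_t)r.units;
}

int main(void)
{
    uint64_t blocks = 1ULL << 33;   /* constructed sample: 32 TiB / 4096 B */
    struct hr_row a = report_real_units(blocks, 4096);
    struct hr_row b = report_scaled_units(blocks, 4096);
    printf("real units:   size=%d units=%d bytes=%llu\n", a.size, a.units,
           (unsigned long long)row_bytes(a));
    printf("scaled units: size=%d units=%d bytes=%llu\n", b.size, b.units,
           (unsigned long long)row_bytes(b));
    return 0;
}
```

Monitoring that alerts on disk usage should compute capacity as the product of the two columns, since the allocation unit reported under the rescaled mode is not the on-disk block size.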
Updated net-snmp packages that fix one bug are now available for Red Hat Enterprise Linux 6 Extended Update Support.
The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
Bug Fix
- BZ#986192
- In previous Net-SNMP releases, snmpd reported an invalid speed of network interfaces in IF-MIB::ifTable and IF-MIB::ifXTable if the interface had a speed other than 10, 100, 1000 or 2500 MB/s. Thus, the net-snmp ifHighSpeed value returned was "0" compared to the correct speed as reported in ethtool, if the Virtual Connect speed was set to, for example, 0.9 Gb/s. With this update, the ifHighSpeed value returns the correct speed as reported in ethtool, and snmpd correctly reports non-standard network interface speeds.
Users of net-snmp are advised to upgrade to these updated packages, which fix this bug.
Updated net-snmp packages that fix one bug are now available for Red Hat Enterprise Linux 6 Extended Update Support.
The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
Bug Fix
- BZ#1002859
- When an AgentX subagent disconnected from the SNMP daemon (snmpd), the daemon did not properly check that there were no active requests queued in the subagent and destroyed the session. Consequently, the session was referenced by snmpd later when processing queued requests and because it was already destroyed, snmpd terminated unexpectedly with a segmentation fault or looped indefinitely. This update adds several checks to prevent the destruction of sessions with active requests, and snmpd no longer crashes in the described scenario.
Users of net-snmp are advised to upgrade to these updated packages, which fix this bug.