Does this security bug affect v5.0.9? In net-snmp-5.0.1.0.2, which file is the security fix in? snmp_api.c, right?

Thanks,
FT

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wes Hardaker
Sent: Friday, July 01, 2005 9:25 PM
To: [email protected]
Subject: Multiple new Net-SNMP releases to fix a security related bug

A security vulnerability has been found in Net-SNMP releases that
could allow a denial of service attack against Net-SNMP agents which
have opened a stream based protocol (EG, TCP but not UDP; it should be
noted that Net-SNMP does not by default open a TCP port).

Because of this, we've immediately released a number of Net-SNMP
versions (5.2.1.2, 5.1.3, and 5.0.10.2) to fix this problem in the
various Net-SNMP branches. Most of these versions are minor patches
from a previous release, but since we were so close to releasing 5.1.3
anyway we decided to do a full release of that rather than an
incremental release from the 5.1.2 release.

We hope you enjoy these new releases,

The NET-SNMP Development Team

Contents of this announcement
-----------------------------
- What has Changed recently?
- Where can I get it?
- Are there binaries available?
- What operating systems does it run on?
- Which versions of the SNMP protocol are supported in this package?
- I've found a bug or have a suggestion, how do I tell you about it?
- What's the difference between UCD-SNMP and Net-SNMP?

What has Changed recently?
-------------------------------------------
The NEWS file snippets from these releases are as follows:

*5.2.1.2*

  Security:
    - Fixed a denial of service vulnerability when stream sockets have
      been configured for use (E.G., TCP but not UDP).

*5.0.10.2*

  Security:
    - Fixed a denial of service vulnerability when stream sockets have
      been configured for use (E.G., TCP but not UDP).

*5.1.3*

  Fixes:
    security:
      - fix potential race condition in fixproc script
      - fix DOS vulnerability on tcp connections
    agent:
      - bug 1034008: memory leak using SET for table_dataset
      - patch 1052460: fix agent deadlock on exec
      - bug 1055781: get-next fails to step into interfaces group correctly
      - bug 1056760: agent ignores ifspeed, type settings in snmpd.conf
      - Persistent files in directory defined by snmp.conf persistentDir
        were not being loaded at startup
      - 1062986: pass and pass_persist fail and crash snmpd
      - patch 1052460: agent deadlock on exec
      - fix bug 1056760: agent ignores ifspeed, type settings in snmpd.conf
      - bug 119106, ipAdEntIfIndex is wrong
      - bug 986238: snmpd loops forever
      - bug 615744: Spurious DISMAN-EVENT traps
      - patch 1040718: Agentx error propagation and infinite loop
      - fix error handling for proxy get-next requests
    snmptrapd:
      - new configure option to exclude AgentX subagent code
      - new runtime option to exclude table registrations
    library:
      - process pre-mib config tokens in optional config files at the
        right time
      - get rid of strtok (patch 1040330, backported by Thomas Anders,
        fixes bug 1040686)
      - consistent handling of '+' for MIB and MIB directory handling
        from all sources (config file, environment variables, command line)
      - handle agentXsocket token in sub-agent configuration files
      - several AgentX fixes

  Ports:
    Linux:
      - use ethtool ioctl to detect gigabit interface speeds
      - Fix reversed sysIORawSent/Received
      - 64bit fixes to interface and ssRawCpu statistics
      - integrate fixes from RedHat and Debian
    Tru64:
      - build fixes; README.tru64 added
    FreeBSD:
      - apply patch 1056927: 5.2-p03: freebsd interface bugs
      - fix bug 1055781: get-next fails to step into interfaces group
        correctly
    Win32:
      - Cygwin compiler fixes
      - bug 926389: Win32 event log logging
      - Fix compiling without the Platform SDK (PSDK)
    NetBSD:
      - integrate fixes from NetBSD port

Where can I get it?
------------------
Download:
- http://www.net-snmp.org/download/
- ftp://ftp.net-snmp.org/pub/sourceforge/net-snmp/

Web page:
- http://www.net-snmp.org/

Sourceforge Project page:
- http://www.net-snmp.org/project/

Mirrors (note that sourceforge download servers are mirrored themselves):
- US: ftp://ftp.freesnmp.com/mirrors/net-snmp/
- Bulgaria: http://rtfm.uni-svishtov.bg/net-snmp/ (appears to be out of date)
- Germany: ftp://ftp.mpg.goe.ni.schule.de/pub/internet/net-snmp/ (unknown host)
- Greece: ftp://ftp.ntua.gr/pub/net/snmp/net-snmp/

Are there binaries available?
----------------------------
- Binaries do appear on our download site, but often are published a
  bit later than the normal source code. Most of the binaries that are
  available have been linked with the OpenSSL package so you'll need a
  copy of it installed in order to use them. If you don't have OpenSSL
  installed and don't want it installed, please get the net-snmp source
  release instead and build it yourself (but you'll lose support for
  SNMPv3 with SHA1 authentication and both DES and AES encryption).

What operating systems does it run on?
-------------------------------------
Both the applications and the agent have been reported as running
(at least in part) on the following operating systems:

* HP-UX (10.20 to 9.01 and 11.0 -- see README.hpux11)
* Ultrix (4.5 to 4.2)
* Solaris SPARC/ULTRA (2.8 to 2.3), Intel (2.9) and SunOS (4.1.4 to 4.1.2)
* OSF (4.0, 3.2)
* NetBSD (1.5alpha to 1.0)
* FreeBSD (4.1 to 2.2)
* BSDi (4.0.1 to 2.1)
* Linux (kernels 2.4 to 1.3)
* AIX (4.1.5, 3.2.5)
* OpenBSD (2.8, 2.6)
* Irix (6.5 to 5.1)
* OS X (10.1.1 and 10.1.2)
* Dynix/PTX 4.4
* QNX 6.2.1A

See our FAQ at http://www.Net-SNMP.org/FAQ.html for more details on
portability of the Net-SNMP package.

Which versions of the SNMP protocol are supported in this package?
-----------------------------------------------------------------
SNMPv1, SNMPv2c, and SNMPv3 (including user-based and kerberos-based
support)

I've found a bug or have a suggestion, how do I tell you about it?
-----------------------------------------------------------------
Please submit the bug to our bug-tracking system at:

  http://www.net-snmp.org/bugs/

Please submit patches (for features or bugs) to our patch-tracking
system. (You don't need to submit a bug report as well, just a patch)

  http://www.net-snmp.org/patches/

What's the difference between UCD-SNMP and Net-SNMP?
---------------------------------------------------
Not a great deal, really. Although the project originally started at
UC Davis (hence the name), and it has always been based there, most of
the contributors have had little or no connection with this
institution.

The move to SourceForge was intended to provide a more flexible
environment for the project, and to distribute the administrative
workload more evenly. The change of name simply reflects this move,
which was the last remaining link with UC Davis.

The 4.2.x line is the last release line that uses the ucd-snmp name,
and all releases under this banner will be bug-fixes only. Release 5.0
is the first version using the net-snmp name, and all new features and
significant development will be released under this name. (Though the
dividing line between a bug-fix and a new feature is something of a
vague one, so some changes in the 4.2.x line may be relatively
non-trivial!)

--
"In the bathtub of history the truth is harder to hold than the soap,
and much more difficult to find." -- Terry Pratchett

_______________________________________________
Net-snmp-announce mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-announce

_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
