[Bug 1880724] Re: Add (D)TLS support by default to snmpd
** Changed in: net-snmp (Debian)
       Status: Unknown => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1880724

Title:
  Add (D)TLS support by default to snmpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1880724/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
This bug was fixed in the package net-snmp - 5.8+dfsg-5ubuntu1

---------------
net-snmp (5.8+dfsg-5ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable (LP: #1880724). Remaining changes:
    - Add apport hook:
      + d/control: add dh-apport to Build-Depends
      + d/rules: install the apport hook via debhelper
      + d/source.apport: apport hook
    - d/p/Link-libnetsnmptrapd-against-MYSQL_LIBS.patch:
      Link libnetsnmptrapd against MYSQL_LIBS.
      Thanks to Adam Williamson. (Closes #886221, LP #1814254)
    - Fix build with mysql-8 (LP #1814270):
      + d/p/mysql8-replace-bool.patch: newer mysql dropped my_bool,
        use char instead.
    - Skip autofs entries when calling statfs to prevent autofs being
      mounted on snmpd startup (LP #1835818):
      + d/p/autofs-fix-a-recently-introduced-bug.patch
      + d/p/autofs-skip-autofs-entries.patch
    - d/p/fix-check-hr-filesys-autofs.patch:
      + On Linux getmntent() is available but getfsstat() not. Hence
        remove #if HAVE_GETFSSTAT from around the HRFS_type check.
  * Dropped changes, incorporated by Debian:
    - d/p/lp1871307-log-once-proc-net-if_inet6-failure.patch (LP #1871307):
      + MIB-II: Only log once that opening /proc/net/if_inet6 failed
    - SECURITY UPDATE: Fix segmentation fault that happens when using the
      snmpv3 protocol with snmpbulkget. (LP #1877027)
      + d/p/move-securityStateRef-into-free_securityStateRef.patch:
        Consolidate the check of the securityStateRef pointer into the
        free_securityStateRef function.
      + d/p/prevent-snmpv3-bulkget-errors-double-free.patch:
        Prevent snmpv3 bulkget errors from becoming resulting in a
        double free.
      + d/p/fix-usmStateReference-free.patch:
        Fix typo on usm_free_usmStateReference from last patch.
      + d/p/unexport-struct-usmStateReference.patch:
        Unexport struct usmStateReference and to prevent ABI breakages,
        since it will be necessary to add a reference count to it.
      + d/p/introduce-refcount-usmStateReference.patch:
        Introduce refcount in the struct usmStateReference, and adjust
        code to properly use the field.
      + CVE-2019-20892

 -- Sergio Durigan Junior  Thu, 06 Aug 2020 11:42:13 -0400

** Changed in: net-snmp (Ubuntu Groovy)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-20892
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
** Also affects: netsnmp via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964054
   Importance: Unknown
       Status: Unknown

** No longer affects: netsnmp

** Also affects: net-snmp (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964054
   Importance: Unknown
       Status: Unknown

** Changed in: net-snmp (Ubuntu Groovy)
   Importance: Wishlist => Low
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
I'm taking care of the net-snmp merge.

** Changed in: net-snmp (Ubuntu Groovy)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
Thank you, this needs a merge now - Adding server-next tag

** Tags added: server-next
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
Fixed in Debian version 5.8+dfsg-3 (see above bug for details)
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964054 (Done, a bug is added)

** Bug watch added: Debian Bug tracker #964054
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964054
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
Thanks Paride, I understand that this isn't urgent enough to make it to SRU. I don't have access to a Debian system, so I just submitted a bug report (wishlist) via e-mail. I don't see that reflected in the link you have shared, but it should be with the Debian guys now; I will paste a link once I have access to it.
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
@Chaitanya I briefly discussed the issue with the team. Enabling new features is normally out of the scope of SRU upgrades, which have a well defined policy [1], so it is unlikely that we're going to enable DTLS in Focal, as there isn't a very compelling reason to do so.

As I deem the SRU unlikely I marked the Focal task as "Won't Fix". The Groovy task remains open, but we believe that the right way forward here is to enable the feature in Debian.

[1] https://wiki.ubuntu.com/StableReleaseUpdates
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
** Tags removed: server-triage-discuss

** Changed in: net-snmp (Ubuntu)
   Importance: Low => Wishlist

** Also affects: net-snmp (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: net-snmp (Ubuntu Groovy)
   Importance: Wishlist
       Status: Triaged

** Changed in: net-snmp (Ubuntu Focal)
       Status: New => Won't Fix
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
Hi Chaitanya,

Ubuntu Focal and Groovy (the current devel version) have net-snmp 5.8, so if I'm not mistaken enabling DTLS can be done by passing a couple of options to the configure script, without patching. In this case I think there are two fronts we can work at:

1. For the next Ubuntu releases (>= Groovy) support for DTLS should ideally be enabled in Debian, and later picked up by Ubuntu when syncing the package. This will streamline the package maintenance on the Ubuntu side and benefit Debian too. I can't find a Debian bug about the lack of DTLS support in the Debian bug tracker [1]. @Chaitanya: do you think you can report a bug against the Debian package and link it here?

2. For Focal: technically we could enable the configure flags and update the package following the SRU procedure [2], but even if it would be a no-patch SRU the implications of it have to be carefully considered, weighing the regression potential. Some more discussion is needed.

[1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=net-snmp
[2] https://wiki.ubuntu.com/StableReleaseUpdates

** Changed in: net-snmp (Ubuntu)
   Importance: Wishlist => Low

** Tags removed: needs-upstream-report
** Tags added: server-triage-discuss
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
And the patch for 5.7.3 version, but if you switch to latest version it supports openssl OOB, just need to pass DTLS/TLS and TSM options to configure, no need of any extra patches.

And to confirm net-snmp already links with openssl, see https://git.launchpad.net/ubuntu/+source/net-snmp/tree/debian/rules?h=ubuntu/bionic-devel#n48
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
Thanks. I have lifted the openssl patch from https://src.fedoraproject.org/rpms/net-snmp/blob/e4d5ceb957a64d6994629f84901d9f76d2ffed9b/f/net-snmp-5.7.3-openssl.patch, so, not my place to upstream it.

And as per https://www.openssl.org/source/license.html it seems like a free license at least for 1.X.Y versions.
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
Thank you for taking the time to report this bug and helping to make Ubuntu better.

I think it's unlikely that we would make this change in Ubuntu without the support of Debian or upstream. Given that you had to patch net-snmp to support OpenSSL 1.1.0, any chance you could get that patch upstreamed (if it isn't already) so that Debian might be able to make this change, and then Ubuntu could pick it up in the future?

** Tags added: needs-upstream-report

** Changed in: net-snmp (Ubuntu)
       Status: New => Triaged

** Changed in: net-snmp (Ubuntu)
   Importance: Undecided => Wishlist
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
(there's also the question of licensing - are net-snmp and its reverse dependencies definitely compatible with OpenSSL's license such that distributions are permitted to redistribute it linked against OpenSSL?)
[Bug 1880724] Re: Add (D)TLS support by default to snmpd
Ah..sorry, the default version might not have openssl enabled, I was looking at my changed version, and I had to patch net-snmp to support OpenSSL 1.1.0.