[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
This bug was fixed in the package net-snmp - 5.7.3+dfsg-1ubuntu4.6 --- net-snmp (5.7.3+dfsg-1ubuntu4.6) xenial-security; urgency=medium * SECURITY REGRESSION: The update for CVE-2020-15862 making mib extend read-only caused nsExtendCacheTime to be not setable anymore (LP: #1892980) - debian/patches/CVE-2020-15862-bug1893465.patch: add -cacheTime and -execType flags to "extend" config directive in agent/mibgroup/agent/extend.c, man/snmpd.conf.5.def. -- leo.barb...@canonical.com (Leonidas S. Barbosa) Mon, 31 Aug 2020 09:46:19 -0300 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
This bug was fixed in the package net-snmp - 5.7.3+dfsg-1.8ubuntu3.6 --- net-snmp (5.7.3+dfsg-1.8ubuntu3.6) bionic-security; urgency=medium * SECURITY REGRESSION: The update for CVE-2020-15862 making mib extend read-only caused nsExtendCacheTime to be not setable anymore (LP: #1892980) - debian/patches/CVE-2020-15862-bug1893465.patch: add -cacheTime and -execType flags to "extend" config directive in agent/mibgroup/agent/extend.c, man/snmpd.conf.5.def. -- leo.barb...@canonical.com (Leonidas S. Barbosa) Fri, 28 Aug 2020 17:14:41 -0300 ** Changed in: net-snmp (Ubuntu) Status: In Progress => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15862 ** Changed in: net-snmp (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
Thanks for the quick fix! After some tests, I believe that 5.7.3+dfsg-1.8ubuntu3.6 will fix the issue. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
A new version is available building in security-proposed: https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+packages - 5.7.3+dfsg-1.8ubuntu3.6. It would be appreciate any tests on it. Using the new flag -cacheTime is set in /etc/snmp/snmpd.conf , extend -cacheTime -1 ... After restart snmpd run snmpwalk -v1 -c test localhost "NET-SNMP-EXTEND-MIB::nsExtendCacheTime" must show the value was set. Issue was not reproducible in a VM, probably some issues with NIC. It was in a docker. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
** Changed in: net-snmp (Ubuntu) Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab) ** Changed in: net-snmp (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
Hi azrle! Thanks a lot for the detailed steps. I now could reproduce it. I'll issue a new update adding the feature flags that allow cachetime be set. Soon I have a tested version I reach you back. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
Hi, Thanks for following up. Here are steps to reproduce it. 1. Login to an Ubuntu 18 server. e.g. docker run --name ubuntu18 -it ubuntu:bionic 2. apt-get update 3. apt-get install snmp snmp-mibs-downloader snmpd (5.7.3+dfsg-1.8ubuntu3.5 will be installed) 4. Use the following config: cat << EOF > /etc/snmp/snmpd.conf com2sec private localhost test group readwrite v1 private view all included .1 80 access readonly "" any noauth exact all none none access readwrite "" any noauth exact all all none extend unixtime /bin/date +%s EOF 5. service snmpd start 6. Run tests The following command to set cache time to -1 will fail: snmpset -v1 -c test localhost 'NET-SNMP-EXTEND-MIB::nsExtendCacheTime."unixtime"' i -1 We can also observe that nsExtendCacheTime is still 5 seconds. snmpwalk -v1 -c test localhost "NET-SNMP-EXTEND-MIB::nsExtendCacheTime" And the following result will be cached for 5 seconds. snmpwalk -v1 -c test localhost 'NET-SNMP-EXTEND-MIB::nsExtendOutLine."unixtime"' 7. Test another versions apt-get install libsnmp30=5.7.3+dfsg-1.8ubuntu3 \ snmp=5.7.3+dfsg-1.8ubuntu3 \ snmpd=5.7.3+dfsg-1.8ubuntu3 pkill snmpd Then, repeat steps 5, 6, it will success to change cache time to -1 and the result is not cached anymore, which is our expected behavior. Let me know if you have any problem to reproduce the issue. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
Also, would mind to provide detailed steps in how to reproduce this issue? I wasn't so far able to reproduce it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
Hi, Sorry for the inconvenient. We (security team) are/will analyze what would be a better solution here. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
Subscribing Leonidas who did the CVE fix and tagging regression-update. Since the break is pushed to -security the fixup (if any) will need to land there as well. Also he will have more experience in security fixes that suddenly make new features required to work around new limitations. @Leonidas what is your advice how to go on here? ** Tags removed: server-triage-discuss ** Tags added: regression-update -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
Hello and thanks for this bug report and for the pointer to the upstream commit implementing -cacheTime and -execType. I can see how those would bring the functionality back, however they can be considered "new features", which are rarely introduced with stable release updates, and with extra care. This will require some discussion. [1] https://wiki.ubuntu.com/StableReleaseUpdates ** Tags added: server-triage-discuss -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892980] Re: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore
By the way, here is another thread discussing about the similar issue. https://sourceforge.net/p/net-snmp/mailman/net-snmp- users/thread/AB3D9027096B5848A262A13D45A88E680182CA87F7%40RISBCTMBXP007.risk.regn.net/#msg36715544 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892980 Title: NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs