
List:       net-snmp-announce
Subject:    Multiple new Net-SNMP releases to fix a security related bug
From:       Wes Hardaker <hardaker () users ! sourceforge ! net>
Date:       2005-07-02 4:25:15
Message-ID: sdzmt5sul0.fsf () wes ! hardakers ! net


A security vulnerability has been found in Net-SNMP releases that
could allow a denial of service attack against Net-SNMP agents which
have opened a stream based protocol (e.g., TCP but not UDP; it should be
noted that Net-SNMP does not by default open a TCP port).  Because of
this, we've immediately released a number of Net-SNMP versions
(5.2.1.2, 5.1.3, and 5.0.10.2) to fix this problem in the various
Net-SNMP branches.  Most of these versions are minor patches from a
previous release, but since we were so close to releasing 5.1.3 anyway
we decided to do a full release of that rather than an incremental
release from the 5.1.2 release.

We hope you enjoy these new releases,
The NET-SNMP Development Team

Contents of this announcement
-----------------------------
  - What has Changed recently?
  - Where can I get it?
  - Are there binaries available?
  - What operating systems does it run on?
  - Which versions of the SNMP protocol are supported in this package?
  - I've found a bug or have a suggestion, how do I tell you about it?
  - What's the difference between UCD-SNMP and Net-SNMP?

What has Changed recently?
-------------------------------------------

  The NEWS file snippets from these releases are as follows:

  *5.2.1.2*
   Security:
     - Fixed a denial of service vulnerability when stream sockets have
       been configured for use (E.G., TCP but not UDP).

  *5.0.10.2*
   Security:
     - Fixed a denial of service vulnerability when stream sockets have
       been configured for use (E.G., TCP but not UDP).

  *5.1.3*
   Fixes:
     security:
       - fix potential race condition in fixproc script
       - fix DOS vulnerability on tcp connections

     agent:
       - bug 1034008: memory leak using SET for table_dataset
       - patch 1052460: fix agent deadlock on exec
       - bug 1055781: get-next fails to step into interfaces group correctly
       - bug 1056760: agent ignores ifspeed, type settings in snmpd.conf
       - Persistent files in directory defined by snmp.conf persistentDir were
         not being loaded at startup
       - 1062986: pass and pass_persist fail and crash snmpd
       - patch 1052460: agent deadlock on exec
       - fix bug 1056760: agent ignores ifspeed, type settings in snmpd.conf
       - bug 119106, ipAdEntIfIndex is wrong
       - bug 986238: snmpd loops forever
       - bug 615744: Spurious DISMAN-EVENT traps
       - patch 1040718: Agentx error propagation and infinite loop
       - fix error handling for proxy get-next requests

     snmptrapd:
       - new configure option to exclude AgentX subagent code
       - new runtime option to exclude table registrations

     library:
       - process pre-mib config tokens in optional config files at the
         right time
       - get rid of strtok (patch 1040330, backported by Thomas Anders, fixes
         bug 1040686)
       - consistent handling of '+' for MIB and MIB directory handling from all
         sources (config file, environment variables, command line)
       - handle agentXsocket token in sub-agent configuration files
       - several AgentX fixes

   Ports:
     Linux:
       - use ethtool ioctl to detect gigabit interface speeds
       - Fix reversed sysIORawSent/Received
       - 64bit fixes to interface and ssRawCpu statistics
       - integrate fixes from RedHat and Debian

     Tru64:
       - build fixes; README.tru64 added

     FreeBSD:
       - apply patch 1056927: 5.2-p03: freebsd interface bugs
       - fix bug 1055781: get-next fails to step into interfaces group correctly


     Win32:
       - Cygwin compiler fixes
       - bug 926389: Win32 event log logging
       - Fix compiling without the Platform SDK (PSDK)

     NetBSD:
       - integrate fixes from NetBSD port

Where can I get it?
------------------

  Download:
    - http://www.net-snmp.org/download/
    - ftp://ftp.net-snmp.org/pub/sourceforge/net-snmp/
  Web page:
    - http://www.net-snmp.org/
  Sourceforge Project page:
    - http://www.net-snmp.org/project/
  Mirrors (note that sourceforge download servers are mirrored themselves):
    - US:          ftp://ftp.freesnmp.com/mirrors/net-snmp/
    - Bulgaria:    http://rtfm.uni-svishtov.bg/net-snmp/    (appears to be out of date)
    - Germany:     ftp://ftp.mpg.goe.ni.schule.de/pub/internet/net-snmp/  (unknown host)
    - Greece:      ftp://ftp.ntua.gr/pub/net/snmp/net-snmp/


Are there binaries available?
----------------------------

  - Binaries do appear on our download site, but often are published a
    bit later than the normal source code.  Most of the binaries that
    are available have been linked with the OpenSSL package so you'll
    need a copy of it installed in order to use them.  If you don't
    have OpenSSL installed and don't want it installed, please get the
    net-snmp source release instead and build it yourself (but you'll
    lose support for SNMPv3 with SHA1 authentication and both DES and
    AES encryption).

What operating systems does it run on?
-------------------------------------

  Both the applications and the agent have been reported as running
  (at least in part) on the following operating systems:

	* HP-UX (10.20 to 9.01 and 11.0 -- see README.hpux11)
	* Ultrix (4.5 to 4.2)
	* Solaris SPARC/ULTRA (2.8 to 2.3), Intel (2.9) and SunOS (4.1.4 to 4.1.2)
	* OSF (4.0, 3.2)
	* NetBSD (1.5alpha to 1.0)
	* FreeBSD (4.1 to 2.2)
	* BSDi (4.0.1 to 2.1)
	* Linux (kernels 2.4 to 1.3)
	* AIX (4.1.5, 3.2.5)
	* OpenBSD (2.8, 2.6)
	* Irix (6.5 to 5.1)
	* OS X (10.1.1 and 10.1.2)
	* Dynix/PTX 4.4
	* QNX 6.2.1A

  See our FAQ at http://www.Net-SNMP.org/FAQ.html for more details on
  portability of the Net-SNMP package.

Which versions of the SNMP protocol are supported in this package?
-----------------------------------------------------------------

  SNMPv1, SNMPv2c, and SNMPv3 (including user-based and kerberos-based support) 

I've found a bug or have a suggestion, how do I tell you about it?
-----------------------------------------------------------------

  Please submit the bug to our bug-tracking system at:

    http://www.net-snmp.org/bugs/

  Please submit patches (for features or bugs) to our patch-tracking
  system.  (You don't need to submit a bug report as well, just a patch)

    http://www.net-snmp.org/patches/

What's the difference between UCD-SNMP and Net-SNMP?
---------------------------------------------------

  Not a great deal, really.
  Although the project originally started at UC Davis (hence the name),
  and it has always been based there, most of the contributors have had
  little or no connection with this institution.

    The move to SourceForge was intended to provide a more flexible
  environment for the project, and to distribute the administrative
  workload more evenly.  The change of name simply reflects this move,
  which was the last remaining link with UC Davis.

    The 4.2.x line is the last release line that uses the ucd-snmp name,
  and all releases under this banner will be bug-fixes only.  Release
  5.0 is the first version using the net-snmp name, and all new features
  and significant development will be released under this name.
    (Though the dividing line between a bug-fix and a new feature is
  something of a vague one, so some changes in the 4.2.x line may be
  relatively non-trivial!)
-- 
"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett
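
Added example (not part of the original announcement and not Net-SNMP project code): a triage check that combines the two conditions stated above, whether an agent's snmpd.conf opens a stream transport and whether the installed release is at or past the fixed version for its branch. The function names, the sample configuration and the set of transport specifiers treated as stream-based are assumptions; the announcement itself names only TCP.

```python
import re

# Fixed releases per branch, as listed in the announcement.
FIXED = {(5, 2): (5, 2, 1, 2), (5, 1): (5, 1, 3), (5, 0): (5, 0, 10, 2)}
# Assumption: specifiers treated as stream-based. The announcement names only
# TCP; the IPv6 TCP aliases and unix are included here by assumption.
STREAM = {"tcp", "tcp6", "tcpv6", "tcpipv6", "unix"}

def has_fix(version):
    """True/False for the three branches named above, None if undetermined."""
    if not re.fullmatch(r"\d+(\.\d+)+", version):
        return None  # pre-releases or vendor suffixes need manual review
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[:2])
    return None if fixed is None else parts >= fixed

def stream_listeners(conf_text):
    """Return agentaddress entries in snmpd.conf text that use a stream transport."""
    found = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split(None, 1)
        if len(fields) < 2 or fields[0].lower() != "agentaddress":
            continue
        for addr in (a.strip() for a in fields[1].split(",")):
            # No recognised specifier (e.g. "161", "localhost:161") means UDP.
            if addr.split(":", 1)[0].lower() in STREAM:
                found.append(addr)
    return found

def triage(version, conf_text):
    """Classify one agent. Only the config text is inspected; listening
    addresses passed on the snmpd command line must be checked separately."""
    listeners = stream_listeners(conf_text)
    fixed = has_fix(version)
    if not listeners:
        return "not exposed: no stream listener in this config"
    if fixed:
        return "patched: stream listener present, release has the fix"
    if fixed is None:
        return "review: stream listener present, version not covered here"
    return "upgrade: stream listener present, release predates the fix"

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = "# constructed sample\nagentaddress udp:161,tcp:161\n"

if __name__ == "__main__":
    print(triage("5.1.2", SAMPLE_CONF))
```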

