- Prior to this update, there was a limit of 50 'exec' entries in the /etc/snmp/snmpd.conf file. With more than 50 such entries in the configuration file, the snmpd daemon returned the "Error: No further UCD-compatible entries" error message to the system log. With this update, this limit has been removed and there can now be any number of 'exec' entries in the snmpd configuration file, thus preventing this bug.
SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
- An array index error, leading to an out-of-bounds buffer read flaw, was found in the way the net-snmp agent looked up entries in the extension table. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the /etc/snmp/snmpd.conf) could use this flaw to crash snmpd via a crafted SNMP GET request.
- In the previous update, a change was made in order to stop snmpd terminating unexpectedly when an AgentX subagent disconnected while processing a request. This fix, however, introduced a memory leak. With this update, this memory leak is fixed.
- In a previous update, a new BRIDGE-MIB was implemented in the net-snmp-perl subpackage. This MIB used incorrect conversion of interface-index values from the kernel and reported incorrect values of ifIndex OIDs (object identifiers). With this update, conversion of interface indexes is fixed and BRIDGE-MIB reports correct ifIndex OIDs.
- snmpd erroneously enabled verbose logging when parsing the proxy option in the snmpd.conf file. Consequently, unexpected debug messages were sometimes written to the system log. With this update, snmpd no longer modifies logging settings when parsing the proxy option. As a result, no debug messages are sent to the system log unless explicitly enabled by the system administrator.
- Previously, the snmpd daemon strictly implemented RFC 2780. However, this specification no longer scales well with modern big storage devices with small allocation units. Consequently, snmpd reported a wrong value for the “HOST-RESOURCES-MIB::hrStorageSize” object when working with a large file system (larger than 16TB), because the accurate value did not fit into Integer32 as specified in the RFC. To address this problem, this update adds a new option to the /etc/snmp/snmpd.conf configuration file, “realStorageUnits”. By changing the value of this option to 0, users can now enable recalculation of all values in “hrStorageTable” to ensure that the multiplication of “hrStorageSize” and “hrStorageAllocationUnits” always produces an accurate device size. The values of “hrStorageAllocationUnits” are then artificial in this case and no longer represent the real size of the allocation unit on the storage device.
- BZ#748411, BZ#755481, BZ#757685
- In the previous net-snmp update, the implementation of “HOST-RESOURCES-MIB::hrStorageTable” was rewritten and devices with Veritas File System (VxFS), ReiserFS, and Oracle Cluster File System (OCFS2) were not reported. In this update, snmpd properly recognizes VxFS, ReiserFS, and OCFS2 devices and reports them in “HOST-RESOURCES-MIB::hrStorageTable”.
- Prior to this update, the Net-SNMP Perl module did not properly evaluate error codes in the register() method in the “NetSNMP::agent” module and terminated unexpectedly when this method failed. With this update, the register() method has been fixed and the updated Perl modules no longer crash on failure.
- The SNMP daemon (snmpd) did not properly fill a set of watched socket file descriptors. Therefore, the daemon sometimes terminated unexpectedly with the “select: bad file descriptor” error message when more than 32 AgentX subagents connected to snmpd on 32-bit platforms or more than 64 subagents on 64-bit platforms. With this update, snmpd properly clears sets of watched file descriptors and no longer crashes when handling a large number of subagents.
- snmpd erroneously checked the length of “SNMP-TARGET-MIB::snmpTargetAddrRowStatus” value in incoming “SNMP-SET” requests on 64-bit platforms. Consequently, snmpd sent an incorrect reply to the “SNMP-SET” request. With this update, the check of “SNMP-TARGET-MIB::snmpTargetAddrRowStatus” is fixed and it is possible to set it remotely using “SNMP-SET” messages.
- snmpd did not check the permissions of its MIB index files stored in the /var/lib/net-snmp/mib_indexes directory and assumed it could read them. If the read access was denied, for example due to incorrect SELinux contexts on these files, snmpd crashed. With this update, snmpd checks if its MIB index files were correctly opened and does not crash if they cannot be opened.
- Before this release, the length of the OID parameter of “sysObjectID” (an snmpd.conf config file option) was not correctly stored in snmpd, which resulted in “SNMPv2-MIB::sysObjectID” being truncated if the OID had more than 10 components. In this update, handling of the OID length is fixed and “SNMPv2-MIB::sysObjectID” is returned correctly.
- Prior to this update, when snmpd was started and did not find a network interface which had been present during the last snmpd shutdown, the following error message was logged: “snmpd: error finding row index in _ifXTable_container_row_restore”. This happened on systems which dynamically create and remove network interfaces on demand, such as virtual hosts or PPP servers. In this update, this message has been removed and no longer appears in the system log.
- snmpd enumerated active TCP connections for “TCP-MIB::tcpConnectionTable” in an inefficient way with O(n^2) complexity. With many TCP connections, an SNMP client could time out before snmpd processed a request regarding the “tcpConnectionTable”, and sent a response. This update improves the enumeration mechanism and snmpd now swiftly responds to SNMP requests in the “tcpConnectionTable”.
- When an object identifier (OID) was out of the subtree registered by the proxy statement in the /etc/snmp/snmpd.conf configuration file, the previous version of the snmpd daemon failed to use a correct OID of proxied “GETNEXT” requests. With this update, snmpd now adjusts the OIDs of proxied “GETNEXT” requests correctly and sends correct requests to the remote agent as expected.
- Net-SNMP daemons and utilities use the /var/lib/net-snmp directory to store persistent data, for example the cache of parsed MIB files. This directory is created by the net-snmp package and when this package is not installed, Net-SNMP utilities and libraries create the directory with the wrong SELinux context, which results in an Access Vector Cache (AVC) error reported by SELinux. In this update, the /var/lib/net-snmp directory is created by the net-snmp-lib package, therefore all Net-SNMP utilities and libraries do not need to create the directory and the directory will have the correct SELinux context.
snmptrapd daemons will be restarted automatically.
- In previous Net-SNMP releases, snmpd reported an invalid speed of network interfaces in IF-MIB::ifTable and IF-MIB::ifXTable if the interface had a speed other than 10, 100, 1000 or 2500 MB/s. Thus, the net-snmp ifHighSpeed value returned was "0" compared to the correct speed as reported in ethtool, if the Virtual Connect speed was set to, for example, 0.9 Gb/s. With this update, the ifHighSpeed value returns the correct speed as reported in ethtool, and snmpd correctly reports non-standard network interface speeds.
- When an AgentX subagent disconnected from the SNMP daemon (snmpd), the daemon did not properly check that there were no active requests queued in the subagent and destroyed the session. Consequently, the session was referenced by snmpd later when processing queued requests and because it was already destroyed, snmpd terminated unexpectedly with a segmentation fault or looped indefinitely. This update adds several checks to prevent the destruction of sessions with active requests, and snmpd no longer crashes in the described scenario.
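
For the “realStorageUnits” item above: an added illustration (not net-snmp's own code) of how a block count too large for Integer32 can be rescaled so that “hrStorageSize” multiplied by “hrStorageAllocationUnits” still gives the device size. The struct and function names, the halve-and-double strategy, and the 20 TiB file system with 4096-byte blocks are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* One hrStorageTable row as a client reads it (illustrative names). */
struct hr_row {
    int32_t alloc_units; /* hrStorageAllocationUnits, bytes per unit */
    int32_t size;        /* hrStorageSize, number of units */
};

/* Does the real block count fit the Integer32 used by hrStorageSize? */
int fits_integer32(uint64_t blocks)
{
    return blocks <= (uint64_t)INT32_MAX;
}

/* Assumed strategy: halve the count and double the unit until the count
 * fits. Returns 0 on success, -1 if the unit would leave Integer32.
 * An odd count loses less than one (artificial) unit to rounding. */
int hr_rescale(uint64_t block_size, uint64_t blocks, struct hr_row *out)
{
    uint64_t units = block_size, size = blocks;

    if (units == 0 || units > (uint64_t)INT32_MAX)
        return -1;
    while (size > (uint64_t)INT32_MAX) {
        size >>= 1;
        units <<= 1;
        if (units > (uint64_t)INT32_MAX)
            return -1;
    }
    out->alloc_units = (int32_t)units;
    out->size = (int32_t)size;
    return 0;
}

/* What a monitoring client computes from the two columns. */
uint64_t hr_bytes(const struct hr_row *r)
{
    return (uint64_t)r->size * (uint64_t)r->alloc_units;
}

int main(void)
{
    /* Constructed sample: 20 TiB file system, 4096-byte blocks. */
    uint64_t blocks = 20ULL * (1ULL << 40) / 4096;
    struct hr_row r;

    printf("real block count fits Integer32: %d\n", fits_integer32(blocks));
    if (hr_rescale(4096, blocks, &r) == 0)
        printf("%d units x %d bytes = %llu bytes\n", r.size, r.alloc_units,
               (unsigned long long)hr_bytes(&r));
    return 0;
}
```

Monitoring that reads “hrStorageAllocationUnits” as the file system's real block size will see a different value once the option is set to 0; only the product of the two columns is meaningful.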