Security Advisory Moderate: net-snmp security and bug fix update

Advisory: RHSA-2013:0124-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-01-08
Last updated on: 2013-01-08
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2012-2141

Details

Updated net-snmp packages that fix one security issue and multiple bugs are
now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

These packages provide various libraries and tools for the Simple Network
Management Protocol (SNMP).

An out-of-bounds buffer read flaw was found in the net-snmp agent. A remote
attacker with read privileges to a Management Information Base (MIB)
subtree handled by the "extend" directive (in "/etc/snmp/snmpd.conf") could
use this flaw to crash snmpd via a crafted SNMP GET request.
(CVE-2012-2141)

Bug fixes:

* Devices that used certain file systems were not reported in the
"HOST-RESOURCES-MIB::hrStorageTable" table. As a result, the snmpd daemon
did not recognize devices using tmpfs, ReiserFS, and Oracle Cluster File
System (OCFS2) file systems. This update recognizes these devices and
reports them in the "HOST-RESOURCES-MIB::hrStorageTable" table.
(BZ#754652, BZ#755958, BZ#822061)

* The snmptrapd(8) man page did not correctly describe how to load
multiple configuration files using the "-c" option. The man page now
correctly states that multiple configuration files must be separated by a comma.
(BZ#760001)

* Integers truncated from 64 to 32-bit were not correctly evaluated. As a
consequence, the snmpd daemon could enter an endless loop when encoding the
truncated integers to network format. This update modifies the underlying
code so that snmpd correctly checks truncated 64-bit integers. Now, snmpd
avoids an endless loop. (BZ#783892)

* snmpd did not correctly check for interrupted system calls when
enumerating existing IPv6 network prefixes during startup. As a
consequence, snmpd could prematurely exit when receiving a signal during
this enumeration. This update checks the network prefix enumeration code
for interrupted system calls. Now, snmpd no longer terminates when a signal
is received. (BZ#799699)

* snmpd used the wrong length of COUNTER64 values in the AgentX protocol.
As a consequence, snmpd could not decode two consecutive COUNTER64 values
in one AgentX packet. This update uses the correct COUNTER64 size and can
process two or more COUNTER64 values in AgentX communication. (BZ#803585)

* snmpd ignored the "-e" parameter of the "trapsess" option in the snmpd
configuration file. As a result, outgoing traps were incorrectly sent with
the default EngineID of snmpd when configuring "trapsess" with an explicit
EngineID. This update modifies the underlying code to send outgoing traps
using the EngineID as specified in the "trapsess -e" parameter in the
configuration file. (BZ#805689)

* snmpd did not correctly encode negative Request-IDs in outgoing requests,
for example during trap operations. As a consequence, a 32-bit value could
be encoded in 5 bytes instead of 4, and the outgoing requests were refused
by certain implementations of the SNMP protocol as invalid. With this
update, a Request-ID can no longer become negative and is always encoded in
4 bytes. (BZ#818259)

* snmpd ignored the port number of the "clientaddr" option when specifying
the source address of outgoing SNMP requests. As a consequence, the system
assigned a random address. This update allows both the port number and the
source IP address to be specified in the "clientaddr" option. Now,
administrators can increase security with firewall rules and
Security-Enhanced Linux (SELinux) policies by configuring a specific source
port of outgoing traps and other requests. (BZ#828691)

* snmpd did not correctly process responses to internal queries when
initializing monitoring enabled by the "monitor" option in the
"/etc/snmp/snmpd.conf" configuration file. As a consequence, snmpd was not
fully initialized and the error message "failed to run mteTrigger query"
appeared in the system log 30 seconds after the snmpd startup. This update
explicitly checks for responses to internal monitoring queries. (BZ#830042)

Users of net-snmp should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the update,
the snmpd and snmptrapd daemons will be restarted automatically.
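
The following added example (not part of the Red Hat advisory) shows one way to triage a host for the CVE-2012-2141 condition described above: it checks whether the installed net-snmp build is at least 5.3.2.2-20.el5 and whether the configuration contains active "extend" directives. The function names, verdict strings, sample configuration and the older release number are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat's tooling): triage a RHEL 5 host for CVE-2012-2141.
# Fixed build taken from this advisory's package list: net-snmp-5.3.2.2-20.el5.
FIXED_VERSION="5.3.2.2"
FIXED_RELEASE=20

# Print active (uncommented) "extend" directives with their line numbers.
extend_directives() {   # $1 = path to an snmpd.conf-style file
    awk '$1 == "extend" { print NR ": " $0 }' "$1"
}

# Exit status: 0 = fixed build or newer, 1 = older build,
# 2 = not a 5.3.2.2 build, so this advisory does not describe it.
is_fixed_build() {      # $1 = VERSION-RELEASE, e.g. "5.3.2.2-20.el5"
    case $1 in *-*) ;; *) return 2 ;; esac
    ver=${1%%-*}
    rel=${1#*-}
    relnum=${rel%%.*}
    [ "$ver" = "$FIXED_VERSION" ] || return 2
    case $relnum in ''|*[!0-9]*) return 2 ;; esac
    [ "$relnum" -ge "$FIXED_RELEASE" ]
}

# Combine both checks into one verdict string.
triage() {              # $1 = VERSION-RELEASE, $2 = config path
    rc=0
    is_fixed_build "$1" || rc=$?
    case $rc in
        0) echo "patched"; return 0 ;;
        2) echo "out-of-scope"; return 0 ;;
    esac
    if [ -n "$(extend_directives "$2")" ]; then
        echo "unpatched-extend-in-use"   # the subtree named in the advisory exists
    else
        echo "unpatched-no-extend"       # still update; no extend subtree configured
    fi
}

# Constructed sample config; on a real host use /etc/snmp/snmpd.conf and
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' net-snmp
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
rocommunity example-community 127.0.0.1
# extend retired /bin/true
extend diskcheck /usr/local/bin/diskcheck.sh
   extend uptime /usr/bin/uptime
EOF

extend_directives "$SAMPLE_CONF"
triage "5.3.2.2-14.el5" "$SAMPLE_CONF"   # constructed older release number
triage "5.3.2.2-20.el5" "$SAMPLE_CONF"
```

For hosts reported as unpatched with "extend" in use, also review which communities or users have read access to the extend subtree, since the advisory states that read privileges are required.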


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Every file listed below is outdated by RHSA-2014:0322.

RHEL Desktop Workstation (v. 5 client)

SRPMS:
net-snmp-5.3.2.2-20.el5.src.rpm

IA-32:
net-snmp-debuginfo-5.3.2.2-20.el5.i386.rpm
net-snmp-devel-5.3.2.2-20.el5.i386.rpm

x86_64:
net-snmp-debuginfo-5.3.2.2-20.el5.i386.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.x86_64.rpm
net-snmp-devel-5.3.2.2-20.el5.i386.rpm
net-snmp-devel-5.3.2.2-20.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
net-snmp-5.3.2.2-20.el5.src.rpm

IA-32:
net-snmp-5.3.2.2-20.el5.i386.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.i386.rpm
net-snmp-devel-5.3.2.2-20.el5.i386.rpm
net-snmp-libs-5.3.2.2-20.el5.i386.rpm
net-snmp-perl-5.3.2.2-20.el5.i386.rpm
net-snmp-utils-5.3.2.2-20.el5.i386.rpm

IA-64:
net-snmp-5.3.2.2-20.el5.ia64.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.ia64.rpm
net-snmp-devel-5.3.2.2-20.el5.ia64.rpm
net-snmp-libs-5.3.2.2-20.el5.ia64.rpm
net-snmp-perl-5.3.2.2-20.el5.ia64.rpm
net-snmp-utils-5.3.2.2-20.el5.ia64.rpm

PPC:
net-snmp-5.3.2.2-20.el5.ppc.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.ppc.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.ppc64.rpm
net-snmp-devel-5.3.2.2-20.el5.ppc.rpm
net-snmp-devel-5.3.2.2-20.el5.ppc64.rpm
net-snmp-libs-5.3.2.2-20.el5.ppc.rpm
net-snmp-libs-5.3.2.2-20.el5.ppc64.rpm
net-snmp-perl-5.3.2.2-20.el5.ppc.rpm
net-snmp-utils-5.3.2.2-20.el5.ppc.rpm

s390x:
net-snmp-5.3.2.2-20.el5.s390x.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.s390.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.s390x.rpm
net-snmp-devel-5.3.2.2-20.el5.s390.rpm
net-snmp-devel-5.3.2.2-20.el5.s390x.rpm
net-snmp-libs-5.3.2.2-20.el5.s390.rpm
net-snmp-libs-5.3.2.2-20.el5.s390x.rpm
net-snmp-perl-5.3.2.2-20.el5.s390x.rpm
net-snmp-utils-5.3.2.2-20.el5.s390x.rpm

x86_64:
net-snmp-5.3.2.2-20.el5.x86_64.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.i386.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.x86_64.rpm
net-snmp-devel-5.3.2.2-20.el5.i386.rpm
net-snmp-devel-5.3.2.2-20.el5.x86_64.rpm
net-snmp-libs-5.3.2.2-20.el5.i386.rpm
net-snmp-libs-5.3.2.2-20.el5.x86_64.rpm
net-snmp-perl-5.3.2.2-20.el5.x86_64.rpm
net-snmp-utils-5.3.2.2-20.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
net-snmp-5.3.2.2-20.el5.src.rpm

IA-32:
net-snmp-5.3.2.2-20.el5.i386.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.i386.rpm
net-snmp-libs-5.3.2.2-20.el5.i386.rpm
net-snmp-perl-5.3.2.2-20.el5.i386.rpm
net-snmp-utils-5.3.2.2-20.el5.i386.rpm

x86_64:
net-snmp-5.3.2.2-20.el5.x86_64.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.i386.rpm
net-snmp-debuginfo-5.3.2.2-20.el5.x86_64.rpm
net-snmp-libs-5.3.2.2-20.el5.i386.rpm
net-snmp-libs-5.3.2.2-20.el5.x86_64.rpm
net-snmp-perl-5.3.2.2-20.el5.x86_64.rpm
net-snmp-utils-5.3.2.2-20.el5.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

755958 - net-snmp ignores reiserfs formatted partitions
803585 - agentx counter64 snmpget problem
815813 - CVE-2012-2141 net-snmp: Array index error, leading to out-of heap-based buffer read (snmpd crash)
840861 - snmpd does not report error when clientaddr <ip>:<port> cannot bind to the specified port


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/