From 3030e861e944b467f038551069a31d3095b22399 Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Thu, 20 Oct 2022 20:10:38 +0000 Subject: [PATCH] Auto sync2gitlab import of net-snmp-5.8-26.el8.src.rpm --- .gitignore | 1 + EMPTY | 1 - IETF-MIB-LICENSE.txt | 41 + net-snmp-5.7.2-CVE-2020-15862.patch | 70 + net-snmp-5.7.2-autoreconf.patch | 10 + net-snmp-5.7.2-cert-path.patch | 30 + net-snmp-5.7.2-pie.patch | 128 ++ net-snmp-5.7.3-iterator-fix.patch | 14 + net-snmp-5.8-Remove-U64-typedef.patch | 12 + net-snmp-5.8-aes-config.patch | 100 + net-snmp-5.8-agent-of-death.patch | 122 ++ net-snmp-5.8-agentx-disconnect-crash.patch | 12 + net-snmp-5.8-asn-parse-nlength.patch | 86 + net-snmp-5.8-autofs-skip.patch | 199 ++ net-snmp-5.8-broken-errmsg.patch | 90 + net-snmp-5.8-bulk.patch | 51 + net-snmp-5.8-certs.patch | 12 + net-snmp-5.8-cflags.patch | 112 + net-snmp-5.8-clientaddr-error-message.patch | 35 + net-snmp-5.8-coverity.patch | 68 + net-snmp-5.8-deleted-iface.patch | 41 + net-snmp-5.8-digest-from-ECC.patch | 98 + net-snmp-5.8-dir-fix.patch | 12 + net-snmp-5.8-double-IP-parsing.patch | 48 + net-snmp-5.8-dskTable-dynamic.patch | 181 ++ net-snmp-5.8-duplicate-ipAddress.patch | 11 + net-snmp-5.8-empty-passphrase.patch | 30 + net-snmp-5.8-engine-id.patch | 25 + net-snmp-5.8-expand-SNMPCONFPATH.patch | 12 + net-snmp-5.8-fix-cert-crash.patch | 67 + net-snmp-5.8-flood-messages.patch | 26 + net-snmp-5.8-intermediate-certs.patch | 1066 +++++++++ net-snmp-5.8-ipAddress-faster-load.patch | 82 + net-snmp-5.8-ipv6-clientaddr.patch | 12 + net-snmp-5.8-ipv6-disabled.patch | 31 + ...8-libnetsnmptrapd-against-MYSQL_LIBS.patch | 12 + net-snmp-5.8-man-page.patch | 36 + net-snmp-5.8-memleak-backport.patch | 92 + net-snmp-5.8-memory-reporting.patch | 35 + net-snmp-5.8-modern-rpm-api.patch | 83 + net-snmp-5.8-multilib.patch | 45 + net-snmp-5.8-proxy-getnext.patch | 12 + net-snmp-5.8-rpm-memory-leak.patch | 26 + net-snmp-5.8-sec-counter.patch | 146 ++ net-snmp-5.8-sec-memory-leak.patch | 84 + net-snmp-5.8-test-debug.patch | 30 + net-snmp-5.8-trapsink.patch | 21 + 
net-snmp-5.8-usage-exit.patch | 11 + net-snmp-5.8-util-fix.patch | 13 + net-snmp-5.8-v3-forward.patch | 357 ++++ net-snmp-config | 62 + net-snmp-config.h | 38 + net-snmp-tmpfs.conf | 1 + net-snmp-trapd.redhat.conf | 6 + net-snmp.redhat.conf | 462 ++++ net-snmp.spec | 1900 +++++++++++++++++ net-snmpd.sysconfig | 3 + net-snmptrapd.sysconfig | 3 + snmpd.service | 13 + snmptrapd.service | 13 + sources | 1 + 61 files changed, 6440 insertions(+), 1 deletion(-) create mode 100644 .gitignore delete mode 100644 EMPTY create mode 100644 IETF-MIB-LICENSE.txt create mode 100644 net-snmp-5.7.2-CVE-2020-15862.patch create mode 100644 net-snmp-5.7.2-autoreconf.patch create mode 100644 net-snmp-5.7.2-cert-path.patch create mode 100644 net-snmp-5.7.2-pie.patch create mode 100644 net-snmp-5.7.3-iterator-fix.patch create mode 100644 net-snmp-5.8-Remove-U64-typedef.patch create mode 100644 net-snmp-5.8-aes-config.patch create mode 100644 net-snmp-5.8-agent-of-death.patch create mode 100644 net-snmp-5.8-agentx-disconnect-crash.patch create mode 100644 net-snmp-5.8-asn-parse-nlength.patch create mode 100644 net-snmp-5.8-autofs-skip.patch create mode 100644 net-snmp-5.8-broken-errmsg.patch create mode 100644 net-snmp-5.8-bulk.patch create mode 100644 net-snmp-5.8-certs.patch create mode 100644 net-snmp-5.8-cflags.patch create mode 100644 net-snmp-5.8-clientaddr-error-message.patch create mode 100644 net-snmp-5.8-coverity.patch create mode 100644 net-snmp-5.8-deleted-iface.patch create mode 100644 net-snmp-5.8-digest-from-ECC.patch create mode 100644 net-snmp-5.8-dir-fix.patch create mode 100644 net-snmp-5.8-double-IP-parsing.patch create mode 100644 net-snmp-5.8-dskTable-dynamic.patch create mode 100644 net-snmp-5.8-duplicate-ipAddress.patch create mode 100644 net-snmp-5.8-empty-passphrase.patch create mode 100644 net-snmp-5.8-engine-id.patch create mode 100644 net-snmp-5.8-expand-SNMPCONFPATH.patch create mode 100644 net-snmp-5.8-fix-cert-crash.patch create mode 100644 
net-snmp-5.8-flood-messages.patch create mode 100644 net-snmp-5.8-intermediate-certs.patch create mode 100644 net-snmp-5.8-ipAddress-faster-load.patch create mode 100644 net-snmp-5.8-ipv6-clientaddr.patch create mode 100644 net-snmp-5.8-ipv6-disabled.patch create mode 100644 net-snmp-5.8-libnetsnmptrapd-against-MYSQL_LIBS.patch create mode 100644 net-snmp-5.8-man-page.patch create mode 100644 net-snmp-5.8-memleak-backport.patch create mode 100644 net-snmp-5.8-memory-reporting.patch create mode 100644 net-snmp-5.8-modern-rpm-api.patch create mode 100644 net-snmp-5.8-multilib.patch create mode 100644 net-snmp-5.8-proxy-getnext.patch create mode 100644 net-snmp-5.8-rpm-memory-leak.patch create mode 100644 net-snmp-5.8-sec-counter.patch create mode 100644 net-snmp-5.8-sec-memory-leak.patch create mode 100644 net-snmp-5.8-test-debug.patch create mode 100644 net-snmp-5.8-trapsink.patch create mode 100644 net-snmp-5.8-usage-exit.patch create mode 100644 net-snmp-5.8-util-fix.patch create mode 100644 net-snmp-5.8-v3-forward.patch create mode 100755 net-snmp-config create mode 100644 net-snmp-config.h create mode 100644 net-snmp-tmpfs.conf create mode 100644 net-snmp-trapd.redhat.conf create mode 100644 net-snmp.redhat.conf create mode 100644 net-snmp.spec create mode 100644 net-snmpd.sysconfig create mode 100644 net-snmptrapd.sysconfig create mode 100644 snmpd.service create mode 100644 snmptrapd.service create mode 100644 sources diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8ce311b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/net-snmp-5.8.tar.gz diff --git a/EMPTY b/EMPTY deleted file mode 100644 index 0519ecb..0000000 --- a/EMPTY +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/IETF-MIB-LICENSE.txt b/IETF-MIB-LICENSE.txt new file mode 100644 index 0000000..5fd2a6a --- /dev/null +++ b/IETF-MIB-LICENSE.txt 
@@ -0,0 +1,41 @@
+MIBs included in this software taken from IETF Documents are considered
+Code Components in accordance with the IETF Trust License Policy, as found
+here:
+
+http://trustee.ietf.org/license-info/
+
+They are available under the terms of the Simplified BSD license, a copy of
+which is included below.
+
+*****
+
+Copyright (c) 2013 IETF Trust and the persons identified as authors of
+the code. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+· Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+· Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+· Neither the name of Internet Society, IETF or IETF Trust, nor the
+names of specific contributors, may be used to endorse or promote
+products derived from this software without specific prior written
+permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS
+IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/net-snmp-5.7.2-CVE-2020-15862.patch b/net-snmp-5.7.2-CVE-2020-15862.patch
new file mode 100644
index 0000000..394c714
--- /dev/null
+++ b/net-snmp-5.7.2-CVE-2020-15862.patch
@@ -0,0 +1,70 @@
+diff -urNp old/agent/mibgroup/agent/extend.c new/agent/mibgroup/agent/extend.c
+--- old/agent/mibgroup/agent/extend.c 2020-11-11 12:41:46.377115142 +0100
++++ new/agent/mibgroup/agent/extend.c 2020-11-11 12:50:28.047142105 +0100
+@@ -16,6 +16,12 @@
+ #define SHELLCOMMAND 3
+ #endif
+
++/* This mib is potentially dangerous to turn on by default, since it
++ * allows arbitrary commands to be set by anyone with SNMP WRITE
++ * access to the MIB table. If all of your users are "root" level
++ * users, then it may be safe to turn on. */
++#define ENABLE_EXTEND_WRITE_ACCESS 0
++
+ netsnmp_feature_require(extract_table_row_data)
+ netsnmp_feature_require(table_data_delete_table)
+ #ifndef NETSNMP_NO_WRITE_SUPPORT
+@@ -723,7 +729,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ *
+ **********/
+
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+ case MODE_SET_RESERVE1:
+ /*
+ * Validate the new assignments
+@@ -1049,7 +1055,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ }
+ }
+ break;
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT and ENABLE_EXTEND_WRITE_ACCESS */
+
+ default:
+ netsnmp_set_request_error(reqinfo, request, SNMP_ERR_GENERR);
+@@ -1057,7 +1063,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ }
+ }
+
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+ /*
+ * If we're marking a given row as active,
+ * then we need to check that it's ready.
+@@ -1082,7 +1088,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ }
+ }
+ }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+
+ return SNMP_ERR_NOERROR;
+ }
+@@ -1571,7 +1577,7 @@ fixExec2Error(int action,
+ idx = name[name_len-1] -1;
+ exten = &compatability_entries[ idx ];
+
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+ switch (action) {
+ case MODE_SET_RESERVE1:
+ if (var_val_type != ASN_INTEGER) {
+@@ -1592,7 +1598,7 @@ fixExec2Error(int action,
+ case MODE_SET_COMMIT:
+ netsnmp_cache_check_and_reload( exten->efix_entry->cache );
+ }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+ return SNMP_ERR_NOERROR;
+ }
+ #endif /* USING_UCD_SNMP_EXTENSIBLE_MODULE */
diff --git a/net-snmp-5.7.2-autoreconf.patch b/net-snmp-5.7.2-autoreconf.patch
new file mode 100644
index 0000000..a5618e8
--- /dev/null
+++ b/net-snmp-5.7.2-autoreconf.patch
@@ -0,0 +1,10 @@
+926223 - net-snmp: Does not support aarch64 in f19 and rawhide
+
+Update autoconf version to make the test suite happy.
+
+diff -up net-snmp-5.7.2/dist/autoconf-version.autoreconf net-snmp-5.7.2/dist/autoconf-version
+--- net-snmp-5.7.2/dist/autoconf-version.autoreconf 2013-03-25 13:00:15.002745347 +0100
++++ net-snmp-5.7.2/dist/autoconf-version 2013-03-25 13:00:17.207736442 +0100
+@@ -1 +1 @@
+-2.68
++2.69
diff --git a/net-snmp-5.7.2-cert-path.patch b/net-snmp-5.7.2-cert-path.patch
new file mode 100644
index 0000000..495fccb
--- /dev/null
+++ b/net-snmp-5.7.2-cert-path.patch
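Review bot: In net-snmp-5.7.2-CVE-2020-15862.patch, `fixExec2Error` now has its whole `switch (action)` compiled out when `ENABLE_EXTEND_WRITE_ACCESS` is 0, so it falls straight through to `return SNMP_ERR_NOERROR;` and a SET on that object is acknowledged as successful although nothing is applied. `handle_nsExtendConfigTable` at least reaches its `default:` arm and reports `SNMP_ERR_GENERR`; the disabled build of `fixExec2Error` should refuse writes just as explicitly, for example with an `#else` branch containing `return SNMP_ERR_NOTWRITABLE;` before the `#endif`. Both functions start and end outside the hunks shown, so whether the object is still registered as writable has to be confirmed against the full file.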
@@ -0,0 +1,30 @@
+1134475 - dependency in perl package
+
+Use hardcoded path to configuration directories instead of net-snmp-config.
+net-snmp-config is in net-snmp-devel package and we do not want net-snmp-perl
+depending on -devel.
+
+diff -up net-snmp-5.7.2/local/net-snmp-cert.cert-path net-snmp-5.7.2/local/net-snmp-cert
+--- net-snmp-5.7.2/local/net-snmp-cert.cert-path 2012-10-10 00:28:58.000000000 +0200
++++ net-snmp-5.7.2/local/net-snmp-cert 2014-09-01 12:05:10.582427036 +0200
+@@ -819,8 +819,7 @@ sub set_default {
+ sub cfg_path {
+ my $path;
+
+- $path = `$NetSNMP::Cert::CFGTOOL --snmpconfpath`;
+- chomp $path;
++ $path = "/etc/snmp:/usr/share/snmp:/usr/lib64/snmp:/home/jsafrane/.snmp:/var/lib/net-snmp";
+ return (wantarray ? split(':', $path) : $path);
+ }
+
+@@ -1414,8 +1413,8 @@ sub checkReqs {
+ die("$NetSNMP::Cert::OPENSSL (v$ossl_ver): must be $ossl_min_ver or later")
+ if ($ossl_ver cmp $ossl_min_ver) < 0;
+
+- die("$NetSNMP::Cert::CFGTOOL not found: please install")
+- if system("$NetSNMP::Cert::CFGTOOL > /dev/null 2>&1");
++# die("$NetSNMP::Cert::CFGTOOL not found: please install")
++# if system("$NetSNMP::Cert::CFGTOOL > /dev/null 2>&1");
+ }
+
+ sub initOpts {
diff --git a/net-snmp-5.7.2-pie.patch b/net-snmp-5.7.2-pie.patch
new file mode 100644
index 0000000..a05a9bb
--- /dev/null
+++ b/net-snmp-5.7.2-pie.patch
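Review bot: The hard-coded search path added to `cfg_path` in net-snmp-5.7.2-cert-path.patch contains `/home/jsafrane/.snmp`, a home directory captured from the machine where the value was generated rather than the invoking user's. On any host where that path exists or can be created by an unprivileged account, net-snmp-cert would presumably treat it as one of its configuration directories even when run by root; the callers of `cfg_path` are outside the hunk, so the exact use should be confirmed. Drop the component or derive it from the caller's environment, e.g. `$path = "/etc/snmp:/usr/share/snmp:/usr/lib64/snmp:$ENV{HOME}/.snmp:/var/lib/net-snmp";`. The `/usr/lib64/snmp` entry is likewise specific to one architecture's library directory.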
@@ -0,0 +1,128 @@
+diff -up net-snmp-5.7.2/agent/Makefile.in.pie net-snmp-5.7.2/agent/Makefile.in
+--- net-snmp-5.7.2/agent/Makefile.in.pie 2012-10-10 00:28:58.000000000 +0200
++++ net-snmp-5.7.2/agent/Makefile.in 2012-10-18 09:45:13.298613099 +0200
+@@ -294,7 +294,7 @@ getmibstat.o: mibgroup/kernel_sunos5.c
+ $(CC) $(CFLAGS) -o $@ -D_GETMIBSTAT_TEST -DDODEBUG -c $?
+
+ snmpd$(EXEEXT): ${LAGENTOBJS} $(USELIBS) $(AGENTLIB) $(HELPERLIB) $(MIBLIB) $(LIBTARG)
+- $(LINK) $(CFLAGS) -o $@ ${LAGENTOBJS} ${LDFLAGS} ${OUR_AGENT_LIBS}
++ $(LINK) $(CFLAGS) -o $@ -pie ${LAGENTOBJS} ${LDFLAGS} ${OUR_AGENT_LIBS}
+
+ libnetsnmpagent.$(LIB_EXTENSION)$(LIB_VERSION): ${LLIBAGENTOBJS} $(USELIBS)
+ $(LIB_LD_CMD) $(AGENTLIB) ${LLIBAGENTOBJS} $(USELIBS) ${LAGENTLIBS} @LD_NO_UNDEFINED@ $(LDFLAGS) $(PERLLDOPTS_FOR_LIBS) $(LIB_LD_LIBS) @AGENTLIBS@
+diff -up net-snmp-5.7.2/apps/Makefile.in.pie net-snmp-5.7.2/apps/Makefile.in
+--- net-snmp-5.7.2/apps/Makefile.in.pie 2012-10-10 00:28:58.000000000 +0200
++++ net-snmp-5.7.2/apps/Makefile.in 2012-10-18 09:44:27.827774580 +0200
+@@ -170,7 +170,7 @@ snmptest$(EXEEXT): snmptest.$(OSUFFIX
+ $(LINK) ${CFLAGS} -o $@ snmptest.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmptrapd$(EXEEXT): $(TRAPD_OBJECTS) $(USETRAPLIBS) $(INSTALLLIBS)
+- $(LINK) ${CFLAGS} -o $@ $(TRAPD_OBJECTS) $(INSTALLLIBS) ${LDFLAGS} ${TRAPLIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie $(TRAPD_OBJECTS) $(INSTALLLIBS) ${LDFLAGS} ${TRAPLIBS}
+
+ snmptrap$(EXEEXT): snmptrap.$(OSUFFIX) $(USELIBS)
+ $(LINK) ${CFLAGS} -o $@ snmptrap.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+diff -urNp a/apps/Makefile.in b/apps/Makefile.in
+--- a/apps/Makefile.in 2018-09-25 09:18:46.036239465 +0200
++++ b/apps/Makefile.in 2018-09-25 09:38:18.361298461 +0200
+@@ -156,37 +156,37 @@ OTHERUNINSTALL=snmpinformuninstall snmpt
+ # build rules
+ #
+ snmpwalk$(EXEEXT): snmpwalk.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpwalk.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpwalk.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmpbulkwalk$(EXEEXT): snmpbulkwalk.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpbulkwalk.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpbulkwalk.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmpbulkget$(EXEEXT): snmpbulkget.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpbulkget.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpbulkget.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmptranslate$(EXEEXT): snmptranslate.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmptranslate.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmptranslate.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmpstatus$(EXEEXT): snmpstatus.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpstatus.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpstatus.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmpget$(EXEEXT): snmpget.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpget.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpget.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmpdelta$(EXEEXT): snmpdelta.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpdelta.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpdelta.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmptable$(EXEEXT): snmptable.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmptable.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmptable.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmptest$(EXEEXT): snmptest.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmptest.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmptest.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmptrapd$(EXEEXT): $(TRAPD_OBJECTS) $(USETRAPLIBS) $(INSTALLLIBS)
+ $(LINK) ${CFLAGS} -o $@ -pie $(TRAPD_OBJECTS) $(INSTALLLIBS) ${LDFLAGS} ${TRAPLIBS}
+
+ snmptrap$(EXEEXT): snmptrap.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmptrap.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmptrap.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmpinform$(EXEEXT): snmptrap$(EXEEXT)
+ rm -f snmpinform
+@@ -197,34 +197,34 @@ snmptop$(EXEEXT): snmpps$(EXEEXT)
+ $(LN_S) snmpps$(EXEEXT) snmptop$(EXEEXT)
+
+ snmpset$(EXEEXT): snmpset.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpset.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpset.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmpusm$(EXEEXT): snmpusm.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpusm.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpusm.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmpvacm$(EXEEXT): snmpvacm.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpvacm.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpvacm.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmptls$(EXEEXT): snmptls.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmptls.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmptls.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ agentxtrap$(EXEEXT): agentxtrap.$(OSUFFIX) $(USEAGENTLIBS)
+ $(LINK) ${CFLAGS} -o $@ agentxtrap.$(OSUFFIX) ${LDFLAGS} $(USEAGENTLIBS) $(PERLLDOPTS_FOR_APPS) ${LIBS}
+
+ snmpgetnext$(EXEEXT): snmpgetnext.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpgetnext.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpgetnext.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ encode_keychange$(EXEEXT): encode_keychange.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ encode_keychange.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie encode_keychange.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmpdf$(EXEEXT): snmpdf.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpdf.$(OSUFFIX) ${LDFLAGS} ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpdf.$(OSUFFIX) ${LDFLAGS} ${LIBS}
+
+ snmpps$(EXEEXT): snmpps.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpps.$(OSUFFIX) ${LDFLAGS} @LIBCURSES@ ${LIBS}
++ $(LINK) ${CFLAGS} -o $@ -pie snmpps.$(OSUFFIX) ${LDFLAGS} @LIBCURSES@ ${LIBS}
+
+ snmpping$(EXEEXT): snmpping.$(OSUFFIX) $(USELIBS)
+- $(LINK) ${CFLAGS} -o $@ snmpping.$(OSUFFIX) ${LDFLAGS} ${LIBS} -lm
++ $(LINK) ${CFLAGS} -o $@ -pie snmpping.$(OSUFFIX) ${LDFLAGS} ${LIBS} -lm
+
+ snmppcap$(EXEEXT): snmppcap.$(OSUFFIX) $(USELIBS)
+ $(LINK) ${CFLAGS} -o $@ snmppcap.$(OSUFFIX) ${LDFLAGS} ${LIBS} -lpcap
+diff -urNp a/apps/snmpnetstat/Makefile.in b/apps/snmpnetstat/Makefile.in
+--- a/apps/snmpnetstat/Makefile.in 2018-09-25 09:18:46.036239465 +0200
++++ b/apps/snmpnetstat/Makefile.in 2018-09-25 09:39:30.406458117 +0200
+@@ -34,4 +34,4 @@ LIBS= ../../snmplib/libnetsnmp.$(LIB_EX
+ all: standardall
+
+ snmpnetstat$(EXEEXT): ${LOBJS} ${USELIBS}
+- ${LINK} ${CFLAGS} -o $@ ${LOBJS} ${LOCAL_LIBS} ${LDFLAGS} ${LIBS}
++ ${LINK} ${CFLAGS} -o $@ -pie ${LOBJS} ${LOCAL_LIBS} ${LDFLAGS} ${LIBS}
diff --git a/net-snmp-5.7.3-iterator-fix.patch b/net-snmp-5.7.3-iterator-fix.patch
new file mode 100644
index 0000000..fb34caf
--- /dev/null
+++ b/net-snmp-5.7.3-iterator-fix.patch
@@ -0,0 +1,14 @@
+diff -urNp old/agent/mibgroup/host/data_access/swrun.c new/agent/mibgroup/host/data_access/swrun.c
+--- old/agent/mibgroup/host/data_access/swrun.c 2017-07-18 09:44:00.626109526 +0200
++++ new/agent/mibgroup/host/data_access/swrun.c 2017-07-19 15:27:50.452255836 +0200
+@@ -102,6 +102,10 @@ swrun_count_processes_by_name( char *nam
+ return 0; /* or -1 */
+
+ it = CONTAINER_ITERATOR( swrun_container );
++ if((entry = (netsnmp_swrun_entry*)ITERATOR_FIRST( it )) != NULL) {
++ if (0 == strcmp( entry->hrSWRunName, name ))
++ i++;
++ }
+ while ((entry = (netsnmp_swrun_entry*)ITERATOR_NEXT( it )) != NULL) {
+ if (0 == strcmp( entry->hrSWRunName, name ))
+ i++;
diff --git a/net-snmp-5.8-Remove-U64-typedef.patch b/net-snmp-5.8-Remove-U64-typedef.patch
new file mode 100644
index 0000000..75a2c6d
--- /dev/null
+++ b/net-snmp-5.8-Remove-U64-typedef.patch
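Review bot: In net-snmp-5.7.2-pie.patch the `agentxtrap$(EXEEXT)` and `snmppcap$(EXEEXT)` link rules of apps/Makefile.in stay as unchanged context lines without `-pie`, so those two binaries are not linked as position-independent executables while every other tool in the same hunks is. If the omission is not deliberate, add `-pie` after `-o $@` on both `$(LINK)` lines, or pass the flag once through `LDFLAGS` from the spec file so that a new target cannot be missed. `-pie` at link time also requires objects built with `-fPIE` or `-fPIC`; that is not visible in this patch and presumably comes from the cflags patch or the spec.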
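Review bot: The `ITERATOR_FIRST` block added to `swrun_count_processes_by_name` in net-snmp-5.7.3-iterator-fix.patch repeats the loop body verbatim, so any later change to the match condition has to be made in two places. A single loop header covers both cases: `for (entry = (netsnmp_swrun_entry*)ITERATOR_FIRST( it ); entry != NULL; entry = (netsnmp_swrun_entry*)ITERATOR_NEXT( it ))`. A one-line comment saying that `ITERATOR_NEXT` on a fresh iterator skips the first element, which is what the fix implies, would keep the next reader from simplifying it back. The function continues past the end of the hunk, so whether the iterator is released afterwards cannot be checked here.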
@@ -0,0 +1,12 @@
+diff -urNp a/include/net-snmp/library/int64.h b/include/net-snmp/library/int64.h
+--- a/include/net-snmp/library/int64.h 2018-07-18 14:37:16.543348832 +0200
++++ b/include/net-snmp/library/int64.h 2018-07-18 15:31:31.516999288 +0200
+@@ -10,7 +10,7 @@ extern "C" {
+ * Note: using the U64 typedef is deprecated because this typedef conflicts
+ * with a typedef with the same name defined in the Perl header files.
+ */
+- typedef struct counter64 U64;
++// typedef struct counter64 U64;
+ #endif
+
+ #define I64CHARSZ 21
diff --git a/net-snmp-5.8-aes-config.patch b/net-snmp-5.8-aes-config.patch
new file mode 100644
index 0000000..a1ce69c
--- /dev/null
+++ b/net-snmp-5.8-aes-config.patch
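Review bot: Disabling the typedef with `// typedef struct counter64 U64;` puts a C99-style line comment into an installed public header (include/net-snmp/library/int64.h), which consumers building in strict C89 mode will not accept. Delete the line outright or use a block comment in the style of the surrounding text, e.g. `/* typedef struct counter64 U64; removed: clashes with Perl's U64 */`. Out-of-tree code that still uses `U64` stops compiling with this change, which deserves a line in the package changelog.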
@@ -0,0 +1,100 @@
+From 0be093688013b90896f2db3204bb20e790d70149 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 27 Apr 2020 08:23:16 -0700
+Subject: [PATCH] configure: Report supported authentication and encryption
+ modes correctly
+
+Commit 9e49de2e03b1 ("NEWS: snmplib: AES-192/AES-256 compatibility with SNMP
+Research / CISCO") removed SHA-128 and SHA-192 support and added support for
+SHA-224, SHA-256, SHA-384 and SHA-512. Commit 329a9d3c9d63 ("revamp auth/priv
+protocol constants handling") added support for several AES encryption modes.
+Make the configure script report which modes are supported.
+---
+ configure | 15 ++++++++++++++-
+ configure.d/config_os_misc2 | 15 ++++++++++++++-
+ 2 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 46402589f..7481ebd07 100755
+--- a/configure
++++ b/configure
+@@ -26453,7 +26453,13 @@ $as_echo "#define NETSNMP_USE_INTERNAL_CRYPTO 1" >>confdefs.h
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: Internal Crypto Support" >&5
+ $as_echo "Internal Crypto Support" >&6; }
+ elif test "x$useopenssl" != "xno" ; then
+- authmodes="MD5 SHA1 SHA512 SHA384 SHA256 SHA192"
++ authmodes="MD5 SHA1"
++ if test "x$ac_cv_func_EVP_sha224" = xyes; then
++ authmodes="$authmodes SHA224 SHA256"
++ fi
++ if test "x$ac_cv_func_EVP_sha384" = xyes; then
++ authmodes="$authmodes SHA384 SHA512"
++ fi
+ if test "x$enable_privacy" != "xno" ; then
+ if test "x$ac_cv_header_openssl_aes_h" = "xyes" ; then
+ encrmodes="DES AES"
+@@ -26492,6 +26498,13 @@ fi
+ if test "x$enable_md5" = "xno"; then
+ authmodes=`echo $authmodes | $SED 's/MD5 *//;'`
+ fi
++if test "x$ac_cv_func_AES_cfb128_encrypt" = xyes ||
++ test "x$CRYPTO" = xinternal; then
++ encrmodes="$encrmodes AES128"
++ if test "x$aes_capable" = "xyes"; then
++ encrmodes="$encrmodes AES192 AES192C AES256 AES256C"
++ fi
++fi
+
+
+
+diff --git a/configure.d/config_os_misc2 b/configure.d/config_os_misc2
+index 1df9bf0a2..be0bccec0 100644
+--- a/configure.d/config_os_misc2
++++ b/configure.d/config_os_misc2
+@@ -53,7 +53,13 @@ if test "x$CRYPTO" = "xinternal" ; then
+ AC_DEFINE(NETSNMP_USE_INTERNAL_CRYPTO, 1, "Define if internal cryptography code should be used")
+ AC_MSG_RESULT(Internal Crypto Support)
+ elif test "x$useopenssl" != "xno" ; then
+- authmodes="MD5 SHA1 SHA512 SHA384 SHA256 SHA192"
++ authmodes="MD5 SHA1"
++ if test "x$ac_cv_func_EVP_sha224" = xyes; then
++ authmodes="$authmodes SHA224 SHA256"
++ fi
++ if test "x$ac_cv_func_EVP_sha384" = xyes; then
++ authmodes="$authmodes SHA384 SHA512"
++ fi
+ if test "x$enable_privacy" != "xno" ; then
+ if test "x$ac_cv_header_openssl_aes_h" = "xyes" ; then
+ encrmodes="DES AES"
+@@ -86,6 +92,13 @@ fi
+ if test "x$enable_md5" = "xno"; then
+ authmodes=`echo $authmodes | $SED 's/MD5 *//;'`
+ fi
++if test "x$ac_cv_func_AES_cfb128_encrypt" = xyes ||
++ test "x$CRYPTO" = xinternal; then
++ encrmodes="$encrmodes AES128"
++ if test "x$aes_capable" = "xyes"; then
++ encrmodes="$encrmodes AES192 AES192C AES256 AES256C"
++ fi
++fi
+ AC_SUBST(LNETSNMPLIBS)
+ AC_SUBST(LAGENTLIBS)
+
+
+diff -urNp a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in
+--- a/net-snmp-create-v3-user.in 2020-06-15 12:59:05.117432700 +0200
++++ b/net-snmp-create-v3-user.in 2020-06-15 13:01:36.151905241 +0200
+@@ -58,11 +58,11 @@ case $1 in
+ exit 1
+ fi
+ case $1 in
+- DES|AES|AES128)
++ DES|AES|AES128|AES192|AES256)
+ Xalgorithm=$1
+ shift
+ ;;
+- des|aes|aes128)
++ des|aes|aes128|aes192|aes256)
+ Xalgorithm=`echo $1 | tr a-z A-Z`
+ shift
+ ;;
diff --git a/net-snmp-5.8-agent-of-death.patch b/net-snmp-5.8-agent-of-death.patch
new file mode 100644
index 0000000..dcafbb1
--- /dev/null
+++ b/net-snmp-5.8-agent-of-death.patch
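Review bot: The `case` arms added to net-snmp-create-v3-user.in accept `AES192` and `AES256` unconditionally, whereas the configure changes in the same patch report those modes only when `$aes_capable` is `yes`, and also report `AES192C` and `AES256C`, which the script does not accept. As written the script can record a privacy algorithm the build may not support, and cannot select the two `C` variants that configure advertises. Since the file is a `.in` template, the accepted list could be substituted at configure time; otherwise add a comment next to the arms stating which build options they assume. Whether the agent rejects an unsupported algorithm when it later reads the created user is not visible in this patch.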
@@ -0,0 +1,122 @@
+diff -urNp a/agent/agent_trap.c b/agent/agent_trap.c
+--- a/agent/agent_trap.c 2019-02-13 13:10:36.862269252 +0100
++++ b/agent/agent_trap.c 2019-02-13 15:02:11.396042356 +0100
+@@ -174,6 +174,11 @@ _trap_version_incr(int version)
+ case SNMP_VERSION_3:
+ ++_v2_sessions;
+ break;
++#ifdef USING_AGENTX_PROTOCOL_MODULE
++ case AGENTX_VERSION_1:
++ /* agentx registers in sinks, no need to count */
++ break;
++#endif
+ default:
+ snmp_log(LOG_ERR, "unknown snmp version %d\n", version);
+ }
+@@ -201,6 +206,11 @@ _trap_version_decr(int version)
+ _v2_sessions = 0;
+ }
+ break;
++#ifdef USING_AGENTX_PROTOCOL_MODULE
++ case AGENTX_VERSION_1:
++ /* agentx registers in sinks, no need to count */
++ break;
++#endif
+ default:
+ snmp_log(LOG_ERR, "unknown snmp version %d\n", version);
+ }
+diff -urNp old/agent/mibgroup/agentx/master.c new/agent/mibgroup/agentx/master.c
+--- old/agent/mibgroup/agentx/master.c 2019-04-03 12:13:55.115769783 +0200
++++ new/agent/mibgroup/agentx/master.c 2019-04-10 09:49:53.277168497 +0200
+@@ -280,6 +280,11 @@ agentx_got_response(int operation,
+ netsnmp_free_delegated_cache(cache);
+ return 0;
+
++ case NETSNMP_CALLBACK_OP_RESEND:
++ DEBUGMSGTL(("agentx/master", "resend on session %8p req=0x%x\n",
++ session, (unsigned)reqid));
++ return 0;
++
+ case NETSNMP_CALLBACK_OP_RECEIVED_MESSAGE:
+ /*
+ * This session is alive
+diff -urNp old/snmplib/snmp_api.c new/snmplib/snmp_api.c
+--- old/snmplib/snmp_api.c 2019-04-24 00:28:34.904357292 +0200
++++ new/snmplib/snmp_api.c 2019-04-24 00:24:40.101830685 +0200
+@@ -352,6 +352,7 @@ static int snmpv3_build(u_char ** p
+ netsnmp_pdu *pdu);
+ static int snmp_parse_version(u_char *, size_t);
+ static int snmp_resend_request(struct session_list *slp,
++ netsnmp_request_list *orp,
+ netsnmp_request_list *rp,
+ int incr_retries);
+ static void register_default_handlers(void);
+@@ -5717,7 +5718,7 @@ _sess_process_packet_handle_pdu(void *se
+ * * inifinite resend
+ */
+ if (rp->retries <= sp->retries) {
+- snmp_resend_request(slp, rp, TRUE);
++ snmp_resend_request(slp, orp, rp, TRUE);
+ break;
+ } else {
+ /* We're done with retries, so no longer waiting for a response */
+@@ -6662,9 +6663,22 @@ snmp_timeout(void)
+ snmp_res_unlock(MT_LIBRARY_ID, MT_LIB_SESSION);
+ }
+
++static void
++remove_request(struct snmp_internal_session *isp,
++ netsnmp_request_list *orp, netsnmp_request_list *rp)
++{
++ if (orp)
++ orp->next_request = rp->next_request;
++ else
++ isp->requests = rp->next_request;
++ if (isp->requestsEnd == rp)
++ isp->requestsEnd = orp;
++ snmp_free_pdu(rp->pdu);
++}
++
+ static int
+-snmp_resend_request(struct session_list *slp, netsnmp_request_list *rp,
+- int incr_retries)
++snmp_resend_request(struct session_list *slp, netsnmp_request_list *orp,
++ netsnmp_request_list *rp, int incr_retries)
+ {
+ struct snmp_internal_session *isp;
+ netsnmp_session *sp;
+@@ -6731,9 +6745,11 @@ snmp_resend_request(struct session_list
+ sp->s_snmp_errno = SNMPERR_BAD_SENDTO;
+ sp->s_errno = errno;
+ snmp_set_detail(strerror(errno));
+- if (rp->callback)
++ if (rp->callback) {
+ rp->callback(NETSNMP_CALLBACK_OP_SEND_FAILED, sp,
+ rp->pdu->reqid, rp->pdu, rp->cb_data);
++ remove_request(isp, orp, rp);
++ }
+ return -1;
+ } else {
+ netsnmp_get_monotonic_clock(&now);
+@@ -6813,19 +6829,12 @@ snmp_sess_timeout(void *sessp)
+ callback(NETSNMP_CALLBACK_OP_TIMED_OUT, sp,
+ rp->pdu->reqid, rp->pdu, magic);
+ }
+- if (orp)
+- orp->next_request = rp->next_request;
+- else
+- isp->requests = rp->next_request;
+- if (isp->requestsEnd == rp)
+- isp->requestsEnd = orp;
+- snmp_free_pdu(rp->pdu);
++ remove_request(isp, orp, rp);
+ freeme = rp;
+ continue; /* don't update orp below */
+ } else {
+- if (snmp_resend_request(slp, rp, TRUE)) {
++ if (snmp_resend_request(slp, orp, rp, TRUE))
+ break;
+- }
+ }
+ }
+ orp = rp;
diff --git a/net-snmp-5.8-agentx-disconnect-crash.patch b/net-snmp-5.8-agentx-disconnect-crash.patch
new file mode 100644
index 0000000..da84313
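Review bot: On the send-failure path of `snmp_resend_request` in net-snmp-5.8-agent-of-death.patch, `remove_request()` unlinks `rp` and frees `rp->pdu`, but nothing in the visible lines frees `rp` itself or clears the now-dangling `rp->pdu`; `snmp_sess_timeout` simply `break`s on the non-zero return, whereas its timeout branch sets `freeme = rp`. The removal also sits inside `if (rp->callback) { ... }`, so a request without a callback stays queued after the same failure. Unless the callers release the node elsewhere (all three functions extend beyond the hunks), add `rp->pdu = NULL;` after `snmp_free_pdu(rp->pdu);` in `remove_request` and have the callers free `rp` when the function returns -1.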
--- /dev/null
+++ b/net-snmp-5.8-agentx-disconnect-crash.patch
@@ -0,0 +1,12 @@
+diff -urNp a/agent/mibgroup/agentx/master.c b/agent/mibgroup/agentx/master.c
+--- a/agent/mibgroup/agentx/master.c 2018-07-18 12:13:49.953014652 +0200
++++ b/agent/mibgroup/agentx/master.c 2018-07-18 12:20:23.537626773 +0200
+@@ -221,7 +221,7 @@ agentx_got_response(int operation,
+ /* response is too late, free the cache */
+ if (magic)
+ netsnmp_free_delegated_cache((netsnmp_delegated_cache*) magic);
+- return 0;
++ return 1;
+ }
+ requests = cache->requests;
+
diff --git a/net-snmp-5.8-asn-parse-nlength.patch b/net-snmp-5.8-asn-parse-nlength.patch
new file mode 100644
index 0000000..23823f5
--- /dev/null
+++ b/net-snmp-5.8-asn-parse-nlength.patch
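Review bot: The bare `return 1;` in the late-response branch of `agentx_got_response` (net-snmp-5.8-agentx-disconnect-crash.patch) gives no reason for the changed return value, and the existing comment still only says the cache is freed. Since this one digit is the whole crash fix, state the callback contract next to it, e.g. `/* non-zero: request is finished, the library must not keep it */`, with the exact wording checked against the caller in snmp_api.c, which is outside this hunk. The function starts and ends outside the hunk as well.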
@@ -0,0 +1,86 @@
+From 92f0fe9e0dc3cf7ab6e8cc94d7962df83d0ddbec Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 4 Jan 2021 12:21:59 -0800
+Subject: [PATCH] libsnmp: Fix asn_parse_nlength()
+
+Handle length zero correctly.
+
+Fixes: https://github.com/net-snmp/net-snmp/issues/253
+Fixes: a9850f4445cf ("asn parse: add NULL checks, check length lengths")
+---
+ snmplib/asn1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/snmplib/asn1.c b/snmplib/asn1.c
+index e983500e7..33c272768 100644
+--- a/snmplib/asn1.c
++++ b/snmplib/asn1.c
+@@ -345,7 +345,7 @@ asn_parse_nlength(u_char *pkt, size_t pkt_len, u_long *data_len)
+ * long length; first byte is length of length (after masking high bit)
+ */
+ len_len = (int) ((*pkt & ~0x80) + 1);
+- if ((int) pkt_len <= len_len )
++ if (pkt_len < len_len)
+ return NULL; /* still too short for length and data */
+
+ /* now we know we have enough data to parse length */
+From baef04f9c6fe0eb3ac74dd4d26a19264eeaf7fa1 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 4 Jan 2021 10:00:33 -0800
+Subject: [PATCH] testing/fulltests/unit-tests/T105trap_parse_clib: Add this
+ test
+
+Add a reproducer for the bug fixed by the previous patch.
+---
+ .../unit-tests/T105trap_parse_clib.c | 41 +++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+ create mode 100644 testing/fulltests/unit-tests/T105trap_parse_clib.c
+
+diff --git a/testing/fulltests/unit-tests/T105trap_parse_clib.c b/testing/fulltests/unit-tests/T105trap_parse_clib.c
+new file mode 100644
+index 000000000..5c21ccdc7
+--- /dev/null
++++ b/testing/fulltests/unit-tests/T105trap_parse_clib.c
+@@ -0,0 +1,41 @@
++/* HEADER Parsing of an SNMP trap with no varbinds */
++netsnmp_pdu pdu;
++int rc;
++static u_char trap_pdu[] = {
++ /* Sequence with length of 0x2d = 45 bytes. */
++ [ 0] = 0x30, [ 1] = 0x82, [ 2] = 0x00, [ 3] = 0x2d,
++ /* version = INTEGER 0 */
++ [ 4] = 0x02, [ 5] = 0x01, [ 6] = 0x00,
++ /* community = public (OCTET STRING 0x70 0x75 0x62 0x6c 0x69 0x63) */
++ [ 7] = 0x04, [ 8] = 0x06, [ 9] = 0x70, [10] = 0x75,
++ [11] = 0x62, [12] = 0x6c, [13] = 0x69, [14] = 0x63,
++ /* SNMP_MSG_TRAP; 32 bytes. */
++ [15] = 0xa4, [16] = 0x20,
++ /* enterprise = OBJECT IDENTIFIER .1.3.6.1.6.3.1.1.5 = snmpTraps */
++ [17] = 0x06, [18] = 0x08,
++ [19] = 0x2b, [20] = 0x06, [21] = 0x01, [22] = 0x06,
++ [23] = 0x03, [24] = 0x01, [25] = 0x01, [26] = 0x05,
++ /* agent-addr = ASN_IPADDRESS 192.168.1.34 */
++ [27] = 0x40, [28] = 0x04, [29] = 0xc0, [30] = 0xa8,
++ [31] = 0x01, [32] = 0x22,
++ /* generic-trap = INTEGER 0 */
++ [33] = 0x02, [34] = 0x01, [35] = 0x00,
++ /* specific-trap = INTEGER 0 */
++ [36] = 0x02, [37] = 0x01, [38] = 0x00,
++ /* ASN_TIMETICKS 0x117f243a */
++ [39] = 0x43, [40] = 0x04, [41] = 0x11, [42] = 0x7f,
++ [43] = 0x24, [44] = 0x3a,
++ /* varbind list */
++ [45] = 0x30, [46] = 0x82, [47] = 0x00, [48] = 0x00,
++};
++static size_t trap_pdu_length = sizeof(trap_pdu);
++netsnmp_session session;
++
++snmp_set_do_debugging(TRUE);
++debug_register_tokens("dumpv_recv,dumpv_send,asn,recv");
++memset(&session, 0, sizeof(session));
++snmp_sess_init(&session);
++memset(&pdu, 0, sizeof(pdu));
++rc = snmp_parse(NULL, &session, &pdu, trap_pdu, trap_pdu_length);
++
++OKF((rc == 0), ("Parsing of a trap PDU"));
+
diff --git a/net-snmp-5.8-autofs-skip.patch b/net-snmp-5.8-autofs-skip.patch
new file mode 100644
index 0000000..e6de4f3
--- /dev/null
+++ b/net-snmp-5.8-autofs-skip.patch
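Review bot: The new bounds check `if (pkt_len < len_len)` in `asn_parse_nlength` compares a `size_t` with what the preceding `(int)` cast suggests is an `int`, so it is correct only because `len_len` is always positive at this point (1 to 128 from `(*pkt & ~0x80) + 1`). Make that explicit with `if (pkt_len < (size_t) len_len)`, which keeps `-Wsign-compare` quiet and stops a later change to `len_len` from turning this check on network input into an unsigned wrap. The added T105 test asserts only `rc == 0`; also checking that the parsed PDU carries no varbinds would pin the behaviour its header comment describes. The declaration of `len_len` and the rest of the function are outside the hunk.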
@@ -0,0 +1,199 @@ +diff -urNp b/agent/mibgroup/hardware/fsys/fsys_mntctl.c net-snmp-5.8/agent/mibgroup/hardware/fsys/fsys_mntctl.c +--- b/agent/mibgroup/hardware/fsys/fsys_mntctl.c 2018-07-18 16:12:20.674499629 +0200 ++++ net-snmp-5.8/agent/mibgroup/hardware/fsys/fsys_mntctl.c 2018-07-18 16:15:46.782859398 +0200 +@@ -43,8 +43,9 @@ _fsys_type( int type) + + case MNT_NFS: + case MNT_NFS3: +- case MNT_AUTOFS: + return NETSNMP_FS_TYPE_NFS; ++ case MNT_AUTOFS: ++ return NETSNMP_FS_TYPE_AUTOFS; + + /* + * The following code covers selected filesystems +@@ -156,10 +157,12 @@ netsnmp_fsys_arch_load( void ) + + /* + * Optionally skip retrieving statistics for remote mounts ++ * AUTOFS is skipped by default + */ +- if ( (entry->flags & NETSNMP_FS_FLAG_REMOTE) && ++ if ( ((entry->flags & NETSNMP_FS_FLAG_REMOTE) && + netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, +- NETSNMP_DS_AGENT_SKIPNFSINHOSTRESOURCES)) ++ NETSNMP_DS_AGENT_SKIPNFSINHOSTRESOURCES)) || ++ entry->type == (NETSNMP_FS_TYPE_AUTOFS)) + continue; + + if ( statfs( entry->path, &stat_buf ) < 0 ) { +diff -urNp b/agent/mibgroup/hardware/fsys/fsys_mntent.c net-snmp-5.8/agent/mibgroup/hardware/fsys/fsys_mntent.c +--- b/agent/mibgroup/hardware/fsys/fsys_mntent.c 2018-07-18 16:12:20.674499629 +0200 ++++ net-snmp-5.8/agent/mibgroup/hardware/fsys/fsys_mntent.c 2018-07-18 16:15:46.782859398 +0200 +@@ -150,6 +150,13 @@ _fsys_type( char *typename ) + !strcmp(typename, MNTTYPE_LOFS)) + return NETSNMP_FS_TYPE_OTHER; + ++ /* Detection of AUTOFS. 
++ * This file system will be ignored by default ++ */ ++ else if ( !strcmp(typename, MNTTYPE_AUTOFS)) ++ return NETSNMP_FS_TYPE_AUTOFS; ++ ++ + /* + * All other types are silently skipped + */ +@@ -239,6 +246,10 @@ netsnmp_fsys_arch_load( void ) + NETSNMP_DS_AGENT_SKIPNFSINHOSTRESOURCES)) + continue; + ++ /* Skip AUTOFS enteries */ ++ if ( entry->type == (NETSNMP_FS_TYPE_AUTOFS)) ++ continue; ++ + #ifdef irix6 + if ( NSFS_STATFS( entry->path, &stat_buf, sizeof(struct statfs), 0) < 0 ) + #else +diff -urNp b/agent/mibgroup/hardware/fsys/mnttypes.h net-snmp-5.8/agent/mibgroup/hardware/fsys/mnttypes.h +--- b/agent/mibgroup/hardware/fsys/mnttypes.h 2018-07-18 16:12:20.674499629 +0200 ++++ net-snmp-5.8/agent/mibgroup/hardware/fsys/mnttypes.h 2018-07-18 16:15:46.782859398 +0200 +@@ -165,6 +165,9 @@ + #ifndef MNTTYPE_APP + #define MNTTYPE_APP "app" + #endif ++#ifndef MNTTYPE_AUTOFS ++#define MNTTYPE_AUTOFS "autofs" ++#endif + #ifndef MNTTYPE_DEVPTS + #define MNTTYPE_DEVPTS "devpts" + #endif +diff -urNp b/agent/mibgroup/host/hr_filesys.c net-snmp-5.8/agent/mibgroup/host/hr_filesys.c +--- b/agent/mibgroup/host/hr_filesys.c 2018-07-18 16:12:20.668499652 +0200 ++++ net-snmp-5.8/agent/mibgroup/host/hr_filesys.c 2018-07-18 16:15:46.783859399 +0200 +@@ -834,6 +834,27 @@ Check_HR_FileSys_NFS (void) + return 0; /* no NFS file system */ + } + ++/* This function checks whether current file system is an AutoFs ++ * HRFS_entry must be valid prior to calling this function ++ * return 1 if AutoFs, 0 otherwise ++ */ ++int ++Check_HR_FileSys_AutoFs (void) ++{ ++#if HAVE_GETFSSTAT ++ if ( HRFS_entry->HRFS_type != NULL && ++#if defined(MNTTYPE_AUTOFS) ++ !strcmp( HRFS_entry->HRFS_type, MNTTYPE_AUTOFS) ++#else ++ !strcmp( HRFS_entry->HRFS_type, "autofs") ++#endif ++ ) ++#endif /* HAVE_GETFSSTAT */ ++ return 1; /* AUTOFS */ ++ ++ return 0; /* no AUTOFS */ ++} ++ + void + End_HR_FileSys(void) + { +diff -urNp b/agent/mibgroup/host/hr_filesys.h net-snmp-5.8/agent/mibgroup/host/hr_filesys.h +--- 
b/agent/mibgroup/host/hr_filesys.h 2018-07-18 16:12:20.669499648 +0200 ++++ net-snmp-5.8/agent/mibgroup/host/hr_filesys.h 2018-07-18 16:15:46.784859400 +0200 +@@ -10,6 +10,7 @@ extern void Init_HR_FileSys(void); + extern FindVarMethod var_hrfilesys; + extern int Get_Next_HR_FileSys(void); + extern int Check_HR_FileSys_NFS(void); ++extern int Check_HR_FileSys_AutoFs(void); + + extern int Get_FSIndex(char *); + extern long Get_FSSize(char *); /* Temporary */ +diff -urNp b/agent/mibgroup/host/hrh_filesys.c net-snmp-5.8/agent/mibgroup/host/hrh_filesys.c +--- b/agent/mibgroup/host/hrh_filesys.c 2018-07-18 16:12:20.668499652 +0200 ++++ net-snmp-5.8/agent/mibgroup/host/hrh_filesys.c 2018-07-18 16:15:46.785859402 +0200 +@@ -429,3 +429,9 @@ Check_HR_FileSys_NFS (void) + { + return (HRFS_entry->flags & NETSNMP_FS_FLAG_REMOTE) ? 1 : 0; + } ++ ++int ++Check_HR_FileSys_AutoFs (void) ++{ ++ return (HRFS_entry->type == (NETSNMP_FS_TYPE_AUTOFS)) ? 1 : 0; ++} +diff -urNp b/agent/mibgroup/host/hrh_filesys.h net-snmp-5.8/agent/mibgroup/host/hrh_filesys.h +--- b/agent/mibgroup/host/hrh_filesys.h 2018-07-18 16:12:20.669499648 +0200 ++++ net-snmp-5.8/agent/mibgroup/host/hrh_filesys.h 2018-07-18 16:15:46.785859402 +0200 +@@ -10,6 +10,7 @@ extern void Init_HR_FileSys(void); + extern FindVarMethod var_hrhfilesys; + extern int Get_Next_HR_FileSys(void); + extern int Check_HR_FileSys_NFS(void); ++extern int Check_HR_FileSys_AutoFs(void); + + extern int Get_FSIndex(char *); + extern long Get_FSSize(char *); /* Temporary */ +diff -urNp b/agent/mibgroup/host/hrh_storage.c net-snmp-5.8/agent/mibgroup/host/hrh_storage.c +--- b/agent/mibgroup/host/hrh_storage.c 2018-07-18 16:12:20.668499652 +0200 ++++ net-snmp-5.8/agent/mibgroup/host/hrh_storage.c 2018-07-18 16:15:46.786859402 +0200 +@@ -367,9 +367,10 @@ really_try_next: + store_idx = name[ HRSTORE_ENTRY_NAME_LENGTH ]; + if (HRFS_entry && + store_idx > NETSNMP_MEM_TYPE_MAX && +- netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, ++ 
((netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_SKIPNFSINHOSTRESOURCES) && +- Check_HR_FileSys_NFS()) ++ Check_HR_FileSys_NFS()) || ++ Check_HR_FileSys_AutoFs())) + return NULL; + if (store_idx <= NETSNMP_MEM_TYPE_MAX ) { + mem = (netsnmp_memory_info*)ptr; +@@ -508,7 +509,8 @@ Get_Next_HR_Store(void) + if (HRS_index >= 0) { + if (!(netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_SKIPNFSINHOSTRESOURCES) && +- Check_HR_FileSys_NFS())) { ++ Check_HR_FileSys_NFS()) && ++ !Check_HR_FileSys_AutoFs()) { + return HRS_index + NETSNMP_MEM_TYPE_MAX; + } + } else { +diff -urNp b/agent/mibgroup/host/hr_storage.c net-snmp-5.8/agent/mibgroup/host/hr_storage.c +--- b/agent/mibgroup/host/hr_storage.c 2018-07-18 16:12:20.670499644 +0200 ++++ net-snmp-5.8/agent/mibgroup/host/hr_storage.c 2018-07-18 16:15:46.786859402 +0200 +@@ -540,9 +540,10 @@ really_try_next: + + store_idx = name[ HRSTORE_ENTRY_NAME_LENGTH ]; + if (store_idx > NETSNMP_MEM_TYPE_MAX ) { +- if ( netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, ++ if ( (netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_SKIPNFSINHOSTRESOURCES) && +- Check_HR_FileSys_NFS()) ++ Check_HR_FileSys_NFS()) || ++ Check_HR_FileSys_AutoFs()) + return NULL; /* or goto try_next; */ + if (HRFS_statfs(HRFS_entry->HRFS_mount, &stat_buf) < 0) { + snmp_log_perror(HRFS_entry->HRFS_mount); +@@ -683,7 +684,8 @@ Get_Next_HR_Store(void) + if (HRS_index >= 0) { + if (!(netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_SKIPNFSINHOSTRESOURCES) && +- Check_HR_FileSys_NFS())) { ++ Check_HR_FileSys_NFS()) && ++ !Check_HR_FileSys_AutoFs()) { + return HRS_index + NETSNMP_MEM_TYPE_MAX; + } + } else { +diff -urNp b/include/net-snmp/agent/hardware/fsys.h net-snmp-5.8/include/net-snmp/agent/hardware/fsys.h +--- b/include/net-snmp/agent/hardware/fsys.h 2018-07-18 16:12:20.649499726 +0200 ++++ net-snmp-5.8/include/net-snmp/agent/hardware/fsys.h 2018-07-18 16:19:33.994918912 +0200 +@@ -41,6 
+41,7 @@ typedef struct netsnmp_fsys_info_s netsn + #define NETSNMP_FS_TYPE_SYSFS (4 | _NETSNMP_FS_TYPE_LOCAL | _NETSNMP_FS_TYPE_SKIP_BIT) + #define NETSNMP_FS_TYPE_TMPFS (5 | _NETSNMP_FS_TYPE_LOCAL) + #define NETSNMP_FS_TYPE_USBFS (6 | _NETSNMP_FS_TYPE_LOCAL) ++#define NETSNMP_FS_TYPE_AUTOFS (7 | _NETSNMP_FS_TYPE_LOCAL | _NETSNMP_FS_TYPE_SKIP_BIT) + + #define NETSNMP_FS_FLAG_ACTIVE 0x01 + #define NETSNMP_FS_FLAG_REMOTE 0x02 diff --git a/net-snmp-5.8-broken-errmsg.patch b/net-snmp-5.8-broken-errmsg.patch new file mode 100644 index 0000000..24b9039 --- /dev/null +++ b/net-snmp-5.8-broken-errmsg.patch 
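Review bot: In the hr_filesys.c hunk the new Check_HR_FileSys_AutoFs() closes `#endif /* HAVE_GETFSSTAT */` before `return 1; /* AUTOFS */`, so on a build without HAVE_GETFSSTAT the whole `if` is compiled out and the function returns 1 unconditionally. The callers this patch adds in hr_storage.c would then treat every file system as autofs, returning NULL after the `store_idx` check and skipping the entry in Get_Next_HR_Store. Moving the `#endif /* HAVE_GETFSSTAT */` line below `return 1; /* AUTOFS */` keeps `return 0;` as the fallback. Which platforms build hr_filesys.c without HAVE_GETFSSTAT is not visible here.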
@@ -0,0 +1,90 @@ +diff -urNp a/agent/mibgroup/host/hrh_filesys.c b/agent/mibgroup/host/hrh_filesys.c +--- a/agent/mibgroup/host/hrh_filesys.c 2021-06-09 10:30:07.744455758 +0200 ++++ b/agent/mibgroup/host/hrh_filesys.c 2021-06-09 10:32:50.657160232 +0200 +@@ -219,6 +219,7 @@ var_hrhfilesys(struct variable *vp, + { + int fsys_idx; + static char *string; ++ static char empty_str[1]; + + fsys_idx = + header_hrhfilesys(vp, name, length, exact, var_len, write_method); +@@ -235,7 +236,7 @@ var_hrhfilesys(struct variable *vp, + *var_len = 0; + if (asprintf(&string, "%s", HRFS_entry->path) >= 0) + *var_len = strlen(string); +- return (u_char *) string; ++ return (u_char *)(string ? string : empty_str); + case HRFSYS_RMOUNT: + free(string); + if (HRFS_entry->flags & NETSNMP_FS_FLAG_REMOTE) { +@@ -245,7 +246,7 @@ var_hrhfilesys(struct variable *vp, + string = strdup(""); + } + *var_len = string ? strlen(string) : 0; +- return (u_char *) string; ++ return (u_char *)(string ? string : empty_str); + + case HRFSYS_TYPE: + fsys_type_id[fsys_type_len - 1] = +diff -urNp a/agent/mibgroup/ucd-snmp/disk.c b/agent/mibgroup/ucd-snmp/disk.c +--- a/agent/mibgroup/ucd-snmp/disk.c 2021-06-09 10:30:07.728455689 +0200 ++++ b/agent/mibgroup/ucd-snmp/disk.c 2021-06-09 10:34:32.722597366 +0200 +@@ -842,6 +842,7 @@ var_extensible_disk(struct variable *vp, + struct dsk_entry entry; + static long long_ret; + static char *errmsg; ++ static char empty_str[1]; + + int i; + for (i = 0; i < numdisks; i++){ +@@ -950,7 +951,7 @@ tryAgain: + *var_len = strlen(errmsg); + } + } +- return (u_char *) (errmsg); ++ return (u_char *)(errmsg ? 
errmsg : empty_str); + } + return NULL; + } +diff -urNp a/agent/mibgroup/ucd-snmp/disk_hw.c b/agent/mibgroup/ucd-snmp/disk_hw.c +--- a/agent/mibgroup/ucd-snmp/disk_hw.c 2021-06-09 10:30:07.727455684 +0200 ++++ b/agent/mibgroup/ucd-snmp/disk_hw.c 2021-06-09 10:35:53.420943010 +0200 +@@ -314,6 +314,7 @@ var_extensible_disk(struct variable *vp, + unsigned long long val; + static long long_ret; + static char *errmsg; ++ static char empty_str[1]; + netsnmp_cache *cache; + + /* Update the fsys H/W module */ +@@ -432,7 +433,7 @@ tryAgain: + >= 0)) { + *var_len = strlen(errmsg); + } +- return (u_char *) errmsg; ++ return (u_char *)(errmsg ? errmsg : empty_str); + } + return NULL; + } +diff -urNp a/agent/mibgroup/ucd-snmp/proc.c b/agent/mibgroup/ucd-snmp/proc.c +--- a/agent/mibgroup/ucd-snmp/proc.c 2021-06-09 10:30:07.725455676 +0200 ++++ b/agent/mibgroup/ucd-snmp/proc.c 2021-06-09 10:37:31.143361548 +0200 +@@ -267,7 +267,7 @@ var_extensible_proc(struct variable *vp, + struct myproc *proc; + static long long_ret; + static char *errmsg; +- ++ static char empty_str[1]; + + if (header_simple_table + (vp, name, length, exact, var_len, write_method, numprocs)) +@@ -330,7 +330,7 @@ var_extensible_proc(struct variable *vp, + } + } + *var_len = errmsg ? strlen(errmsg) : 0; +- return ((u_char *) errmsg); ++ return (u_char *)(errmsg ? errmsg : empty_str); + case ERRORFIX: + *write_method = fixProcError; + long_return = fixproc.result; diff --git a/net-snmp-5.8-bulk.patch b/net-snmp-5.8-bulk.patch new file mode 100644 index 0000000..6e0a563 --- /dev/null +++ b/net-snmp-5.8-bulk.patch 
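Review bot: The `string ? string : empty_str` fallback in var_hrhfilesys() only helps when `string` is NULL, but the case that formats `HRFS_entry->path` never resets `string` when asprintf() fails. glibc documents the pointer as undefined after a failed asprintf(), and if it was freed just before (as the HRFSYS_RMOUNT case does with `free(string)`), a stale non-NULL value would be returned and freed again on the next request. Resetting it on failure closes that: `if (asprintf(&string, "%s", HRFS_entry->path) >= 0) *var_len = strlen(string); else string = NULL;`. The same probably applies to `errmsg` in the disk.c and disk_hw.c hunks, where the formatting call is only partly visible. The enclosing functions start and end outside the hunks.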
@@ -0,0 +1,51 @@ +diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c +--- a/snmplib/snmp_api.c 2020-09-29 14:08:09.821479662 +0200 ++++ b/snmplib/snmp_api.c 2020-10-01 10:15:46.607374362 +0200 +@@ -769,7 +769,7 @@ snmp_sess_init(netsnmp_session * session + session->retries = SNMP_DEFAULT_RETRIES; + session->version = SNMP_DEFAULT_VERSION; + session->securityModel = SNMP_DEFAULT_SECMODEL; +- session->rcvMsgMaxSize = SNMP_MAX_MSG_SIZE; ++ session->rcvMsgMaxSize = netsnmp_max_send_msg_size(); + session->sndMsgMaxSize = netsnmp_max_send_msg_size(); + session->flags |= SNMP_FLAGS_DONT_PROBE; + } +@@ -2731,7 +2731,7 @@ snmpv3_packet_build(netsnmp_session * se + /* + * build a scopedPDU structure into spdu_buf + */ +- spdu_buf_len = SNMP_MAX_MSG_SIZE; ++ spdu_buf_len = sizeof(spdu_buf); + DEBUGDUMPSECTION("send", "ScopedPdu"); + cp = snmpv3_scopedPDU_header_build(pdu, spdu_buf, &spdu_buf_len, + &spdu_hdr_e); +@@ -2743,6 +2743,11 @@ snmpv3_packet_build(netsnmp_session * se + */ + DEBUGPRINTPDUTYPE("send", ((pdu_data) ? 
*pdu_data : 0x00)); + if (pdu_data) { ++ if (cp + pdu_data_len > spdu_buf + sizeof(spdu_buf)) { ++ snmp_log(LOG_ERR, "%s: PDU too big (%" NETSNMP_PRIz "d > %" NETSNMP_PRIz "d)\n", ++ __func__, pdu_data_len, sizeof(spdu_buf)); ++ return -1; ++ } + memcpy(cp, pdu_data, pdu_data_len); + cp += pdu_data_len; + } else { +@@ -2756,7 +2761,7 @@ snmpv3_packet_build(netsnmp_session * se + * re-encode the actual ASN.1 length of the scopedPdu + */ + spdu_len = cp - spdu_hdr_e; /* length of scopedPdu minus ASN.1 headers */ +- spdu_buf_len = SNMP_MAX_MSG_SIZE; ++ spdu_buf_len = sizeof(spdu_buf); + if (asn_build_sequence(spdu_buf, &spdu_buf_len, + (u_char) (ASN_SEQUENCE | ASN_CONSTRUCTOR), + spdu_len) == NULL) +@@ -2769,7 +2774,7 @@ snmpv3_packet_build(netsnmp_session * se + * message - the entire message to transmitted on the wire is returned + */ + cp = NULL; +- *out_length = SNMP_MAX_MSG_SIZE; ++ *out_length = sizeof(spdu_buf); + DEBUGDUMPSECTION("send", "SM msgSecurityParameters"); + sptr = find_sec_mod(pdu->securityModel); + if (sptr && sptr->encode_forward) { diff --git a/net-snmp-5.8-certs.patch b/net-snmp-5.8-certs.patch new file mode 100644 index 0000000..c4f8393 --- /dev/null +++ b/net-snmp-5.8-certs.patch @@ -0,0 +1,12 @@ +diff -urNp a/local/net-snmp-cert b/local/net-snmp-cert +--- a/local/net-snmp-cert 2021-10-11 09:08:53.451970484 +0200 ++++ b/local/net-snmp-cert 2021-10-11 09:11:36.765386413 +0200 +@@ -1002,7 +1002,7 @@ sub make_openssl_conf { + rdir = . + dir = $ENV::DIR + RANDFILE = $rdir/.rand +-MD = sha1 ++MD = sha512 + KSIZE = 2048 + CN = net-snmp.org + EMAIL = admin@net-snmp.org diff --git a/net-snmp-5.8-cflags.patch b/net-snmp-5.8-cflags.patch new file mode 100644 index 0000000..1809726 --- /dev/null +++ b/net-snmp-5.8-cflags.patch 
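Review bot: The new bound in snmpv3_packet_build(), `if (cp + pdu_data_len > spdu_buf + sizeof(spdu_buf))`, forms `cp + pdu_data_len` before it is known to stay inside the buffer; for a large `pdu_data_len` that pointer arithmetic is undefined and may wrap, in which case the memcpy() below would still run. Comparing lengths avoids the problem: `if (pdu_data_len > (size_t)(spdu_buf + sizeof(spdu_buf) - cp))`. The log call prints two size_t values with `NETSNMP_PRIz "d"`; `NETSNMP_PRIz "u"` matches the unsigned type. The function body continues outside the hunk.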
@@ -0,0 +1,112 @@ +diff -urNp a/net-snmp-config.in b/net-snmp-config.in +--- a/net-snmp-config.in 2018-07-18 13:43:12.264426052 +0200 ++++ b/net-snmp-config.in 2018-07-18 13:52:06.917089518 +0200 +@@ -140,10 +140,10 @@ else + ;; + #################################################### compile + --base-cflags) +- echo @CFLAGS@ @CPPFLAGS@ -I${NSC_INCLUDEDIR} ++ echo -I${NSC_INCLUDEDIR} + ;; + --cflags|--cf*) +- echo @CFLAGS@ @DEVFLAGS@ @CPPFLAGS@ -I. -I${NSC_INCLUDEDIR} ++ echo @DEVFLAGS@ -I. -I${NSC_INCLUDEDIR} + ;; + --srcdir) + echo $NSC_SRCDIR +diff -urNp a/perl/agent/default_store/Makefile.PL b/perl/agent/default_store/Makefile.PL +--- a/perl/agent/default_store/Makefile.PL 2018-07-18 13:43:12.170426290 +0200 ++++ b/perl/agent/default_store/Makefile.PL 2018-07-18 13:51:31.812176486 +0200 +@@ -83,7 +83,7 @@ sub AgentDefaultStoreInitMakeParams { + " " . $Params{'LIBS'}; + $Params{'CCFLAGS'} = "-I../../../include " . $Params{'CCFLAGS'}; + } +- $Params{'CCFLAGS'} =~ s/ -W(all|inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings ++ $Params{'CCFLAGS'} =~ s/ -W(inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings + $Params{'CCFLAGS'} .= ' -Wformat'; + if ($Params{'LIBS'} eq "" || $Params{'CCFLAGS'} eq "") { + die "You need to install net-snmp first (I can't find net-snmp-config)"; +diff -urNp a/perl/agent/Makefile.PL b/perl/agent/Makefile.PL +--- a/perl/agent/Makefile.PL 2018-07-18 13:43:12.169426292 +0200 ++++ b/perl/agent/Makefile.PL 2018-07-18 13:52:53.884973275 +0200 +@@ -98,7 +98,7 @@ sub AgentInitMakeParams { + $Params{'LIBS'} = `$opts->{'nsconfig'} --libdir` . 
$Params{'LIBS'}; + # $Params{'PREREQ_PM'} = {'NetSNMP::OID' => '0.1'}; + } +- $Params{'CCFLAGS'} =~ s/ -W(all|inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings ++ $Params{'CCFLAGS'} =~ s/ -W(inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings + $Params{'CCFLAGS'} .= ' -Wformat'; + if ($Params{'LIBS'} eq "" || $Params{'CCFLAGS'} eq "") { + die "You need to install net-snmp first (I can't find net-snmp-config)"; +diff -urNp a/perl/agent/Support/Makefile.PL b/perl/agent/Support/Makefile.PL +--- a/perl/agent/Support/Makefile.PL 2018-07-18 13:43:12.169426292 +0200 ++++ b/perl/agent/Support/Makefile.PL 2018-07-18 13:53:11.414929921 +0200 +@@ -90,7 +90,7 @@ sub SupportInitMakeParams { + " " . $Params{'LIBS'}; + $Params{'CCFLAGS'} = "-I../../include " . $Params{'CCFLAGS'}; + } +- $Params{'CCFLAGS'} =~ s/ -W(all|inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings ++ $Params{'CCFLAGS'} =~ s/ -W(inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings + $Params{'CCFLAGS'} .= ' -Wformat'; + if ($Params{'LIBS'} eq "" || $Params{'CCFLAGS'} eq "") { + die "You need to install net-snmp first (I can't find net-snmp-config)"; +diff -urNp a/perl/ASN/Makefile.PL b/perl/ASN/Makefile.PL +--- a/perl/ASN/Makefile.PL 2018-07-18 13:43:12.171426287 +0200 ++++ b/perl/ASN/Makefile.PL 2018-07-18 13:53:46.652842822 +0200 +@@ -93,7 +93,7 @@ sub AsnInitMakeParams { + " " . $Params{'LIBS'}; + $Params{'CCFLAGS'} = "-I../../include " . 
$Params{'CCFLAGS'}; + } +- $Params{'CCFLAGS'} =~ s/ -W(all|inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings ++ $Params{'CCFLAGS'} =~ s/ -W(inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings + $Params{'CCFLAGS'} .= ' -Wformat'; + if ($Params{'LIBS'} eq "" || $Params{'CCFLAGS'} eq "") { + die "You need to install net-snmp first (I can't find net-snmp-config)"; +diff -urNp a/perl/default_store/Makefile.PL b/perl/default_store/Makefile.PL +--- a/perl/default_store/Makefile.PL 2018-07-18 13:43:12.175426277 +0200 ++++ b/perl/default_store/Makefile.PL 2018-07-18 13:54:20.814758441 +0200 +@@ -83,7 +83,7 @@ sub DefaultStoreInitMakeParams { + " " . $Params{'LIBS'}; + $Params{'CCFLAGS'} = "-I../../include " . $Params{'CCFLAGS'}; + } +- $Params{'CCFLAGS'} =~ s/ -W(all|inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings ++ $Params{'CCFLAGS'} =~ s/ -W(inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings + $Params{'CCFLAGS'} .= ' -Wformat'; + if ($Params{'LIBS'} eq "" || $Params{'CCFLAGS'} eq "") { + die "You need to install net-snmp first (I can't find net-snmp-config)"; +diff -urNp a/perl/OID/Makefile.PL b/perl/OID/Makefile.PL +--- a/perl/OID/Makefile.PL 2018-07-18 13:43:12.175426277 +0200 ++++ b/perl/OID/Makefile.PL 2018-07-18 13:54:43.348702811 +0200 +@@ -90,7 +90,7 @@ sub OidInitMakeParams { + # } else { + # $Params{'PREREQ_PM'} = {'SNMP' => '5.0'}; + } +- $Params{'CCFLAGS'} =~ s/ -W(all|inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings ++ $Params{'CCFLAGS'} =~ s/ -W(inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings + $Params{'CCFLAGS'} .= ' -Wformat'; + if ($Params{'LIBS'} eq "" || $Params{'CCFLAGS'} eq "") { + die "You need to install net-snmp first (I can't find 
net-snmp-config)"; +diff -urNp a/perl/SNMP/Makefile.PL b/perl/SNMP/Makefile.PL +--- a/perl/SNMP/Makefile.PL 2018-07-18 13:43:12.173426282 +0200 ++++ b/perl/SNMP/Makefile.PL 2018-07-18 13:55:07.220643903 +0200 +@@ -103,7 +103,7 @@ sub SnmpInitMakeParams { + # } else { + # $Params{'PREREQ_PM'} = { 'NetSNMP::default_store' => 0.01 }; + } +- $Params{'CCFLAGS'} =~ s/ -W(all|inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings ++ $Params{'CCFLAGS'} =~ s/ -W(inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings + $Params{'CCFLAGS'} .= ' -Wformat'; + if (!$ENV{'NETSNMP_PREFIX'}) { + $prefix = `$opts->{'nsconfig'} --prefix`; +diff -urNp a/perl/TrapReceiver/Makefile.PL b/perl/TrapReceiver/Makefile.PL +--- a/perl/TrapReceiver/Makefile.PL 2018-07-18 13:43:12.172426285 +0200 ++++ b/perl/TrapReceiver/Makefile.PL 2018-07-18 13:55:43.100647233 +0200 +@@ -132,7 +132,7 @@ sub TrapReceiverInitMakeParams { + $Params{'LIBS'} = `$opts->{'nsconfig'} --libdir` . " $Params{'LIBS'}"; + } + +- $Params{'CCFLAGS'} =~ s/ -W(all|inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings ++ $Params{'CCFLAGS'} =~ s/ -W(inline|strict-prototypes|write-strings|cast-qual|no-char-subscripts)//g; # ignore developer warnings + $Params{'CCFLAGS'} .= ' -Wformat'; + if ($Params{'CCFLAGS'} eq "") { + die "You need to install net-snmp first (I can't find net-snmp-config)"; diff --git a/net-snmp-5.8-clientaddr-error-message.patch b/net-snmp-5.8-clientaddr-error-message.patch new file mode 100644 index 0000000..c423f21 --- /dev/null +++ b/net-snmp-5.8-clientaddr-error-message.patch 
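Review bot: In the Makefile.PL hunks the edited substitution is immediately followed by `$Params{'CCFLAGS'} .= ' -Wformat';`, so the `$Params{'CCFLAGS'} eq ""` test on the next line can never be true; in TrapReceiver/Makefile.PL it is the only condition shown in front of the "You need to install net-snmp first" die. This predates the patch, but since `net-snmp-config --cflags` now emits fewer flags it is worth testing the value before appending, or at least marking it with `# NOTE: CCFLAGS is never empty here because ' -Wformat' was just appended`. The identical regex is edited by hand in eight files, which invites the lists drifting apart. The enclosing subs start outside the hunks.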
@@ -0,0 +1,35 @@
+diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+--- a/snmplib/snmp_api.c 2020-11-26 11:05:51.084788775 +0100
++++ b/snmplib/snmp_api.c 2020-11-26 11:08:27.850751397 +0100
+@@ -235,7 +235,7 @@ static const char *api_errors[-SNMPERR_M
+ "No error", /* SNMPERR_SUCCESS */
+ "Generic error", /* SNMPERR_GENERR */
+ "Invalid local port", /* SNMPERR_BAD_LOCPORT */
+- "Unknown host", /* SNMPERR_BAD_ADDRESS */
++ "Invalid address", /* SNMPERR_BAD_ADDRESS */
+ "Unknown session", /* SNMPERR_BAD_SESSION */
+ "Too long", /* SNMPERR_TOO_LONG */
+ "No socket", /* SNMPERR_NO_SOCKET */
+@@ -1662,7 +1662,9 @@ _sess_open(netsnmp_session * in_session)
+ DEBUGMSGTL(("_sess_open", "couldn't interpret peername\n"));
+ in_session->s_snmp_errno = SNMPERR_BAD_ADDRESS;
+ in_session->s_errno = errno;
+- snmp_set_detail(in_session->peername);
++ if (!netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
++ NETSNMP_DS_LIB_CLIENT_ADDR))
++ snmp_set_detail(in_session->peername);
+ return NULL;
+ }
+
+diff -ruNp a/snmplib/transports/snmpUDPIPv4BaseDomain.c b/snmplib/transports/snmpUDPIPv4BaseDomain.c
+--- a/snmplib/transports/snmpUDPIPv4BaseDomain.c 2021-01-06 12:51:51.948106797 +0100
++++ b/snmplib/transports/snmpUDPIPv4BaseDomain.c 2021-01-06 14:17:31.029745744 +0100
+@@ -209,6 +209,8 @@ netsnmp_udpipv4base_transport_bind(netsn
+ DEBUGMSGTL(("netsnmp_udpbase",
+ "failed to bind for clientaddr: %d %s\n",
+ errno, strerror(errno)));
++ NETSNMP_LOGONCE((LOG_ERR, "Cannot bind for clientaddr: %s\n",
++ strerror(errno)));
+ netsnmp_socketbase_close(t);
+ return 1;
+ }
diff --git a/net-snmp-5.8-coverity.patch b/net-snmp-5.8-coverity.patch
new file mode 100644
index 0000000..4d41b31
--- /dev/null
+++ b/net-snmp-5.8-coverity.patch
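Review bot: The added `NETSNMP_LOGONCE` in netsnmp_udpipv4base_transport_bind() reads `errno` after the preceding DEBUGMSGTL call, which may itself do I/O when debugging is enabled and is not guaranteed to leave `errno` untouched, so the logged reason can differ from the actual bind failure. Capturing it first with `int err = errno;` and passing `strerror(err)` to both calls keeps them consistent. The message also omits the address that failed to bind, and if the macro logs once per call site, as its name suggests, a later failure for a different clientaddr would stay silent. The function continues outside the hunk.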
@@ -0,0 +1,68 @@ +diff -urNp a/agent/mibgroup/disman/event/mteTrigger.c b/agent/mibgroup/disman/event/mteTrigger.c +--- a/agent/mibgroup/disman/event/mteTrigger.c 2018-09-27 10:43:38.722444233 +0200 ++++ b/agent/mibgroup/disman/event/mteTrigger.c 2018-09-27 11:01:46.503253963 +0200 +@@ -1012,7 +1012,7 @@ mteTrigger_run( unsigned int reg, void * + * Similarly, if no fallEvent is configured, + * there's no point in trying to fire it either. + */ +- if (entry->mteTThRiseEvent[0] != '\0' ) { ++ if (entry->mteTThFallEvent[0] != '\0' ) { + entry->mteTriggerXOwner = entry->mteTThObjOwner; + entry->mteTriggerXObjects = entry->mteTThObjects; + entry->mteTriggerFired = vp1; +@@ -1105,7 +1105,7 @@ mteTrigger_run( unsigned int reg, void * + * Similarly, if no fallEvent is configured, + * there's no point in trying to fire it either. + */ +- if (entry->mteTThDRiseEvent[0] != '\0' ) { ++ if (entry->mteTThDFallEvent[0] != '\0' ) { + entry->mteTriggerXOwner = entry->mteTThObjOwner; + entry->mteTriggerXObjects = entry->mteTThObjects; + entry->mteTriggerFired = vp1; +diff -urNp a/agent/mibgroup/hardware/cpu/cpu_linux.c b/agent/mibgroup/hardware/cpu/cpu_linux.c +--- a/agent/mibgroup/hardware/cpu/cpu_linux.c 2018-09-27 10:43:38.697444449 +0200 ++++ b/agent/mibgroup/hardware/cpu/cpu_linux.c 2018-09-27 11:12:07.109024625 +0200 +@@ -122,6 +122,7 @@ int netsnmp_cpu_arch_load( netsnmp_cache + bsize = getpagesize()-1; + buff = (char*)malloc(bsize+1); + if (buff == NULL) { ++ close(statfd); + return -1; + } + } +diff -urNp a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c +--- a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c 2018-09-27 10:43:38.711444328 +0200 ++++ b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c 2018-09-27 11:16:45.532231535 +0200 +@@ -543,15 +543,18 @@ netsnmp_access_ipaddress_extra_prefix_in + status = send (sd, &req, req.nlhdr.nlmsg_len, 0); + if (status < 0) { + snmp_log(LOG_ERR, "could not send netlink 
request\n"); ++ close(sd); + return -1; + } + status = recv (sd, buf, sizeof(buf), 0); + if (status < 0) { + snmp_log (LOG_ERR, "could not recieve netlink request\n"); ++ close(sd); + return -1; + } + if (status == 0) { + snmp_log (LOG_ERR, "nothing to read\n"); ++ close(sd); + return -1; + } + for (nlmp = (struct nlmsghdr *)buf; status > sizeof(*nlmp); ){ +@@ -561,11 +564,13 @@ netsnmp_access_ipaddress_extra_prefix_in + + if (req_len < 0 || len > status) { + snmp_log (LOG_ERR, "invalid netlink message\n"); ++ close(sd); + return -1; + } + + if (!NLMSG_OK (nlmp, status)) { + snmp_log (LOG_ERR, "invalid NLMSG message\n"); ++ close(sd); + return -1; + } + rtmp = (struct ifaddrmsg *)NLMSG_DATA(nlmp); diff --git a/net-snmp-5.8-deleted-iface.patch b/net-snmp-5.8-deleted-iface.patch new file mode 100644 index 0000000..166bf66 --- /dev/null +++ b/net-snmp-5.8-deleted-iface.patch 
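Review bot: The ipaddress_linux.c hunks put `close(sd);` in front of five separate `return -1;` statements, which fixes the paths shown but leaves the descriptor's lifetime dependent on every future early return remembering it. A single exit label (`goto out;` with `close(sd); return rc;` at the end) would make the cleanup structural; the function continues past the hunk, so any later returns inside the netlink loop cannot be checked from here. In the same loop `status > sizeof(*nlmp)` compares the signed recv() result with a size_t, which is only correct because the negative and zero cases were rejected above; a one-line comment saying so would help the next reader.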
@@ -0,0 +1,41 @@
+diff -up net-snmp-5.8/agent/mibgroup/if-mib/data_access/interface_linux.c.original net-snmp-5.8/agent/mibgroup/if-mib/data_access/interface_linux.c
+--- net-snmp-5.8/agent/mibgroup/if-mib/data_access/interface_linux.c.original 2022-02-02 15:06:29.382119898 +0900
++++ net-snmp-5.8/agent/mibgroup/if-mib/data_access/interface_linux.c 2022-02-02 15:15:39.298280447 +0900
+@@ -600,7 +600,6 @@ netsnmp_arch_interface_container_load(ne
+ {
+ FILE *devin;
+ char line[256];
+- netsnmp_interface_entry *entry = NULL;
+ static char scan_expected = 0;
+ int fd;
+ #ifdef NETSNMP_ENABLE_IPV6
+@@ -669,6 +668,7 @@ netsnmp_arch_interface_container_load(ne
+ * and retrieve (or create) the corresponding data structure.
+ */
+ while (fgets(line, sizeof(line), devin)) {
++ netsnmp_interface_entry *entry = NULL;
+ char *stats, *ifstart = line;
+ u_int flags;
+ oid if_index;
+@@ -701,6 +701,11 @@ netsnmp_arch_interface_container_load(ne
+ *stats++ = 0; /* null terminate name */
+
+ if_index = netsnmp_arch_interface_index_find(ifstart);
++ if (if_index == 0) {
++ DEBUGMSGTL(("access:interface", "network interface %s is gone",
++ ifstart));
++ continue;
++ }
+
+ /*
+ * set address type flags.
+@@ -726,7 +731,7 @@ netsnmp_arch_interface_container_load(ne
+ continue;
+ }
+
+- entry = netsnmp_access_interface_entry_create(ifstart, 0);
++ entry = netsnmp_access_interface_entry_create(ifstart, if_index);
+ if(NULL == entry) {
+ #ifdef NETSNMP_ENABLE_IPV6
+ netsnmp_access_ipaddress_container_free(addr_container, 0);
+
diff --git a/net-snmp-5.8-digest-from-ECC.patch b/net-snmp-5.8-digest-from-ECC.patch
new file mode 100644
index 0000000..dab54de
--- /dev/null
+++ b/net-snmp-5.8-digest-from-ECC.patch
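Review bot: The debug string added in the `if_index == 0` branch, `"network interface %s is gone"`, has no trailing newline, unlike the other DEBUGMSGTL strings in this series, so the next debug record would run onto the same line; it should read `"network interface %s is gone\n"`. The branch would also benefit from a comment stating the assumption behind it, e.g. `/* index 0: presumably the interface vanished between reading the line and the lookup */`, since the meaning of a zero return from netsnmp_arch_interface_index_find() is not shown in the hunk. The function starts and ends outside the hunks.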
@@ -0,0 +1,98 @@ +From a1968db524e087a36a19a351b89bf6f1633819aa Mon Sep 17 00:00:00 2001 +From: minfrin +Date: Tue, 5 Jan 2021 23:17:14 +0000 +Subject: [PATCH] Add support for digests detected from ECC certificates + +Previously, the digest could be detected on RSA certificates only. This +patch adds detection for ECC certificates. + +[ bvanassche: changed _htmap2 into a two-dimensional array and renamed _htmap2 + back to _htmap ] +--- + snmplib/snmp_openssl.c | 60 +++++++++++++++++++++++++++++++++++------- + 1 file changed, 50 insertions(+), 10 deletions(-) + +diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c +index c092a007af..432cb5c27c 100644 +--- a/snmplib/snmp_openssl.c ++++ b/snmplib/snmp_openssl.c +@@ -521,18 +521,54 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert) + } + } + +-static int _htmap[NS_HASH_MAX + 1] = { +- 0, NID_md5WithRSAEncryption, NID_sha1WithRSAEncryption, +- NID_sha224WithRSAEncryption, NID_sha256WithRSAEncryption, +- NID_sha384WithRSAEncryption, NID_sha512WithRSAEncryption }; ++static const struct { ++ uint16_t nid; ++ uint16_t ht; ++} _htmap[] = { ++ { 0, NS_HASH_NONE }, ++#ifdef NID_md5WithRSAEncryption ++ { NID_md5WithRSAEncryption, NS_HASH_MD5 }, ++#endif ++#ifdef NID_sha1WithRSAEncryption ++ { NID_sha1WithRSAEncryption, NS_HASH_SHA1 }, ++#endif ++#ifdef NID_ecdsa_with_SHA1 ++ { NID_ecdsa_with_SHA1, NS_HASH_SHA1 }, ++#endif ++#ifdef NID_sha224WithRSAEncryption ++ { NID_sha224WithRSAEncryption, NS_HASH_SHA224 }, ++#endif ++#ifdef NID_ecdsa_with_SHA224 ++ { NID_ecdsa_with_SHA224, NS_HASH_SHA224 }, ++#endif ++#ifdef NID_sha256WithRSAEncryption ++ { NID_sha256WithRSAEncryption, NS_HASH_SHA256 }, ++#endif ++#ifdef NID_ecdsa_with_SHA256 ++ { NID_ecdsa_with_SHA256, NS_HASH_SHA256 }, ++#endif ++#ifdef NID_sha384WithRSAEncryption ++ { NID_sha384WithRSAEncryption, NS_HASH_SHA384 }, ++#endif ++#ifdef NID_ecdsa_with_SHA384 ++ { NID_ecdsa_with_SHA384, NS_HASH_SHA384 }, ++#endif ++#ifdef NID_sha512WithRSAEncryption ++ { 
NID_sha512WithRSAEncryption, NS_HASH_SHA512 }, ++#endif ++#ifdef NID_ecdsa_with_SHA512 ++ { NID_ecdsa_with_SHA512, NS_HASH_SHA512 }, ++#endif ++}; + + int + _nid2ht(int nid) + { + int i; +- for (i=1; i<= NS_HASH_MAX; ++i) { +- if (nid == _htmap[i]) +- return i; ++ ++ for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) { ++ if (_htmap[i].nid == nid) ++ return _htmap[i].ht; + } + return 0; + } +@@ -541,9 +577,13 @@ _nid2ht(int nid) + int + _ht2nid(int ht) + { +- if ((ht < 0) || (ht > NS_HASH_MAX)) +- return 0; +- return _htmap[ht]; ++ int i; ++ ++ for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) { ++ if (_htmap[i].ht == ht) ++ return _htmap[i].nid; ++ } ++ return 0; + } + #endif /* NETSNMP_FEATURE_REMOVE_OPENSSL_HT2NID */ + + diff --git a/net-snmp-5.8-dir-fix.patch b/net-snmp-5.8-dir-fix.patch new file mode 100644 index 0000000..2c47d52 --- /dev/null +++ b/net-snmp-5.8-dir-fix.patch @@ -0,0 +1,12 @@ +diff -urNp a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in +--- a/net-snmp-create-v3-user.in 2018-07-18 11:11:53.227015237 +0200 ++++ b/net-snmp-create-v3-user.in 2018-07-18 11:12:13.375010176 +0200 +@@ -137,7 +137,7 @@ fi + echo $line >> $outfile + prefix="@prefix@" + datarootdir="@datarootdir@" +-outfile="@datadir@/snmp/snmpd.conf" ++outfile="/etc/snmp/snmpd.conf" + line="$token $user" + echo "adding the following line to $outfile:" + echo " " $line diff --git a/net-snmp-5.8-double-IP-parsing.patch b/net-snmp-5.8-double-IP-parsing.patch new file mode 100644 index 0000000..333e301 --- /dev/null +++ b/net-snmp-5.8-double-IP-parsing.patch 
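Review bot: With RSA and ECDSA entries sharing a hash type, `_ht2nid()` is no longer the inverse of `_nid2ht()`: it returns the first table entry whose `ht` matches, which is the RSA signature NID whenever both are compiled in. Callers are outside the hunk, so whether any of them uses the result for an ECC key cannot be seen; the ordering dependency should at least be written down above the table, e.g. `/* Order matters: _ht2nid() returns the first match, i.e. the RSA NID. */`. Both loops compare `int i` against `sizeof(_htmap) / sizeof(_htmap[0])`, which `size_t i` would avoid. The `uint16_t nid` field would silently truncate a NID above 65535.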
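Review bot: The replacement `outfile="/etc/snmp/snmpd.conf"` hard-codes the path in a `.in` template whose neighbouring lines use configure substitutions (`@prefix@`, `@datarootdir@`), so a build configured with a different sysconfdir would append the user line to a file the daemon may not read. `outfile="@sysconfdir@/snmp/snmpd.conf"` expresses the same intent, assuming configure substitutes `@sysconfdir@` in this script as it does the other variables.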
@@ -0,0 +1,48 @@
+From 1bb941d6fcd7ac2db5a54b95ee0ed07ec9861e70 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Josef=20=C5=98=C3=ADdk=C3=BD?=
+Date: Fri, 12 Mar 2021 10:15:30 +0100
+Subject: [PATCH] Prevent parsing IP address twice (#199)
+
+This fixes issue, that is caused by parsing IP address twice.
+First as IPv4 and as IPv6 at second, even thow the address was
+properly parsed as a valid IPv4 address.
+---
+ snmplib/transports/snmpUDPDomain.c | 2 +-
+ snmplib/transports/snmpUDPIPv6Domain.c | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/snmplib/transports/snmpUDPDomain.c b/snmplib/transports/snmpUDPDomain.c
+index b96497f3a3..b594a389b9 100644
+--- a/snmplib/transports/snmpUDPDomain.c
++++ b/snmplib/transports/snmpUDPDomain.c
+@@ -387,7 +387,7 @@ netsnmp_udp_parse_security(const char *token, char *param)
+ /* Nope, wasn't a dotted quad. Must be a hostname. */
+ int ret = netsnmp_gethostbyname_v4(sourcep, &network.s_addr);
+ if (ret < 0) {
+- config_perror("cannot resolve source hostname");
++ config_perror("cannot resolve IPv4 source hostname");
+ return;
+ }
+ }
+diff --git a/snmplib/transports/snmpUDPIPv6Domain.c b/snmplib/transports/snmpUDPIPv6Domain.c
+index 238c8a9d63..7db19c5c02 100644
+--- a/snmplib/transports/snmpUDPIPv6Domain.c
++++ b/snmplib/transports/snmpUDPIPv6Domain.c
+@@ -736,7 +736,15 @@ netsnmp_udp6_parse_security(const char *token, char *param)
+ memset(&pton_addr.sin6_addr.s6_addr, '\0',
+ sizeof(struct in6_addr));
+ } else if (inet_pton(AF_INET6, sourcep, &pton_addr.sin6_addr) != 1) {
+- /* Nope, wasn't a numeric address. Must be a hostname. */
++ /* Nope, wasn't a numeric IPv6 address. Must be IPv4 or a hostname. */
++
++ /* Try interpreting as dotted quad - IPv4 */
++ struct in_addr network;
++ if (inet_pton(AF_INET, sourcep, &network) > 0){
++ /* Yes, it's IPv4 - so it's already parsed and we can return. */
++ DEBUGMSGTL(("com2sec6", "IPv4 detected for IPv6 parser. Skipping.\n"));
++ return;
++ }
+ #if HAVE_GETADDRINFO
+ int gai_error;
+
+
diff --git a/net-snmp-5.8-dskTable-dynamic.patch b/net-snmp-5.8-dskTable-dynamic.patch
new file mode 100644
index 0000000..3ecbe64
--- /dev/null
+++ b/net-snmp-5.8-dskTable-dynamic.patch
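Review bot: In net-snmp-5.8-double-IP-parsing.patch, the new IPv4 branch of `netsnmp_udp6_parse_security()` drops the directive with nothing but a `DEBUGMSGTL`, so in a normal run no log line records that a source was skipped. The comment "it's already parsed" presumably relies on the IPv4 parser having handled the same configuration line, which the hunk does not show. If a line only ever reaches this parser, the outcome is a silently missing access-control entry. The comment should name the handler that is expected to have created the entry, for example `/* IPv4 literal: expected to be handled by netsnmp_udp_parse_security(), nothing to add here */`. The function body continues outside the hunk, so it is also worth confirming that nothing set up before this `return` needs releasing.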
@@ -0,0 +1,181 @@
+diff -ruNp a/agent/mibgroup/ucd-snmp/disk.c b/agent/mibgroup/ucd-snmp/disk.c
+--- a/agent/mibgroup/ucd-snmp/disk.c 2020-06-10 09:29:35.867328760 +0200
++++ b/agent/mibgroup/ucd-snmp/disk.c 2020-06-10 09:44:13.053535421 +0200
+@@ -153,9 +153,10 @@ static void disk_free_config(void)
+ static void disk_parse_config(const char *, char *);
+ static void disk_parse_config_all(const char *, char *);
+ #if HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS
+-static void find_and_add_allDisks(int minpercent);
++static void refresh_disk_table(int addNewDisks, int minpercent);
+ static void add_device(char *path, char *device,
+- int minspace, int minpercent, int override);
++ int minspace, int minpercent, int addNewDisks,
++ int override);
+ static void modify_disk_parameters(int index, int minspace,
+ int minpercent);
+ static int disk_exists(char *path);
+@@ -167,6 +168,7 @@ struct diskpart {
+ char path[STRMAX];
+ int minimumspace;
+ int minpercent;
++ int alive;
+ };
+
+ #define MAX_INT_32 0x7fffffff
+@@ -174,6 +176,7 @@ struct diskpart {
+
+ unsigned int numdisks;
+ int allDisksIncluded = 0;
++int allDisksMinPercent = 0;
+ unsigned int maxdisks = 0;
+ struct diskpart *disks;
+
+@@ -238,6 +241,7 @@ init_disk(void)
+ disk_free_config,
+ "minpercent%");
+ allDisksIncluded = 0;
++ allDisksMinPercent = 0;
+ }
+
+ static void
+@@ -253,6 +257,7 @@ disk_free_config(void)
+ disks[i].minpercent = -1;
+ }
+ allDisksIncluded = 0;
++ allDisksMinPercent = 0;
+ }
+
+ static void
+@@ -313,7 +318,7 @@ disk_parse_config(const char *token, cha
+ * check if the disk already exists, if so then modify its
+ * parameters. if it does not exist then add it
+ */
+- add_device(path, find_device(path), minspace, minpercent, 1);
++ add_device(path, find_device(path), minspace, minpercent, 1, 1);
+ #endif /* HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS */
+ }
+
+@@ -372,7 +377,7 @@ disk_parse_config_all(const char *token,
+
+ #if HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS
+ static void
+-add_device(char *path, char *device, int minspace, int minpercent, int override)
++add_device(char *path, char *device, int minspace, int minpercent, int addNewDisks, int override)
+ {
+ int index;
+
+@@ -402,10 +407,16 @@ add_device(char *path, char *device, int
+ }
+
+ index = disk_exists(path);
+- if((index != -1) && (index < maxdisks) && (override==1)) {
+- modify_disk_parameters(index, minspace, minpercent);
++ if((index != -1) && (index < maxdisks)) {
++ /* the path is already in the table */
++ disks[index].alive = 1;
++ /* -> update its device */
++ strlcpy(disks[index].device, device, sizeof(disks[index].device));
++ if (override == 1) {
++ modify_disk_parameters(index, minspace, minpercent);
++ }
+ }
+- else if(index == -1){
++ else if(index == -1 && addNewDisks){
+ /* add if and only if the device was found */
+ if(device[0] != 0) {
+ /* The following buffers are cleared above, no need to add '\0' */
+@@ -413,6 +424,7 @@ add_device(char *path, char *device, int
+ strlcpy(disks[numdisks].device, device, sizeof(disks[numdisks].device));
+ disks[numdisks].minimumspace = minspace;
+ disks[numdisks].minpercent = minpercent;
++ disks[numdisks].alive = 1;
+ numdisks++;
+ }
+ else {
+@@ -420,6 +432,7 @@ add_device(char *path, char *device, int
+ disks[numdisks].minpercent = -1;
+ disks[numdisks].path[0] = 0;
+ disks[numdisks].device[0] = 0;
++ disks[numdisks].alive = 0;
+ }
+ }
+ }
+@@ -444,7 +457,7 @@ int disk_exists(char *path)
+ }
+
+ static void
+-find_and_add_allDisks(int minpercent)
++refresh_disk_table(int addNewDisks, int minpercent)
+ {
+ #if HAVE_GETMNTENT
+ #if HAVE_SYS_MNTTAB_H
+@@ -480,7 +493,7 @@ find_and_add_allDisks(int minpercent)
+ return;
+ }
+ while (mntfp && NULL != (mntent = getmntent(mntfp))) {
+- add_device(mntent->mnt_dir, mntent->mnt_fsname, -1, minpercent, 0);
++ add_device(mntent->mnt_dir, mntent->mnt_fsname, -1, minpercent, addNewDisks, 0);
+ dummy = 1;
+ }
+ if (mntfp)
+@@ -497,7 +510,7 @@ find_and_add_allDisks(int minpercent)
+ return;
+ }
+ while ((i = getmntent(mntfp, &mnttab)) == 0) {
+- add_device(mnttab.mnt_mountp, mnttab.mnt_special, -1, minpercent, 0);
++ add_device(mnttab.mnt_mountp, mnttab.mnt_special, -1, minpercent, addNewDisks, 0);
+ dummy = 1;
+ }
+ fclose(mntfp);
+@@ -510,7 +523,7 @@ find_and_add_allDisks(int minpercent)
+ #elif HAVE_FSTAB_H
+ setfsent(); /* open /etc/fstab */
+ while((fstab1 = getfsent()) != NULL) {
+- add_device(fstab1->fs_file, fstab1->fs_spec, -1, minpercent, 0);
++ add_device(fstab1->fs_file, fstab1->fs_spec, -1, minpercent, addNewDisks, 0);
+ dummy = 1;
+ }
+ endfsent(); /* close /etc/fstab */
+@@ -521,7 +534,7 @@ find_and_add_allDisks(int minpercent)
+ mntsize = getmntinfo(&mntbuf, MNT_NOWAIT);
+ for (i = 0; i < mntsize; i++) {
+ if (strncmp(mntbuf[i].f_fstypename, "zfs", 3) == 0) {
+- add_device(mntbuf[i].f_mntonname, mntbuf[i].f_mntfromname, -1, minpercent, 0);
++ add_device(mntbuf[i].f_mntonname, mntbuf[i].f_mntfromname, -1, minpercent, addNewDisks, 0);
+ }
+ }
+ }
+@@ -537,7 +550,7 @@ find_and_add_allDisks(int minpercent)
+ * statfs we default to the root partition "/"
+ */
+ if (statfs("/", &statf) == 0) {
+- add_device("/", statf.f_mntfromname, -1, minpercent, 0);
++ add_device("/", statf.f_mntfromname, -1, minpercent, addNewDisks, 0);
+ }
+ #endif
+ else {
+@@ -696,6 +709,10 @@ fill_dsk_entry(int disknum, struct dsk_e
+ #endif
+ #endif
+
++ if (disks[disknum].alive == 0){
++ return -1;
++ }
++
+ entry->dskPercentInode = -1;
+
+ #if defined(HAVE_STATVFS) || defined(HAVE_STATFS)
+@@ -826,6 +843,13 @@ var_extensible_disk(struct variable *vp,
+ static long long_ret;
+ static char *errmsg;
+
++ int i;
++ for (i = 0; i < numdisks; i++){
++ disks[i].alive = 0;
++ }
++ /* dynamically add new disks + update alive flag */
++ refresh_disk_table(allDisksIncluded, allDisksMinPercent);
++
+ tryAgain:
+ if (header_simple_table
+ (vp, name, length, exact, var_len, write_method, numdisks))
diff --git a/net-snmp-5.8-duplicate-ipAddress.patch b/net-snmp-5.8-duplicate-ipAddress.patch
new file mode 100644
index 0000000..075976a
--- /dev/null
+++ b/net-snmp-5.8-duplicate-ipAddress.patch
@@ -0,0 +1,11 @@
+diff -urNp a/agent/mibgroup/ip-mib/data_access/ipaddress_common.c b/agent/mibgroup/ip-mib/data_access/ipaddress_common.c
+--- a/agent/mibgroup/ip-mib/data_access/ipaddress_common.c 2020-06-10 13:27:03.213904398 +0200
++++ b/agent/mibgroup/ip-mib/data_access/ipaddress_common.c 2020-06-10 13:28:41.025863050 +0200
+@@ -121,6 +121,7 @@ _remove_duplicates(netsnmp_container *co
+ for (entry = ITERATOR_FIRST(it); entry; entry = ITERATOR_NEXT(it)) {
+ if (prev_entry && _access_ipaddress_entry_compare_addr(prev_entry, entry) == 0) {
+ /* 'entry' is duplicate of the previous one -> delete it */
++ NETSNMP_LOGONCE((LOG_ERR, "Duplicate IPv4 address detected, some interfaces may not be visible in IP-MIB\n"));
+ netsnmp_access_ipaddress_entry_free(entry);
+ } else {
+ CONTAINER_INSERT(ret, entry);
diff --git a/net-snmp-5.8-empty-passphrase.patch b/net-snmp-5.8-empty-passphrase.patch
new file mode 100644
index 0000000..deb0388
--- /dev/null
+++ b/net-snmp-5.8-empty-passphrase.patch
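Review bot: In net-snmp-5.8-dskTable-dynamic.patch, the "already in the table" branch of `add_device()` sets `alive = 1` and copies `device` into `disks[index].device` without the `device[0] != 0` test that the add-new branch applies two lines later. A call with an empty device string therefore blanks the stored device while marking the entry alive. Guarding the copy, `if (device[0] != 0) strlcpy(disks[index].device, device, sizeof(disks[index].device));`, keeps the last known device; whether `device` can also be NULL is decided above the hunk and is not visible. Separately, `var_extensible_disk()` now clears every `alive` flag and calls `refresh_disk_table()` on each request, so every query of this table triggers a fresh mount-table scan. A short refresh interval would bound that cost. The new loop also compares `int i` with `unsigned int numdisks`.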
@@ -0,0 +1,30 @@
+From 09a0c9005fb72102bf4f4499b28282f823e3e526 Mon Sep 17 00:00:00 2001
+From: Josef Ridky
+Date: Wed, 18 Nov 2020 20:54:34 -0800
+Subject: [PATCH] net-snmp-create-v3-user: Handle empty passphrases correctly
+
+See also https://github.com/net-snmp/net-snmp/issues/86.
+
+Fixes: e5ad10de8e17 ("Quote provided encryption key in createUser line")
+Reported-by: Chris Cheney
+---
+ net-snmp-create-v3-user.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in
+index 452c2699d..31b4c58c1 100644
+--- a/net-snmp-create-v3-user.in
++++ b/net-snmp-create-v3-user.in
+@@ -120,7 +120,11 @@ fi
+ fi
+ outdir="@PERSISTENT_DIRECTORY@"
+ outfile="$outdir/snmpd.conf"
+-line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
++if test "x$xpassphrase" = "x" ; then
++ line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm"
++else
++ line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
++fi
+ echo "adding the following line to $outfile:"
+ echo " " $line
+ # in case it hasn't ever been started yet, start it.
diff --git a/net-snmp-5.8-engine-id.patch b/net-snmp-5.8-engine-id.patch
new file mode 100644
index 0000000..16c46a9
--- /dev/null
+++ b/net-snmp-5.8-engine-id.patch
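Review bot: In net-snmp-5.8-empty-passphrase.patch, both new `line=` assignments wrap the passphrases in `\"…\"` without escaping them, so a passphrase that itself contains a double quote produces a malformed `createUser` line in the persistent file. Unless the script rejects such input above the hunk, which is not visible here, a guard before the `if` would catch it: `case "$apassphrase$xpassphrase" in *\"*) echo "passphrases must not contain a double quote" >&2; exit 1;; esac`. The first branch also deserves a comment saying that omitting the privacy passphrase makes snmpd reuse the authentication passphrase for privacy, so the behaviour is a documented choice. The unchanged `echo " " $line` below still prints both passphrases to the terminal.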
@@ -0,0 +1,25 @@
+From 79f014464ba761e2430cc767b021993ab9379822 Mon Sep 17 00:00:00 2001
+From: Wes Hardaker
+Date: Tue, 8 Jan 2019 08:52:29 -0800
+Subject: [PATCH] NEWS: snmptrap: BUG: 2899: Patch from Drew Roedersheimer to
+ set library engineboots/time values before sending
+
+---
+ apps/snmptrap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/apps/snmptrap.c b/apps/snmptrap.c
+index d16d2fa671..12808d07e4 100644
+--- a/apps/snmptrap.c
++++ b/apps/snmptrap.c
+@@ -237,6 +237,9 @@ main(int argc, char *argv[])
+ session.engineBoots = 1;
+ if (session.engineTime == 0) /* not really correct, */
+ session.engineTime = get_uptime(); /* but it'll work. Sort of. */
++
++ set_enginetime(session.securityEngineID, session.securityEngineIDLen,
++ session.engineBoots, session.engineTime, TRUE);
+ }
+
+ ss = snmp_add(&session,
+
diff --git a/net-snmp-5.8-expand-SNMPCONFPATH.patch b/net-snmp-5.8-expand-SNMPCONFPATH.patch
new file mode 100644
index 0000000..a812cf4
--- /dev/null
+++ b/net-snmp-5.8-expand-SNMPCONFPATH.patch
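Review bot: In net-snmp-5.8-engine-id.patch, the status returned by the added `set_enginetime()` call is discarded, so a failure to record the boots/time pair leaves the trap to be sent with the unsynchronised values and nothing is reported. Checking it is a small change: `if (set_enginetime(session.securityEngineID, session.securityEngineIDLen, session.engineBoots, session.engineTime, TRUE) != SNMPERR_SUCCESS) snmp_log(LOG_WARNING, "snmptrap: could not set engine boots/time\n");`. A comment should also note that the pair is registered with the authenticated flag set even though the surrounding lines fall back to a hard-coded boots value and the local uptime. `main()` continues outside the hunk, so whether `securityEngineID` is always populated at this point cannot be confirmed from here.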
@@ -0,0 +1,12 @@
+diff -ruNp a/snmplib/read_config.c b/snmplib/read_config.c
+--- a/snmplib/read_config.c 2020-06-10 09:51:57.184786510 +0200
++++ b/snmplib/read_config.c 2020-06-10 09:53:13.257507112 +0200
+@@ -1642,7 +1642,7 @@ snmp_save_persistent(const char *type)
+ * save a warning header to the top of the new file
+ */
+ snprintf(fileold, sizeof(fileold),
+- "%s%s# Please save normal configuration tokens for %s in SNMPCONFPATH/%s.conf.\n# Only \"createUser\" tokens should be placed here by %s administrators.\n%s",
++ "%s%s# Please save normal configuration tokens for %s in /etc/snmp/%s.conf.\n# Only \"createUser\" tokens should be placed here by %s administrators.\n%s",
+ "#\n# net-snmp (or ucd-snmp) persistent data file.\n#\n############################################################################\n# STOP STOP STOP STOP STOP STOP STOP STOP STOP \n",
+ "#\n# **** DO NOT EDIT THIS FILE ****\n#\n# STOP STOP STOP STOP STOP STOP STOP STOP STOP \n############################################################################\n#\n# DO NOT STORE CONFIGURATION ENTRIES HERE.\n",
+ type, type, type,
diff --git a/net-snmp-5.8-fix-cert-crash.patch b/net-snmp-5.8-fix-cert-crash.patch
new file mode 100644
index 0000000..281bbae
--- /dev/null
+++ b/net-snmp-5.8-fix-cert-crash.patch
@@ -0,0 +1,67 @@
+diff -urNp a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
+--- a/snmplib/snmp_openssl.c 2021-06-09 12:38:23.196037329 +0200
++++ b/snmplib/snmp_openssl.c 2021-06-09 12:44:11.782503048 +0200
+@@ -284,31 +284,30 @@ _cert_get_extension(X509_EXTENSION *oex
+ }
+ if (X509V3_EXT_print(bio, oext, 0, 0) != 1) {
+ snmp_log(LOG_ERR, "could not print extension!\n");
+- BIO_vfree(bio);
+- return NULL;
++ goto out;
+ }
+
+ space = BIO_get_mem_data(bio, &data);
+ if (buf && *buf) {
+- if (*len < space)
+- buf_ptr = NULL;
+- else
+- buf_ptr = *buf;
++ if (*len < space +1) {
++ snmp_log(LOG_ERR, "not enough buffer space to print extension\n");
++ goto out;
++ }
++ buf_ptr = *buf;
++ } else {
++ buf_ptr = calloc(1, space + 1);
+ }
+- else
+- buf_ptr = calloc(1,space + 1);
+
+ if (!buf_ptr) {
+- snmp_log(LOG_ERR,
+- "not enough space or error in allocation for extenstion\n");
+- BIO_vfree(bio);
+- return NULL;
++ snmp_log(LOG_ERR, "error in allocation for extenstion\n");
++ goto out;
+ }
+ memcpy(buf_ptr, data, space);
+ buf_ptr[space] = 0;
+ if (len)
+ *len = space;
+
++out:
+ BIO_vfree(bio);
+
+ return buf_ptr;
+@@ -479,7 +478,7 @@ netsnmp_openssl_cert_dump_extensions(X50
+ {
+ X509_EXTENSION *extension;
+ const char *extension_name;
+- char buf[SNMP_MAXBUF_SMALL], *buf_ptr = buf, *str, *lf;
++ char buf[SNMP_MAXBUF], *buf_ptr = buf, *str, *lf;
+ int i, num_extensions, buf_len, nid;
+
+ if (NULL == ocert)
+@@ -499,6 +498,11 @@ netsnmp_openssl_cert_dump_extensions(X50
+ extension_name = OBJ_nid2sn(nid);
+ buf_len = sizeof(buf);
+ str = _cert_get_extension_str_at(ocert, i, &buf_ptr, &buf_len, 0);
++ if (!str) {
++ DEBUGMSGT(("9:cert:dump", " %2d: %s\n", i,
++ extension_name));
++ continue;
++ }
+ lf = strchr(str, '\n'); /* look for multiline strings */
+ if (NULL != lf)
+ *lf = '\0'; /* only log first line of multiline here */
diff --git a/net-snmp-5.8-flood-messages.patch b/net-snmp-5.8-flood-messages.patch
new file mode 100644
index 0000000..49e8e44
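Review bot: In net-snmp-5.8-fix-cert-crash.patch, two of the new `goto out` jumps in `_cert_get_extension()` run before `buf_ptr` has been assigned: the `X509V3_EXT_print` failure and the buffer-too-small case. The function then returns `buf_ptr`, whereas the removed code returned NULL explicitly. The declaration is outside the hunk, so this is only safe if `buf_ptr` is initialised to NULL there; adding `buf_ptr = NULL;` before each of those jumps makes the error paths independent of that. In the same branch `*len` is dereferenced without a check, while the function later treats `len` as optional with `if (len)`; `if (!len || *len < space + 1)` would make the two consistent. The new `if (!str)` guard in `netsnmp_openssl_cert_dump_extensions()` matches the NULL return these paths are meant to produce.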
--- /dev/null
+++ b/net-snmp-5.8-flood-messages.patch
@@ -0,0 +1,26 @@
+From cd09fd82522861830aaf9d237b26eef5f9ba50d2 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Wed, 21 Nov 2018 20:47:42 -0800
+Subject: [PATCH] MIB-II: Only log once that opening /proc/net/if_inet6 failed
+
+If IPv6 has been disabled (ipv6.disable=1) then opening /proc/net/if_inet6
+fails. Only log this once instead of thousand of times a day.
+
+Reported-by: Fif
+---
+ agent/mibgroup/ip-mib/data_access/ipaddress_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c
+index 5ddead3e0..280575ce3 100644
+--- a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c
++++ b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c
+@@ -234,7 +234,7 @@ _load_v6(netsnmp_container *container, int idx_offset)
+
+ #define PROCFILE "/proc/net/if_inet6"
+ if (!(in = fopen(PROCFILE, "r"))) {
+- snmp_log_perror("ipaddress_linux: could not open " PROCFILE);
++ NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE));
+ return -2;
+ }
+
diff --git a/net-snmp-5.8-intermediate-certs.patch b/net-snmp-5.8-intermediate-certs.patch
new file mode 100644
index 0000000..aff1ea2
--- /dev/null
+++ b/net-snmp-5.8-intermediate-certs.patch
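Review bot: In net-snmp-5.8-flood-messages.patch, replacing `snmp_log_perror()` with `NETSNMP_LOGONCE()` drops the errno text from the message, so the single remaining log line no longer says why the open failed. The new string also has no trailing newline. Keeping the reason costs little: `NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE ": %s\n", strerror(errno)));`, assuming `errno` and `strerror` are already available in this file, which the hunk does not show. Because only the first failure is logged, a later failure with a different cause, such as a permission change, will not appear, which a short comment at the call could state. `_load_v6()` continues outside the hunk.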
@@ -0,0 +1,1066 @@ +diff -urNp a/include/net-snmp/library/cert_util.h b/include/net-snmp/library/cert_util.h +--- a/include/net-snmp/library/cert_util.h 2021-06-09 10:55:22.767954797 +0200 ++++ b/include/net-snmp/library/cert_util.h 2021-06-09 10:56:36.725272293 +0200 +@@ -55,7 +55,8 @@ extern "C" { + char *common_name; + + u_char hash_type; +- u_char _pad[3]; /* for future use */ ++ u_char _pad[1]; /* for future use */ ++ u_short offset; + } netsnmp_cert; + + /** types */ +@@ -100,6 +101,7 @@ extern "C" { + + NETSNMP_IMPORT + netsnmp_cert *netsnmp_cert_find(int what, int where, void *hint); ++ netsnmp_void_array *netsnmp_certs_find(int what, int where, void *hint); + + int netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var); + +diff -urNp a/include/net-snmp/library/dir_utils.h b/include/net-snmp/library/dir_utils.h +--- a/include/net-snmp/library/dir_utils.h 2021-06-09 10:55:22.767954797 +0200 ++++ b/include/net-snmp/library/dir_utils.h 2021-06-09 10:56:36.726272298 +0200 +@@ -53,6 +53,8 @@ extern "C" { + #define NETSNMP_DIR_NSFILE 0x0010 + /** load stats in netsnmp_file */ + #define NETSNMP_DIR_NSFILE_STATS 0x0020 ++/** allow files to be indexed more than once */ ++#define NETSNMP_DIR_ALLOW_DUPLICATES 0x0040 + + + +diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c +--- a/snmplib/cert_util.c 2021-06-09 10:55:22.785954874 +0200 ++++ b/snmplib/cert_util.c 2021-06-09 11:02:43.890848394 +0200 +@@ -104,7 +104,7 @@ netsnmp_feature_child_of(tls_fingerprint + * bump this value whenever cert index format changes, so indexes + * will be regenerated with new format. 
+ */ +-#define CERT_INDEX_FORMAT 1 ++#define CERT_INDEX_FORMAT 2 + + static netsnmp_container *_certs = NULL; + static netsnmp_container *_keys = NULL; +@@ -130,6 +130,8 @@ static int _cert_fn_ncompare(netsnmp_ce + netsnmp_cert_common *rhs); + static void _find_partner(netsnmp_cert *cert, netsnmp_key *key); + static netsnmp_cert *_find_issuer(netsnmp_cert *cert); ++static netsnmp_void_array *_cert_reduce_subset_first(netsnmp_void_array *matching); ++static netsnmp_void_array *_cert_reduce_subset_what(netsnmp_void_array *matching, int what); + static netsnmp_void_array *_cert_find_subset_fn(const char *filename, + const char *directory); + static netsnmp_void_array *_cert_find_subset_sn(const char *subject); +@@ -349,6 +351,8 @@ _get_cert_container(const char *use) + { + netsnmp_container *c; + ++ int rc; ++ + c = netsnmp_container_find("certs:binary_array"); + if (NULL == c) { + snmp_log(LOG_ERR, "could not create container for %s\n", use); +@@ -358,6 +362,8 @@ _get_cert_container(const char *use) + c->free_item = (netsnmp_container_obj_func*)_cert_free; + c->compare = (netsnmp_container_compare*)_cert_compare; + ++ CONTAINER_SET_OPTIONS(c, CONTAINER_KEY_ALLOW_DUPLICATES, rc); ++ + return c; + } + +@@ -366,6 +372,8 @@ _setup_containers(void) + { + netsnmp_container *additional_keys; + ++ int rc; ++ + _certs = _get_cert_container("netsnmp certificates"); + if (NULL == _certs) + return; +@@ -380,6 +388,7 @@ _setup_containers(void) + additional_keys->container_name = strdup("certs_cn"); + additional_keys->free_item = NULL; + additional_keys->compare = (netsnmp_container_compare*)_cert_cn_compare; ++ CONTAINER_SET_OPTIONS(additional_keys, CONTAINER_KEY_ALLOW_DUPLICATES, rc); + netsnmp_container_add_index(_certs, additional_keys); + + /** additional keys: subject name */ +@@ -393,6 +402,7 @@ _setup_containers(void) + additional_keys->free_item = NULL; + additional_keys->compare = (netsnmp_container_compare*)_cert_sn_compare; + additional_keys->ncompare = 
(netsnmp_container_compare*)_cert_sn_ncompare; ++ CONTAINER_SET_OPTIONS(additional_keys, CONTAINER_KEY_ALLOW_DUPLICATES, rc); + netsnmp_container_add_index(_certs, additional_keys); + + /** additional keys: file name */ +@@ -406,6 +416,7 @@ _setup_containers(void) + additional_keys->free_item = NULL; + additional_keys->compare = (netsnmp_container_compare*)_cert_fn_compare; + additional_keys->ncompare = (netsnmp_container_compare*)_cert_fn_ncompare; ++ CONTAINER_SET_OPTIONS(additional_keys, CONTAINER_KEY_ALLOW_DUPLICATES, rc); + netsnmp_container_add_index(_certs, additional_keys); + + _keys = netsnmp_container_find("cert_keys:binary_array"); +@@ -428,9 +439,9 @@ netsnmp_cert_map_container(void) + } + + static netsnmp_cert * +-_new_cert(const char *dirname, const char *filename, int certType, +- int hashType, const char *fingerprint, const char *common_name, +- const char *subject) ++_new_cert(const char *dirname, const char *filename, int certType, int offset, ++ int allowed_uses, int hashType, const char *fingerprint, ++ const char *common_name, const char *subject) + { + netsnmp_cert *cert; + +@@ -450,8 +461,10 @@ _new_cert(const char *dirname, const cha + + cert->info.dir = strdup(dirname); + cert->info.filename = strdup(filename); +- cert->info.allowed_uses = NS_CERT_REMOTE_PEER; ++ /* only the first certificate is allowed to be a remote peer */ ++ cert->info.allowed_uses = allowed_uses; + cert->info.type = certType; ++ cert->offset = offset; + if (fingerprint) { + cert->hash_type = hashType; + cert->fingerprint = strdup(fingerprint); +@@ -888,14 +901,86 @@ _certindex_new( const char *dirname ) + * certificate utility functions + * + */ ++static BIO * ++netsnmp_open_bio(const char *dir, const char *filename) ++{ ++ BIO *certbio; ++ char file[SNMP_MAXPATH]; ++ ++ DEBUGMSGT(("9:cert:read", "Checking file %s\n", filename)); ++ ++ certbio = BIO_new(BIO_s_file()); ++ if (NULL == certbio) { ++ snmp_log(LOG_ERR, "error creating BIO\n"); ++ return NULL; ++ } ++ ++ 
snprintf(file, sizeof(file),"%s/%s", dir, filename); ++ if (BIO_read_filename(certbio, file) <=0) { ++ snmp_log(LOG_ERR, "error reading certificate/key %s into BIO\n", file); ++ BIO_vfree(certbio); ++ return NULL; ++ } ++ ++ return certbio; ++} ++ ++static void ++netsnmp_ocert_parse(netsnmp_cert *cert, X509 *ocert) ++{ ++ int is_ca; ++ ++ cert->ocert = ocert; ++ ++ /* ++ * X509_check_ca return codes: ++ * 0 not a CA ++ * 1 is a CA ++ * 2 basicConstraints absent so "maybe" a CA ++ * 3 basicConstraints absent but self signed V1. ++ * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. ++ * 5 outdated Netscape Certificate Type CA extension. ++ */ ++ is_ca = X509_check_ca(ocert); ++ if (1 == is_ca) ++ cert->info.allowed_uses |= NS_CERT_CA; ++ ++ if (NULL == cert->subject) { ++ cert->subject = X509_NAME_oneline(X509_get_subject_name(ocert), NULL, ++ 0); ++ DEBUGMSGT(("9:cert:add:subject", "subject name: %s\n", cert->subject)); ++ } ++ ++ if (NULL == cert->issuer) { ++ cert->issuer = X509_NAME_oneline(X509_get_issuer_name(ocert), NULL, 0); ++ if (strcmp(cert->subject, cert->issuer) == 0) { ++ free(cert->issuer); ++ cert->issuer = strdup("self-signed"); ++ } ++ DEBUGMSGT(("9:cert:add:issuer", "CA issuer: %s\n", cert->issuer)); ++ } ++ ++ if (NULL == cert->fingerprint) { ++ cert->hash_type = netsnmp_openssl_cert_get_hash_type(ocert); ++ cert->fingerprint = ++ netsnmp_openssl_cert_get_fingerprint(ocert, cert->hash_type); ++ } ++ ++ if (NULL == cert->common_name) { ++ cert->common_name =netsnmp_openssl_cert_get_commonName(ocert, NULL, ++ NULL); ++ DEBUGMSGT(("9:cert:add:name","%s\n", cert->common_name)); ++ } ++ ++} ++ + static X509 * + netsnmp_ocert_get(netsnmp_cert *cert) + { + BIO *certbio; + X509 *ocert = NULL; ++ X509 *ncert = NULL; + EVP_PKEY *okey = NULL; +- char file[SNMP_MAXPATH]; +- int is_ca; + + if (NULL == cert) + return NULL; +@@ -912,51 +997,33 @@ netsnmp_ocert_get(netsnmp_cert *cert) + } + } + +- DEBUGMSGT(("9:cert:read", "Checking file 
%s\n", cert->info.filename)); +- +- certbio = BIO_new(BIO_s_file()); +- if (NULL == certbio) { +- snmp_log(LOG_ERR, "error creating BIO\n"); +- return NULL; +- } +- +- snprintf(file, sizeof(file),"%s/%s", cert->info.dir, cert->info.filename); +- if (BIO_read_filename(certbio, file) <=0) { +- snmp_log(LOG_ERR, "error reading certificate %s into BIO\n", file); +- BIO_vfree(certbio); ++ certbio = netsnmp_open_bio(cert->info.dir, cert->info.filename); ++ if (!certbio) { + return NULL; + } + +- if (NS_CERT_TYPE_UNKNOWN == cert->info.type) { +- char *pos = strrchr(cert->info.filename, '.'); +- if (NULL == pos) +- return NULL; +- cert->info.type = _cert_ext_type(++pos); +- netsnmp_assert(cert->info.type != NS_CERT_TYPE_UNKNOWN); +- } +- + switch (cert->info.type) { + + case NS_CERT_TYPE_DER: ++ (void)BIO_seek(certbio, cert->offset); + ocert = d2i_X509_bio(certbio,NULL); /* DER/ASN1 */ + if (NULL != ocert) + break; +- (void)BIO_reset(certbio); + /* Check for PEM if DER didn't work */ + /* FALLTHROUGH */ + + case NS_CERT_TYPE_PEM: +- ocert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); ++ (void)BIO_seek(certbio, cert->offset); ++ ocert = ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); + if (NULL == ocert) + break; + if (NS_CERT_TYPE_DER == cert->info.type) { + DEBUGMSGT(("9:cert:read", "Changing type from DER to PEM\n")); + cert->info.type = NS_CERT_TYPE_PEM; + } +- /** check for private key too */ +- if (NULL == cert->key) { +- (void)BIO_reset(certbio); +- okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL); ++ /** check for private key too, but only if we're the first certificate */ ++ if (0 == cert->offset && NULL == cert->key) { ++ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL); + if (NULL != okey) { + netsnmp_key *key; + DEBUGMSGT(("cert:read:key", "found key with cert in %s\n", +@@ -983,7 +1050,7 @@ netsnmp_ocert_get(netsnmp_cert *cert) + break; + #ifdef CERT_PKCS12_SUPPORT_MAYBE_LATER + case NS_CERT_TYPE_PKCS12: +- 
(void)BIO_reset(certbio); ++ (void)BIO_seek(certbio, cert->offset); + PKCS12 *p12 = d2i_PKCS12_bio(certbio, NULL); + if ( (NULL != p12) && (PKCS12_verify_mac(p12, "", 0) || + PKCS12_verify_mac(p12, NULL, 0))) +@@ -1003,46 +1070,7 @@ netsnmp_ocert_get(netsnmp_cert *cert) + return NULL; + } + +- cert->ocert = ocert; +- /* +- * X509_check_ca return codes: +- * 0 not a CA +- * 1 is a CA +- * 2 basicConstraints absent so "maybe" a CA +- * 3 basicConstraints absent but self signed V1. +- * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. +- * 5 outdated Netscape Certificate Type CA extension. +- */ +- is_ca = X509_check_ca(ocert); +- if (1 == is_ca) +- cert->info.allowed_uses |= NS_CERT_CA; +- +- if (NULL == cert->subject) { +- cert->subject = X509_NAME_oneline(X509_get_subject_name(ocert), NULL, +- 0); +- DEBUGMSGT(("9:cert:add:subject", "subject name: %s\n", cert->subject)); +- } +- +- if (NULL == cert->issuer) { +- cert->issuer = X509_NAME_oneline(X509_get_issuer_name(ocert), NULL, 0); +- if (strcmp(cert->subject, cert->issuer) == 0) { +- free(cert->issuer); +- cert->issuer = strdup("self-signed"); +- } +- DEBUGMSGT(("9:cert:add:issuer", "CA issuer: %s\n", cert->issuer)); +- } +- +- if (NULL == cert->fingerprint) { +- cert->hash_type = netsnmp_openssl_cert_get_hash_type(ocert); +- cert->fingerprint = +- netsnmp_openssl_cert_get_fingerprint(ocert, cert->hash_type); +- } +- +- if (NULL == cert->common_name) { +- cert->common_name =netsnmp_openssl_cert_get_commonName(ocert, NULL, +- NULL); +- DEBUGMSGT(("9:cert:add:name","%s\n", cert->common_name)); +- } ++ netsnmp_ocert_parse(cert, ocert); + + return ocert; + } +@@ -1052,7 +1080,6 @@ netsnmp_okey_get(netsnmp_key *key) + { + BIO *keybio; + EVP_PKEY *okey; +- char file[SNMP_MAXPATH]; + + if (NULL == key) + return NULL; +@@ -1060,19 +1087,8 @@ netsnmp_okey_get(netsnmp_key *key) + if (key->okey) + return key->okey; + +- snprintf(file, sizeof(file),"%s/%s", key->info.dir, key->info.filename); +- 
DEBUGMSGT(("cert:key:read", "Checking file %s\n", key->info.filename)); +- +- keybio = BIO_new(BIO_s_file()); +- if (NULL == keybio) { +- snmp_log(LOG_ERR, "error creating BIO\n"); +- return NULL; +- } +- +- if (BIO_read_filename(keybio, file) <=0) { +- snmp_log(LOG_ERR, "error reading certificate %s into BIO\n", +- key->info.filename); +- BIO_vfree(keybio); ++ keybio = netsnmp_open_bio(key->info.dir, key->info.filename); ++ if (!keybio) { + return NULL; + } + +@@ -1158,7 +1174,7 @@ netsnmp_cert_load_x509(netsnmp_cert *cer + cert->issuer_cert = _find_issuer(cert); + if (NULL == cert->issuer_cert) { + DEBUGMSGT(("cert:load:warn", +- "couldn't load CA chain for cert %s\n", ++ "couldn't load full CA chain for cert %s\n", + cert->info.filename)); + rc = CERT_LOAD_PARTIAL; + break; +@@ -1167,7 +1183,7 @@ netsnmp_cert_load_x509(netsnmp_cert *cer + /** get issuer ocert */ + if ((NULL == cert->issuer_cert->ocert) && + (netsnmp_ocert_get(cert->issuer_cert) == NULL)) { +- DEBUGMSGT(("cert:load:warn", "couldn't load cert chain for %s\n", ++ DEBUGMSGT(("cert:load:warn", "couldn't load full cert chain for %s\n", + cert->info.filename)); + rc = CERT_LOAD_PARTIAL; + break; +@@ -1188,7 +1204,7 @@ _find_partner(netsnmp_cert *cert, netsnm + return; + } + +- if(key) { ++ if (key) { + if (key->cert) { + DEBUGMSGT(("cert:partner", "key already has partner\n")); + return; +@@ -1201,7 +1217,8 @@ _find_partner(netsnmp_cert *cert, netsnm + return; + *pos = 0; + +- matching = _cert_find_subset_fn( filename, key->info.dir ); ++ matching = _cert_reduce_subset_first(_cert_find_subset_fn( filename, ++ key->info.dir )); + if (!matching) + return; + if (1 == matching->size) { +@@ -1221,7 +1238,7 @@ _find_partner(netsnmp_cert *cert, netsnm + DEBUGMSGT(("cert:partner", "%s matches multiple certs\n", + key->info.filename)); + } +- else if(cert) { ++ else if (cert) { + if (cert->key) { + DEBUGMSGT(("cert:partner", "cert already has partner\n")); + return; +@@ -1259,76 +1276,189 @@ 
_find_partner(netsnmp_cert *cert, netsnm + } + } + ++static netsnmp_key * ++_add_key(EVP_PKEY *okey, const char* dirname, const char* filename, FILE *index) ++{ ++ netsnmp_key *key; ++ ++ key = _new_key(dirname, filename); ++ if (NULL == key) { ++ return NULL; ++ } ++ ++ key->okey = okey; ++ ++ if (-1 == CONTAINER_INSERT(_keys, key)) { ++ DEBUGMSGT(("cert:key:file:add:err", ++ "error inserting key into container\n")); ++ netsnmp_key_free(key); ++ key = NULL; ++ } ++ if (index) { ++ fprintf(index, "k:%s\n", filename); ++ } ++ ++ return key; ++} ++ ++static netsnmp_cert * ++_add_cert(X509 *ocert, const char* dirname, const char* filename, int type, int offset, ++ int allowed_uses, FILE *index) ++{ ++ netsnmp_cert *cert; ++ ++ cert = _new_cert(dirname, filename, type, offset, ++ allowed_uses, -1, NULL, NULL, NULL); ++ if (NULL == cert) ++ return NULL; ++ ++ netsnmp_ocert_parse(cert, ocert); ++ ++ if (-1 == CONTAINER_INSERT(_certs, cert)) { ++ DEBUGMSGT(("cert:file:add:err", ++ "error inserting cert into container\n")); ++ netsnmp_cert_free(cert); ++ return NULL; ++ } ++ ++ if (index) { ++ /** filename = NAME_MAX = 255 */ ++ /** fingerprint max = 64*3=192 for sha512 */ ++ /** common name / CN = 64 */ ++ if (cert) ++ fprintf(index, "c:%s %d %d %d %d %s '%s' '%s'\n", filename, ++ cert->info.type, cert->offset, cert->info.allowed_uses, ++ cert->hash_type, cert->fingerprint, ++ cert->common_name, cert->subject); ++ } ++ ++ return cert; ++} ++ + static int + _add_certfile(const char* dirname, const char* filename, FILE *index) + { +- X509 *ocert; +- EVP_PKEY *okey; ++ BIO *certbio; ++ X509 *ocert = NULL; ++ X509 *ncert; ++ EVP_PKEY *okey = NULL; + netsnmp_cert *cert = NULL; + netsnmp_key *key = NULL; + char certfile[SNMP_MAXPATH]; + int type; ++ int offset = 0; + + if (((const void*)NULL == dirname) || (NULL == filename)) + return -1; + + type = _type_from_filename(filename); +- netsnmp_assert(type != NS_CERT_TYPE_UNKNOWN); ++ if (type == NS_CERT_TYPE_UNKNOWN) { ++ 
snmp_log(LOG_ERR, "certificate file '%s' type not recognised, ignoring\n", filename); ++ return -1; ++ } + +- snprintf(certfile, sizeof(certfile),"%s/%s", dirname, filename); ++ certbio = netsnmp_open_bio(dirname, filename); ++ if (!certbio) { ++ return -1; ++ } + +- DEBUGMSGT(("9:cert:file:add", "Checking file: %s (type %d)\n", filename, +- type)); ++ switch (type) { + +- if (NS_CERT_TYPE_KEY == type) { +- key = _new_key(dirname, filename); +- if (NULL == key) +- return -1; +- okey = netsnmp_okey_get(key); +- if (NULL == okey) { +- netsnmp_key_free(key); +- return -1; +- } +- key->okey = okey; +- if (-1 == CONTAINER_INSERT(_keys, key)) { +- DEBUGMSGT(("cert:key:file:add:err", +- "error inserting key into container\n")); +- netsnmp_key_free(key); +- key = NULL; +- } +- } +- else { +- cert = _new_cert(dirname, filename, type, -1, NULL, NULL, NULL); +- if (NULL == cert) +- return -1; +- ocert = netsnmp_ocert_get(cert); +- if (NULL == ocert) { +- netsnmp_cert_free(cert); +- return -1; +- } +- cert->ocert = ocert; +- if (-1 == CONTAINER_INSERT(_certs, cert)) { +- DEBUGMSGT(("cert:file:add:err", +- "error inserting cert into container\n")); +- netsnmp_cert_free(cert); +- cert = NULL; +- } +- } +- if ((NULL == cert) && (NULL == key)) { +- DEBUGMSGT(("cert:file:add:failure", "for %s\n", certfile)); +- return -1; ++ case NS_CERT_TYPE_KEY: ++ ++ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL); ++ if (NULL == okey) ++ snmp_log(LOG_ERR, "error parsing key file %s\n", ++ key->info.filename); ++ else { ++ key = _add_key(okey, dirname, filename, index); ++ if (NULL == key) { ++ EVP_PKEY_free(okey); ++ okey = NULL; ++ } ++ } ++ break; ++ ++ case NS_CERT_TYPE_DER: ++ ++ ocert = d2i_X509_bio(certbio, NULL); /* DER/ASN1 */ ++ if (NULL != ocert) { ++ if (!_add_cert(ocert, dirname, filename, type, 0, ++ NS_CERT_REMOTE_PEER, index)) { ++ X509_free(ocert); ++ ocert = NULL; ++ } ++ break; ++ } ++ (void)BIO_reset(certbio); ++ /* Check for PEM if DER didn't work */ ++ /* 
FALLTHROUGH */ ++ ++ case NS_CERT_TYPE_PEM: ++ ++ if (NS_CERT_TYPE_DER == type) { ++ DEBUGMSGT(("9:cert:read", "Changing type from DER to PEM\n")); ++ type = NS_CERT_TYPE_PEM; ++ } ++ ++ /* read the private key first so we can record this in the index */ ++ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL); ++ ++ (void)BIO_reset(certbio); ++ ++ /* certs are read after the key */ ++ ocert = ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); ++ if (NULL != ocert) { ++ cert = _add_cert(ncert, dirname, filename, type, 0, ++ okey ? NS_CERT_IDENTITY | NS_CERT_REMOTE_PEER : ++ NS_CERT_REMOTE_PEER, index); ++ if (NULL == cert) { ++ X509_free(ocert); ++ ocert = ncert = NULL; ++ } ++ } ++ while (NULL != ncert) { ++ offset = BIO_tell(certbio); ++ ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); ++ if (ncert) { ++ if (NULL == _add_cert(ncert, dirname, filename, type, offset, 0, index)) { ++ X509_free(ncert); ++ ncert = NULL; ++ } ++ } ++ } ++ ++ if (NULL != okey) { ++ DEBUGMSGT(("cert:read:key", "found key with cert in %s\n", ++ cert->info.filename)); ++ key = _add_key(okey, dirname, filename, NULL); ++ if (NULL != key) { ++ DEBUGMSGT(("cert:read:partner", "%s match found!\n", ++ cert->info.filename)); ++ key->cert = cert; ++ cert->key = key; ++ } ++ else { ++ EVP_PKEY_free(okey); ++ okey = NULL; ++ } ++ } ++ ++ break; ++ ++#ifdef CERT_PKCS12_SUPPORT_MAYBE_LATER ++ case NS_CERT_TYPE_PKCS12: ++#endif ++ ++ default: ++ break; + } + +- if (index) { +- /** filename = NAME_MAX = 255 */ +- /** fingerprint max = 64*3=192 for sha512 */ +- /** common name / CN = 64 */ +- if (cert) +- fprintf(index, "c:%s %d %d %s '%s' '%s'\n", filename, +- cert->info.type, cert->hash_type, cert->fingerprint, +- cert->common_name, cert->subject); +- else if (key) +- fprintf(index, "k:%s\n", filename); ++ BIO_vfree(certbio); ++ ++ if ((NULL == ocert) && (NULL == okey)) { ++ snmp_log(LOG_ERR, "certificate file '%s' contained neither certificate nor key, ignoring\n", certfile); ++ 
return -1; + } + + return 0; +@@ -1342,8 +1472,10 @@ _cert_read_index(const char *dirname, st + struct stat idx_stat; + char tmpstr[SNMP_MAXPATH + 5], filename[NAME_MAX]; + char fingerprint[EVP_MAX_MD_SIZE*3], common_name[64+1], type_str[15]; +- char subject[SNMP_MAXBUF_SMALL], hash_str[15]; +- int count = 0, type, hash, version; ++ char subject[SNMP_MAXBUF_SMALL], hash_str[15], offset_str[15]; ++ char allowed_uses_str[15]; ++ ssize_t offset; ++ int count = 0, type, allowed_uses, hash, version; + netsnmp_cert *cert; + netsnmp_key *key; + netsnmp_container *newer, *found; +@@ -1386,7 +1518,8 @@ _cert_read_index(const char *dirname, st + (netsnmp_directory_filter*) + _time_filter,(void*)&idx_stat, + NETSNMP_DIR_NSFILE | +- NETSNMP_DIR_NSFILE_STATS); ++ NETSNMP_DIR_NSFILE_STATS | ++ NETSNMP_DIR_ALLOW_DUPLICATES); + if (newer) { + DEBUGMSGT(("cert:index:parse", "Index outdated; files modified\n")); + CONTAINER_FREE_ALL(newer, NULL); +@@ -1430,6 +1563,8 @@ _cert_read_index(const char *dirname, st + pos = &tmpstr[2]; + if ((NULL == (pos=copy_nword(pos, filename, sizeof(filename)))) || + (NULL == (pos=copy_nword(pos, type_str, sizeof(type_str)))) || ++ (NULL == (pos=copy_nword(pos, offset_str, sizeof(offset_str)))) || ++ (NULL == (pos=copy_nword(pos, allowed_uses_str, sizeof(allowed_uses_str)))) || + (NULL == (pos=copy_nword(pos, hash_str, sizeof(hash_str)))) || + (NULL == (pos=copy_nword(pos, fingerprint, + sizeof(fingerprint)))) || +@@ -1442,9 +1577,11 @@ _cert_read_index(const char *dirname, st + break; + } + type = atoi(type_str); ++ offset = atoi(offset_str); ++ allowed_uses = atoi(allowed_uses_str); + hash = atoi(hash_str); +- cert = (void*)_new_cert(dirname, filename, type, hash, fingerprint, +- common_name, subject); ++ cert = _new_cert(dirname, filename, type, offset, allowed_uses, hash, ++ fingerprint, common_name, subject); + if (cert && 0 == CONTAINER_INSERT(found, cert)) + ++count; + else { +@@ -1549,7 +1686,8 @@ _add_certdir(const char *dirname) + 
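Review bot: In the `@@ -1442,9 +1577,11 @@` hunk the two new index fields are converted with `atoi`, so a truncated or hand-edited index line silently becomes offset 0 or a negative value and is passed on to `_new_cert()`. Parsing with `strtol` and rejecting bad input, e.g. `offset = strtol(offset_str, &end, 10); if (*end || offset < 0) break;` (with `char *end` declared), would take the same exit as the existing `copy_nword` failure branch. The new fields are also inserted in the middle of the `c:` record, so an index written in the previous format would be misparsed. Whether the index version is bumped to discard old files is not visible in these hunks and is worth confirming. `_cert_read_index` starts and ends outside the hunk.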
(netsnmp_directory_filter*) + &_cert_cert_filter, NULL, + NETSNMP_DIR_RELATIVE_PATH | +- NETSNMP_DIR_EMPTY_OK ); ++ NETSNMP_DIR_EMPTY_OK | ++ NETSNMP_DIR_ALLOW_DUPLICATES); + if (NULL == cert_container) { + DEBUGMSGT(("cert:index:dir", + "error creating container for cert files\n")); +@@ -1637,7 +1775,7 @@ _cert_print(netsnmp_cert *c, void *conte + if (NULL == c) + return; + +- DEBUGMSGT(("cert:dump", "cert %s in %s\n", c->info.filename, c->info.dir)); ++ DEBUGMSGT(("cert:dump", "cert %s in %s at offset %d\n", c->info.filename, c->info.dir, c->offset)); + DEBUGMSGT(("cert:dump", " type %d flags 0x%x (%s)\n", + c->info.type, c->info.allowed_uses, + _mode_str(c->info.allowed_uses))); +@@ -1841,7 +1979,8 @@ netsnmp_cert_find(int what, int where, v + netsnmp_void_array *matching; + + DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint)); +- matching = _cert_find_subset_fn( filename, NULL ); ++ matching = _cert_reduce_subset_what(_cert_find_subset_fn( ++ filename, NULL ), what); + if (!matching) + return NULL; + if (1 == matching->size) +@@ -1887,6 +2026,32 @@ netsnmp_cert_find(int what, int where, v + return result; + } + ++netsnmp_void_array * ++netsnmp_certs_find(int what, int where, void *hint) ++{ ++ ++ DEBUGMSGT(("certs:find:params", "looking for %s(%d) in %s(0x%x), hint %p\n", ++ _mode_str(what), what, _where_str(where), where, hint)); ++ ++ if (NS_CERTKEY_FILE == where) { ++ /** hint == filename */ ++ char *filename = (char*)hint; ++ netsnmp_void_array *matching; ++ ++ DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint)); ++ matching = _cert_reduce_subset_what(_cert_find_subset_fn( ++ filename, NULL ), what); ++ ++ return matching; ++ } /* where = NS_CERTKEY_FILE */ ++ else { /* unknown location */ ++ ++ DEBUGMSGT(("certs:find:err", "unhandled location %d for %d\n", where, ++ what)); ++ return NULL; ++ } ++} ++ + #ifndef NETSNMP_FEATURE_REMOVE_CERT_FINGERPRINTS + int + netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var) +@@ 
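Review bot: `netsnmp_certs_find()` is added without a header comment, and its ownership contract can only be learned from the caller. As `_trust_this_cert()` later in this patch shows, the caller must free both `matching->array` and the array struct, and a NULL return covers both "no match" and an unsupported `where`. I would add a comment above the function such as `/* Returns a caller-owned array of certs from the named file that allow 'what'; free ->array and the struct. NULL if none match or 'where' is not NS_CERTKEY_FILE. */`. The `" hint = %s"` debug line also prints `hint` before any NULL check, so a NULL filename reaches `%s` when that debug token is enabled.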
-2284,6 +2449,124 @@ _reduce_subset_dir(netsnmp_void_array *m + } + } + ++/* ++ * reduce subset by eliminating any certificates that are not the ++ * first certficate in a file. This allows us to ignore certificate ++ * chains when testing for specific certificates, and to match keys ++ * to the first certificate only. ++ */ ++static netsnmp_void_array * ++_cert_reduce_subset_first(netsnmp_void_array *matching) ++{ ++ netsnmp_cert *cc; ++ int i = 0, j, newsize; ++ ++ if ((NULL == matching)) ++ return matching; ++ ++ newsize = matching->size; ++ ++ for( ; i < matching->size; ) { ++ /* ++ * if we've shifted matches down we'll hit a NULL entry before ++ * we hit the end of the array. ++ */ ++ if (NULL == matching->array[i]) ++ break; ++ /* ++ * skip over valid matches. The first entry has an offset of zero. ++ */ ++ cc = (netsnmp_cert*)matching->array[i]; ++ if (0 == cc->offset) { ++ ++i; ++ continue; ++ } ++ /* ++ * shrink array by shifting everything down a spot. Might not be ++ * the most efficient soloution, but this is just happening at ++ * startup and hopefully most certs won't have common prefixes. ++ */ ++ --newsize; ++ for ( j=i; j < newsize; ++j ) ++ matching->array[j] = matching->array[j+1]; ++ matching->array[j] = NULL; ++ /** no ++i; just shifted down, need to look at same position again */ ++ } ++ /* ++ * if we shifted, set the new size ++ */ ++ if (newsize != matching->size) { ++ DEBUGMSGT(("9:cert:subset:first", "shrank from %" NETSNMP_PRIz "d to %d\n", ++ matching->size, newsize)); ++ matching->size = newsize; ++ } ++ ++ if (0 == matching->size) { ++ free(matching->array); ++ SNMP_FREE(matching); ++ } ++ ++ return matching; ++} ++ ++/* ++ * reduce subset by eliminating any certificates that do not match ++ * purpose specified. 
++ */ ++static netsnmp_void_array * ++_cert_reduce_subset_what(netsnmp_void_array *matching, int what) ++{ ++ netsnmp_cert_common *cc; ++ int i = 0, j, newsize; ++ ++ if ((NULL == matching)) ++ return matching; ++ ++ newsize = matching->size; ++ ++ for( ; i < matching->size; ) { ++ /* ++ * if we've shifted matches down we'll hit a NULL entry before ++ * we hit the end of the array. ++ */ ++ if (NULL == matching->array[i]) ++ break; ++ /* ++ * skip over valid matches. The first entry has an offset of zero. ++ */ ++ cc = (netsnmp_cert_common *)matching->array[i]; ++ if ((cc->allowed_uses & what)) { ++ ++i; ++ continue; ++ } ++ /* ++ * shrink array by shifting everything down a spot. Might not be ++ * the most efficient soloution, but this is just happening at ++ * startup and hopefully most certs won't have common prefixes. ++ */ ++ --newsize; ++ for ( j=i; j < newsize; ++j ) ++ matching->array[j] = matching->array[j+1]; ++ matching->array[j] = NULL; ++ /** no ++i; just shifted down, need to look at same position again */ ++ } ++ /* ++ * if we shifted, set the new size ++ */ ++ if (newsize != matching->size) { ++ DEBUGMSGT(("9:cert:subset:what", "shrank from %" NETSNMP_PRIz "d to %d\n", ++ matching->size, newsize)); ++ matching->size = newsize; ++ } ++ ++ if (0 == matching->size) { ++ free(matching->array); ++ SNMP_FREE(matching); ++ } ++ ++ return matching; ++} ++ + static netsnmp_void_array * + _cert_find_subset_common(const char *filename, netsnmp_container *container) + { +diff -urNp a/snmplib/transports/snmpTLSBaseDomain.c b/snmplib/transports/snmpTLSBaseDomain.c +--- a/snmplib/transports/snmpTLSBaseDomain.c 2021-06-09 10:55:22.791954900 +0200 ++++ b/snmplib/transports/snmpTLSBaseDomain.c 2021-06-09 10:56:36.727272302 +0200 +@@ -59,7 +59,7 @@ int openssl_local_index; + /* this is called during negotiation */ + int verify_callback(int ok, X509_STORE_CTX *ctx) { + int err, depth; +- char buf[1024], *fingerprint; ++ char subject[SNMP_MAXBUF_MEDIUM], 
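Review bot: In `_cert_reduce_subset_what()` the comment above the keep-test was copied from `_cert_reduce_subset_first()` and still says "The first entry has an offset of zero", while the code tests `cc->allowed_uses & what`. It should read something like `/* keep entries whose allowed_uses includes a requested purpose */`. The function reads each element through a `netsnmp_cert_common *` cast, which presumably relies on that struct being the first member of the stored records; a one-line comment stating the assumption would help. Both functions free the array and return NULL when nothing is left, which callers must treat as "no match", and that belongs in the header comments. Minor: "certficate" and "soloution" are misspelled, and the two bodies differ only in the predicate.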
issuer[SNMP_MAXBUF_MEDIUM], *fingerprint; + X509 *thecert; + netsnmp_cert *cert; + _netsnmp_verify_info *verify_info; +@@ -71,10 +71,12 @@ int verify_callback(int ok, X509_STORE_C + + /* things to do: */ + +- X509_NAME_oneline(X509_get_subject_name(thecert), buf, sizeof(buf)); ++ X509_NAME_oneline(X509_get_subject_name(thecert), subject, sizeof(subject)); ++ X509_NAME_oneline(X509_get_issuer_name(thecert), issuer, sizeof(issuer)); + fingerprint = netsnmp_openssl_cert_get_fingerprint(thecert, -1); +- DEBUGMSGTL(("tls_x509:verify", "Cert: %s\n", buf)); +- DEBUGMSGTL(("tls_x509:verify", " fp: %s\n", fingerprint ? ++ DEBUGMSGTL(("tls_x509:verify", " subject: %s\n", subject)); ++ DEBUGMSGTL(("tls_x509:verify", " issuer: %s\n", issuer)); ++ DEBUGMSGTL(("tls_x509:verify", " fp: %s\n", fingerprint ? + fingerprint : "unknown")); + + ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); +@@ -109,7 +111,7 @@ int verify_callback(int ok, X509_STORE_C + } else { + DEBUGMSGTL(("tls_x509:verify", " no matching fp found\n")); + /* log where we are and why called */ +- snmp_log(LOG_ERR, "tls verification failure: ok=%d ctx=%p depth=%d err=%i:%s\n", ok, ctx, depth, err, X509_verify_cert_error_string(err)); ++ snmp_log(LOG_ERR, "tls verification failure: ok=%d ctx=%p depth=%d fp=%s subject='%s' issuer='%s' err=%i:%s\n", ok, ctx, depth, fingerprint, subject, issuer, err, X509_verify_cert_error_string(err)); + SNMP_FREE(fingerprint); + return 0; + } +@@ -425,23 +427,50 @@ netsnmp_tlsbase_extract_security_name(SS + int + _trust_this_cert(SSL_CTX *the_ctx, char *certspec) { + netsnmp_cert *trustcert; ++ netsnmp_cert *candidate; ++ netsnmp_void_array *matching = NULL; ++ ++ int i; + + DEBUGMSGTL(("sslctx_client", "Trying to load a trusted certificate: %s\n", + certspec)); + + /* load this identifier into the trust chain */ + trustcert = netsnmp_cert_find(NS_CERT_CA, +- NS_CERTKEY_MULTIPLE, ++ NS_CERTKEY_FINGERPRINT, + certspec); ++ ++ /* loop through all CA certs in 
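Review bot: In the `@@ -109,7 +111,7 @@` hunk the extended `snmp_log(LOG_ERR, "tls verification failure: ...")` call passes `fingerprint` straight to `%s`. The debug line added a few lines earlier guards the same value with `fingerprint ? fingerprint : "unknown"`, which suggests it can be NULL. Passing NULL to `%s` is undefined behaviour, so the log call should use the same guard, `fingerprint ? fingerprint : "unknown"`. Subject and issuer come from the peer's certificate, so it is worth confirming that `X509_NAME_oneline()` output is safe to embed between single quotes in a log line. `verify_callback` starts and ends outside this hunk.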
the given files */ ++ if (!trustcert) { ++ matching = netsnmp_certs_find(NS_CERT_CA, ++ NS_CERTKEY_FILE, ++ certspec); ++ for (i = 0; (matching) && (i < matching->size); ++i) { ++ candidate = (netsnmp_cert*)matching->array[i]; ++ if (netsnmp_cert_trust(the_ctx, candidate) != SNMPERR_SUCCESS) { ++ free(matching->array); ++ free(matching); ++ LOGANDDIE("failed to load trust certificate"); ++ } ++ } /** matching loop */ ++ ++ if (matching) { ++ free(matching->array); ++ free(matching); ++ return 1; ++ } ++ } ++ ++ /* fall back to trusting the remote peer certificate */ + if (!trustcert) + trustcert = netsnmp_cert_find(NS_CERT_REMOTE_PEER, + NS_CERTKEY_MULTIPLE, + certspec); + if (!trustcert) + LOGANDDIE("failed to find requested certificate to trust"); +- ++ + /* Add the certificate to the context */ +- if (netsnmp_cert_trust_ca(the_ctx, trustcert) != SNMPERR_SUCCESS) ++ if (netsnmp_cert_trust(the_ctx, trustcert) != SNMPERR_SUCCESS) + LOGANDDIE("failed to load trust certificate"); + + return 1; +@@ -481,7 +510,7 @@ _sslctx_common_setup(SSL_CTX *the_ctx, _ + NETSNMP_DS_LIB_X509_CRL_FILE); + if (NULL != crlFile) { + cert_store = SSL_CTX_get_cert_store(the_ctx); +- DEBUGMSGTL(("sslctx_client", "loading CRL: %s\n", crlFile)); ++ DEBUGMSGTL(("sslctx_common", "loading CRL: %s\n", crlFile)); + if (!cert_store) + LOGANDDIE("failed to find certificate store"); + if (!(lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file()))) +@@ -546,13 +575,19 @@ sslctx_client_setup(const SSL_METHOD *me + id_cert->key->info.filename)); + + if (SSL_CTX_use_certificate(the_ctx, id_cert->ocert) <= 0) +- LOGANDDIE("failed to set the certificate to use"); ++ LOGANDDIE("failed to set the client certificate to use"); + + if (SSL_CTX_use_PrivateKey(the_ctx, id_cert->key->okey) <= 0) +- LOGANDDIE("failed to set the private key to use"); ++ LOGANDDIE("failed to set the client private key to use"); + + if (!SSL_CTX_check_private_key(the_ctx)) +- LOGANDDIE("public and private keys incompatible"); 
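Review bot: When `certspec` names a file, the new loop in `_trust_this_cert()` trusts every certificate returned by `netsnmp_certs_find(NS_CERT_CA, NS_CERTKEY_FILE, ...)` and returns 1 without recording which ones were added. This widens what a single trust setting can admit, so I would log each candidate as it is trusted, e.g. `DEBUGMSGTL(("sslctx_client", "trusting %s at offset %d\n", candidate->info.filename, candidate->offset));`. The comment above the loop should also say that all CA-usable certificates in the file become trust anchors. The first lookup changes from `NS_CERTKEY_MULTIPLE` to `NS_CERTKEY_FINGERPRINT`, so a non-fingerprint spec now goes to the file branch and reaches the peer-certificate fallback only if the file yields nothing; that ordering deserves a sentence in the function comment. The array cleanup is written out twice and could be a single exit path.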
++ LOGANDDIE("client public and private keys incompatible"); ++ ++ while (id_cert->issuer_cert) { ++ id_cert = id_cert->issuer_cert; ++ if (!SSL_CTX_add_extra_chain_cert(the_ctx, id_cert->ocert)) ++ LOGANDDIE("failed to add intermediate client certificate"); ++ } + + if (tlsbase->their_identity) + peer_cert = netsnmp_cert_find(NS_CERT_REMOTE_PEER, +@@ -566,11 +601,11 @@ sslctx_client_setup(const SSL_METHOD *me + peer_cert ? peer_cert->info.filename : "none")); + + /* Trust the expected certificate */ +- if (netsnmp_cert_trust_ca(the_ctx, peer_cert) != SNMPERR_SUCCESS) ++ if (netsnmp_cert_trust(the_ctx, peer_cert) != SNMPERR_SUCCESS) + LOGANDDIE ("failed to set verify paths"); + } + +- /* trust a certificate (possibly a CA) aspecifically passed in */ ++ /* trust a certificate (possibly a CA) specifically passed in */ + if (tlsbase->trust_cert) { + if (!_trust_this_cert(the_ctx, tlsbase->trust_cert)) + return 0; +@@ -589,7 +624,7 @@ sslctx_server_setup(const SSL_METHOD *me + /* setting up for ssl */ + SSL_CTX *the_ctx = SSL_CTX_new(NETSNMP_REMOVE_CONST(SSL_METHOD *, method)); + if (!the_ctx) { +- LOGANDDIE("can't create a new context"); ++ LOGANDDIE("can't create a new server context"); + } + + id_cert = netsnmp_cert_find(NS_CERT_IDENTITY, NS_CERTKEY_DEFAULT, NULL); +@@ -597,7 +632,7 @@ sslctx_server_setup(const SSL_METHOD *me + LOGANDDIE ("error finding server identity keys"); + + if (!id_cert->key || !id_cert->key->okey) +- LOGANDDIE("failed to load private key"); ++ LOGANDDIE("failed to load server private key"); + + DEBUGMSGTL(("sslctx_server", "using public key: %s\n", + id_cert->info.filename)); +@@ -605,13 +640,19 @@ sslctx_server_setup(const SSL_METHOD *me + id_cert->key->info.filename)); + + if (SSL_CTX_use_certificate(the_ctx, id_cert->ocert) <= 0) +- LOGANDDIE("failed to set the certificate to use"); ++ LOGANDDIE("failed to set the server certificate to use"); + + if (SSL_CTX_use_PrivateKey(the_ctx, id_cert->key->okey) <= 0) +- LOGANDDIE("failed to set the 
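Review bot: `SSL_CTX_add_extra_chain_cert()` takes ownership of the `X509` it is given and frees it when the `SSL_CTX` is destroyed. The loop added to `sslctx_client_setup()` passes `id_cert->ocert`, which still appears to belong to the cert store entry. Unless the store never frees that object, this leaves two owners; calling `X509_up_ref(id_cert->ocert);` before the add (OpenSSL 1.1.0 or later) avoids it. The loop also assumes that each `issuer_cert` has its `ocert` loaded and that the chain terminates, neither of which is shown here, so a NULL check on `id_cert->ocert` would be prudent. The same loop is added to `sslctx_server_setup()` in the `@@ -605,13 +640,19 @@` hunk.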
private key to use"); ++ LOGANDDIE("failed to set the server private key to use"); + + if (!SSL_CTX_check_private_key(the_ctx)) +- LOGANDDIE("public and private keys incompatible"); ++ LOGANDDIE("server public and private keys incompatible"); ++ ++ while (id_cert->issuer_cert) { ++ id_cert = id_cert->issuer_cert; ++ if (!SSL_CTX_add_extra_chain_cert(the_ctx, id_cert->ocert)) ++ LOGANDDIE("failed to add intermediate server certificate"); ++ } + + SSL_CTX_set_read_ahead(the_ctx, 1); /* XXX: DTLS only? */ + diff --git a/net-snmp-5.8-ipAddress-faster-load.patch b/net-snmp-5.8-ipAddress-faster-load.patch new file mode 100644 index 0000000..db95998 --- /dev/null +++ b/net-snmp-5.8-ipAddress-faster-load.patch 
@@ -0,0 +1,82 @@ +diff -urNp a/agent/mibgroup/mibII/ipAddr.c b/agent/mibgroup/mibII/ipAddr.c +--- a/agent/mibgroup/mibII/ipAddr.c 2020-06-10 14:14:30.113696471 +0200 ++++ b/agent/mibgroup/mibII/ipAddr.c 2020-06-10 14:27:15.345354018 +0200 +@@ -495,14 +495,16 @@ Address_Scan_Next(Index, Retin_ifaddr) + } + + #elif defined(linux) ++#include + static struct ifreq *ifr; + static int ifr_counter; + + static void + Address_Scan_Init(void) + { +- int num_interfaces = 0; ++ int i; + int fd; ++ int lastlen = 0; + + /* get info about all interfaces */ + +@@ -510,28 +512,45 @@ Address_Scan_Init(void) + SNMP_FREE(ifc.ifc_buf); + ifr_counter = 0; + +- do +- { + if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) + { + DEBUGMSGTL(("snmpd", "socket open failure in Address_Scan_Init\n")); + return; + } +- num_interfaces += 16; + +- ifc.ifc_len = sizeof(struct ifreq) * num_interfaces; +- ifc.ifc_buf = (char*) realloc(ifc.ifc_buf, ifc.ifc_len); +- +- if (ioctl(fd, SIOCGIFCONF, &ifc) < 0) +- { +- ifr=NULL; +- close(fd); +- return; +- } +- close(fd); ++ /* ++ * Cope with lots of interfaces and brokenness of ioctl SIOCGIFCONF ++ * on some platforms; see W. R. Stevens, ``Unix Network Programming ++ * Volume I'', p.435... ++ */ ++ ++ for (i = 8;; i *= 2) { ++ ifc.ifc_len = sizeof(struct ifreq) * i; ++ ifc.ifc_req = calloc(i, sizeof(struct ifreq)); ++ ++ if (ioctl(fd, SIOCGIFCONF, &ifc) < 0) { ++ if (errno != EINVAL || lastlen != 0) { ++ /* ++ * Something has gone genuinely wrong... ++ */ ++ snmp_log(LOG_ERR, "bad rc from ioctl, errno %d", errno); ++ SNMP_FREE(ifc.ifc_buf); ++ close(fd); ++ return; ++ } ++ } else { ++ if (ifc.ifc_len == lastlen) { ++ /* ++ * The length is the same as the last time; we're done... ++ */ ++ break; ++ } ++ lastlen = ifc.ifc_len; ++ } ++ free(ifc.ifc_buf); /* no SNMP_FREE, getting ready to reassign */ + } +- while (ifc.ifc_len >= (sizeof(struct ifreq) * num_interfaces)); +- ++ ++ close(fd); + ifr = ifc.ifc_req; + } + 
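Review bot: In the rewritten `Address_Scan_Init()` (`@@ -510,28 +512,45 @@`) the result of `calloc(i, sizeof(struct ifreq))` is handed to `ioctl(fd, SIOCGIFCONF, &ifc)` without a NULL check. The ioctl error path also no longer sets `ifr = NULL` as the removed code did, so the static `ifr` may keep pointing at the buffer freed at the top of the function. I would add `if (ifc.ifc_req == NULL) { close(fd); return; }` after the allocation and `ifr = NULL;` before the early `return`. The doubling loop has no upper bound on `i`, so a cap would keep a misbehaving ioctl from growing the buffer indefinitely. The `snmp_log` message also lacks a trailing newline.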
diff --git a/net-snmp-5.8-ipv6-clientaddr.patch b/net-snmp-5.8-ipv6-clientaddr.patch
new file mode 100644
index 0000000..b8cadcf
--- /dev/null
+++ b/net-snmp-5.8-ipv6-clientaddr.patch
@@ -0,0 +1,12 @@
+diff -urNp a/snmplib/transports/snmpUDPIPv6Domain.c b/snmplib/transports/snmpUDPIPv6Domain.c
+--- a/snmplib/transports/snmpUDPIPv6Domain.c 2019-01-24 09:03:05.606441678 +0100
++++ b/snmplib/transports/snmpUDPIPv6Domain.c 2019-02-07 08:59:26.434587244 +0100
+@@ -464,7 +464,7 @@ netsnmp_udp6_transport(const struct sock
+ NETSNMP_DS_LIB_CLIENT_ADDR);
+ if (client_socket) {
+ struct sockaddr_in6 client_addr;
+- if(!netsnmp_sockaddr_in6_2(&client_addr, client_socket, NULL)) {
++ if(netsnmp_sockaddr_in6_2(&client_addr, client_socket, NULL)) {
+ return netsnmp_udp6_transport_with_source(addr, local,
+ &client_addr);
+ }
diff --git a/net-snmp-5.8-ipv6-disabled.patch b/net-snmp-5.8-ipv6-disabled.patch
new file mode 100644
index 0000000..824c09c
--- /dev/null
+++ b/net-snmp-5.8-ipv6-disabled.patch
@@ -0,0 +1,31 @@ +diff -urNp a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c +--- a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c 2020-09-29 14:08:09.742478965 +0200 ++++ b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c 2020-10-01 14:20:25.575174851 +0200 +@@ -19,6 +19,7 @@ + + #include + #include ++#include + + netsnmp_feature_require(prefix_info) + netsnmp_feature_require(find_prefix_info) +@@ -234,7 +235,18 @@ _load_v6(netsnmp_container *container, i + + #define PROCFILE "/proc/net/if_inet6" + if (!(in = fopen(PROCFILE, "r"))) { +- NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE)); ++ ++ /* ++ * If PROCFILE exists, but isn't readable, file ERROR message. ++ * Otherwise log nothing, due of IPv6 support on this machine is ++ * intentionaly disabled/unavailable. ++ */ ++ ++ struct stat filestat; ++ ++ if(stat(PROCFILE, &filestat) == 0){ ++ NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE)); ++ } + return -2; + } + diff --git a/net-snmp-5.8-libnetsnmptrapd-against-MYSQL_LIBS.patch b/net-snmp-5.8-libnetsnmptrapd-against-MYSQL_LIBS.patch new file mode 100644 index 0000000..1d1fafb --- /dev/null +++ b/net-snmp-5.8-libnetsnmptrapd-against-MYSQL_LIBS.patch @@ -0,0 +1,12 @@ +diff -urNp a/apps/Makefile.in b/apps/Makefile.in +--- a/apps/Makefile.in 2018-07-18 15:39:28.069251000 +0200 ++++ b/apps/Makefile.in 2018-07-18 15:54:52.261943123 +0200 +@@ -230,7 +230,7 @@ snmppcap$(EXEEXT): snmppcap.$(OSUFFIX + $(LINK) ${CFLAGS} -o $@ snmppcap.$(OSUFFIX) ${LDFLAGS} ${LIBS} -lpcap + + libnetsnmptrapd.$(LIB_EXTENSION)$(LIB_VERSION): $(LLIBTRAPD_OBJS) +- $(LIB_LD_CMD) $@ ${LLIBTRAPD_OBJS} $(MIBLIB) $(USELIBS) $(PERLLDOPTS_FOR_LIBS) $(LIB_LD_LIBS) ++ $(LIB_LD_CMD) $@ ${LLIBTRAPD_OBJS} $(MIBLIB) $(USELIBS) $(PERLLDOPTS_FOR_LIBS) $(LIB_LD_LIBS) $(MYSQL_LIBS) + $(RANLIB) $@ + + snmpinforminstall: 
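Review bot: The added `stat(PROCFILE, &filestat)` after a failed `fopen()` asks the filesystem again for something `fopen()` already reported through `errno`. Testing `if (errno != ENOENT)` right after the failed open gives the same "missing file means IPv6 is disabled, stay quiet" behaviour without the second call or the gap between the two checks. It also keeps the error logged when the path exists but `stat()` fails for another reason. That needs `<errno.h>` in scope, which this hunk does not show. The comment would read better as `/* Log only if PROCFILE exists but cannot be opened; a missing file means IPv6 is disabled or unavailable. */`; `_load_v6` starts and ends outside the hunk.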
diff --git a/net-snmp-5.8-man-page.patch b/net-snmp-5.8-man-page.patch new file mode 100644 index 0000000..dc78e14 --- /dev/null +++ b/net-snmp-5.8-man-page.patch @@ -0,0 +1,36 @@ +diff -urNp a/man/net-snmp-create-v3-user.1.def b/man/net-snmp-create-v3-user.1.def +--- a/man/net-snmp-create-v3-user.1.def 2020-06-10 13:43:18.443070961 +0200 ++++ b/man/net-snmp-create-v3-user.1.def 2020-06-10 13:49:25.975363441 +0200 +@@ -3,7 +3,7 @@ + net-snmp-create-v3-user \- create a SNMPv3 user in net-snmp configuration file + .SH SYNOPSIS + .PP +-.B net-snmp-create-v3-user [-ro] [-a authpass] [-x privpass] [-X DES|AES] ++.B net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass] [-x DES|AES] + .B [username] + .SH DESCRIPTION + .PP +@@ -16,13 +16,16 @@ new user in net-snmp configuration file + displays the net-snmp version number + .TP + \fB\-ro\fR +-create an user with read-only permissions ++creates a user with read-only permissions + .TP +-\fB\-a authpass\fR +-specify authentication password ++\fB\-A authpass\fR ++specifies the authentication password + .TP +-\fB\-x privpass\fR +-specify encryption password ++\fB\-a MD5|SHA\fR ++specifies the authentication password hashing algorithm + .TP +-\fB\-X DES|AES\fR +-specify encryption algorithm ++\fB\-X privpass\fR ++specifies the encryption password ++.TP ++\fB\-x DES|AES\fR ++specifies the encryption algorithm diff --git a/net-snmp-5.8-memleak-backport.patch b/net-snmp-5.8-memleak-backport.patch new file mode 100644 index 0000000..90b6835 --- /dev/null +++ b/net-snmp-5.8-memleak-backport.patch 
@@ -0,0 +1,92 @@ +From c6facf2f080c9e1ea803e4884dc92889ec83d990 Mon Sep 17 00:00:00 2001 +From: Drew A Roedersheimer +Date: Wed, 10 Oct 2018 21:42:35 -0700 +Subject: [PATCH] snmplib/keytools: Fix a memory leak + +Avoid that Valgrind reports the following memory leak: + +17,328 bytes in 361 blocks are definitely lost in loss record 696 of 704 + at 0x4C29BE3: malloc (vg_replace_malloc.c:299) + by 0x52223B7: CRYPTO_malloc (in /usr/lib64/libcrypto.so.1.0.2k) + by 0x52DDB06: EVP_MD_CTX_create (in /usr/lib64/libcrypto.so.1.0.2k) + by 0x4E9885D: generate_Ku (keytools.c:186) + by 0x40171F: asynchronous (leaktest.c:276) + by 0x400FE7: main (leaktest.c:356) +--- + snmplib/keytools.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/snmplib/keytools.c b/snmplib/keytools.c +index 2cf0240abf..dcdae044ac 100644 +--- a/snmplib/keytools.c ++++ b/snmplib/keytools.c +@@ -186,11 +186,15 @@ generate_Ku(const oid * hashtype, u_int hashtype_len, + ctx = EVP_MD_CTX_create(); + #else + ctx = malloc(sizeof(*ctx)); +- if (!EVP_MD_CTX_init(ctx)) +- return SNMPERR_GENERR; ++ if (!EVP_MD_CTX_init(ctx)) { ++ rval = SNMPERR_GENERR; ++ goto generate_Ku_quit; ++ } + #endif +- if (!EVP_DigestInit(ctx, hashfn)) +- return SNMPERR_GENERR; ++ if (!EVP_DigestInit(ctx, hashfn)) { ++ rval = SNMPERR_GENERR; ++ goto generate_Ku_quit; ++ } + + #elif NETSNMP_USE_INTERNAL_CRYPTO + #ifndef NETSNMP_DISABLE_MD5 +From 67726f2a74007b5b4117fe49ca1e02c86110b624 Mon Sep 17 00:00:00 2001 +From: Drew A Roedersheimer +Date: Tue, 9 Oct 2018 23:28:25 +0000 +Subject: [PATCH] snmplib: Fix a memory leak in scapi.c + +This patch avoids that Valgrind reports the following leak: + +==1069== 3,456 bytes in 72 blocks are definitely lost in loss record 1,568 of 1,616 +==1069== at 0x4C29BE3: malloc (vg_replace_malloc.c:299) +==1069== by 0x70A63B7: CRYPTO_malloc (in /usr/lib64/libcrypto.so.1.0.2k) +==1069== by 0x7161B06: EVP_MD_CTX_create (in /usr/lib64/libcrypto.so.1.0.2k) +==1069== by 0x4EA3017: 
sc_hash (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4EA1CD8: hash_engineID (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4EA1DEC: search_enginetime_list (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4EA2256: set_enginetime (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4EC495E: usm_process_in_msg (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4EC58CA: usm_secmod_process_in_msg (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4E7B91D: snmpv3_parse (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4E7C1F6: ??? (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4E7CE94: ??? (in /usr/lib64/libnetsnmp.so.31.0.2) + +[ bvanassche: minimized diffs / edited commit message ] +--- + snmplib/scapi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/snmplib/scapi.c b/snmplib/scapi.c +index 8ad1d70d90..54310099d8 100644 +--- a/snmplib/scapi.c ++++ b/snmplib/scapi.c +@@ -967,7 +967,8 @@ sc_hash_type(int auth_type, const u_char * buf, size_t buf_len, u_char * MAC, + #endif + if (!EVP_DigestInit(cptr, hashfn)) { + /* requested hash function is not available */ +- return SNMPERR_SC_NOT_CONFIGURED; ++ rval = SNMPERR_SC_NOT_CONFIGURED; ++ goto sc_hash_type_quit; + } + + /** pass the data */ +@@ -976,6 +977,8 @@ sc_hash_type(int auth_type, const u_char * buf, size_t buf_len, u_char * MAC, + /** do the final pass */ + EVP_DigestFinal(cptr, MAC, &tmp_len); + *MAC_len = tmp_len; ++ ++sc_hash_type_quit: + #if defined(HAVE_EVP_MD_CTX_FREE) + EVP_MD_CTX_free(cptr); + #elif defined(HAVE_EVP_MD_CTX_DESTROY) + diff --git a/net-snmp-5.8-memory-reporting.patch b/net-snmp-5.8-memory-reporting.patch new file mode 100644 index 0000000..da03a37 --- /dev/null +++ b/net-snmp-5.8-memory-reporting.patch 
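Review bot: In the `generate_Ku()` hunk the digest context is still used without checking the allocation. Both `ctx = EVP_MD_CTX_create();` and `ctx = malloc(sizeof(*ctx));` feed the following init calls directly. Now that failures jump to `generate_Ku_quit`, an allocation check such as `if (!ctx) { rval = SNMPERR_GENERR; goto generate_Ku_quit; }` fits the same pattern. This is safe only if the cleanup at that label tolerates a NULL `ctx`; the label is outside the hunk, so that needs confirming. The `sc_hash_type()` change has the same shape and places its label directly before the existing free calls.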
@@ -0,0 +1,35 @@ +diff -urNp a/agent/mibgroup/hardware/memory/memory_linux.c b/agent/mibgroup/hardware/memory/memory_linux.c +--- a/agent/mibgroup/hardware/memory/memory_linux.c 2020-06-10 13:36:40.164588176 +0200 ++++ b/agent/mibgroup/hardware/memory/memory_linux.c 2020-06-10 13:38:59.398944829 +0200 +@@ -29,7 +29,7 @@ int netsnmp_mem_arch_load( netsnmp_cache + ssize_t bytes_read; + char *b; + unsigned long memtotal = 0, memfree = 0, memshared = 0, +- buffers = 0, cached = 0, ++ buffers = 0, cached = 0, sreclaimable = 0, + swaptotal = 0, swapfree = 0; + + netsnmp_memory_info *mem; +@@ -127,6 +127,13 @@ int netsnmp_mem_arch_load( netsnmp_cache + if (first) + snmp_log(LOG_ERR, "No SwapTotal line in /proc/meminfo\n"); + } ++ b = strstr(buff, "SReclaimable: "); ++ if (b) ++ sscanf(b, "SReclaimable: %lu", &sreclaimable); ++ else { ++ if (first) ++ snmp_log(LOG_ERR, "No SReclaimable line in /proc/meminfo\n"); ++ } + b = strstr(buff, "SwapFree: "); + if (b) + sscanf(b, "SwapFree: %lu", &swapfree); +@@ -183,7 +190,7 @@ int netsnmp_mem_arch_load( netsnmp_cache + if (!mem->descr) + mem->descr = strdup("Cached memory"); + mem->units = 1024; +- mem->size = cached; ++ mem->size = cached+sreclaimable; + mem->free = 0; /* Report cached size/used as equal */ + mem->other = -1; + } diff --git a/net-snmp-5.8-modern-rpm-api.patch b/net-snmp-5.8-modern-rpm-api.patch new file mode 100644 index 0000000..93fcc63 --- /dev/null +++ b/net-snmp-5.8-modern-rpm-api.patch 
@@ -0,0 +1,83 @@ +diff -urNp a/agent/mibgroup/host/data_access/swinst_rpm.c b/agent/mibgroup/host/data_access/swinst_rpm.c +--- a/agent/mibgroup/host/data_access/swinst_rpm.c 2018-07-18 16:12:19.583503903 +0200 ++++ b/agent/mibgroup/host/data_access/swinst_rpm.c 2018-07-18 16:50:38.599703588 +0200 +@@ -102,7 +102,6 @@ netsnmp_swinst_arch_load( netsnmp_contai + rpmtd td_name, td_version, td_release, td_group, td_time; + #else + char *n, *v, *r, *g; +- int32_t *t; + #endif + time_t install_time; + size_t date_len; +@@ -146,14 +145,13 @@ netsnmp_swinst_arch_load( netsnmp_contai + install_time = rpmtdGetNumber(td_time); + g = rpmtdGetString(td_group); + #else +- headerGetEntry( h, RPMTAG_NAME, NULL, (void**)&n, NULL); +- headerGetEntry( h, RPMTAG_VERSION, NULL, (void**)&v, NULL); +- headerGetEntry( h, RPMTAG_RELEASE, NULL, (void**)&r, NULL); +- headerGetEntry( h, RPMTAG_GROUP, NULL, (void**)&g, NULL); +- headerGetEntry( h, RPMTAG_INSTALLTIME, NULL, (void**)&t, NULL); ++ n = headerGetString( h, RPMTAG_NAME); ++ v = headerGetString( h, RPMTAG_VERSION); ++ r = headerGetString( h, RPMTAG_RELEASE); ++ g = headerGetString( h, RPMTAG_GROUP); ++ install_time = headerGetNumber( h, RPMTAG_INSTALLTIME); + entry->swName_len = snprintf( entry->swName, sizeof(entry->swName), + "%s-%s-%s", n, v, r); +- install_time = *t; + #endif + entry->swType = (g && NULL != strstr( g, "System Environment")) + ? 
2 /* operatingSystem */ +diff -urNp a/agent/mibgroup/host/hr_swinst.c b/agent/mibgroup/host/hr_swinst.c +--- a/agent/mibgroup/host/hr_swinst.c 2018-07-18 16:12:19.582503907 +0200 ++++ b/agent/mibgroup/host/hr_swinst.c 2018-07-18 17:09:29.716564197 +0200 +@@ -479,9 +479,9 @@ var_hrswinst(struct variable * vp, + } + #else + # ifdef HAVE_LIBRPM +- char *rpm_groups; +- if ( headerGetEntry(swi->swi_h, RPMTAG_GROUP, NULL, (void **) &rpm_groups, NULL) ) { +- if ( strstr(rpm_groups, "System Environment") != NULL ) ++ const char *rpm_group = headerGetString(swi->swi_h, RPMTAG_GROUP); ++ if ( NULL != rpm_group ) { ++ if ( strstr(rpm_group, "System Environment") != NULL ) + long_return = 2; /* operatingSystem */ + else + long_return = 4; /* applcation */ +@@ -498,9 +498,8 @@ var_hrswinst(struct variable * vp, + case HRSWINST_DATE: + { + #ifdef HAVE_LIBRPM +- int32_t *rpm_data; +- if ( headerGetEntry(swi->swi_h, RPMTAG_INSTALLTIME, NULL, (void **) &rpm_data, NULL) ) { +- time_t installTime = *rpm_data; ++ time_t installTime = headerGetNumber(swi->swi_h, RPMTAG_INSTALLTIME); ++ if ( 0 != installTime ) { + ret = date_n_time(&installTime, var_len); + } else { + ret = date_n_time(NULL, var_len); +@@ -660,7 +659,7 @@ Save_HR_SW_info(int ix) + if (1 <= ix && ix <= swi->swi_nrec && ix != swi->swi_prevx) { + int offset; + Header h; +- char *n, *v, *r; ++ const char *n, *v, *r; + + offset = swi->swi_recs[ix - 1]; + +@@ -685,11 +684,9 @@ Save_HR_SW_info(int ix) + swi->swi_h = h; + swi->swi_prevx = ix; + +- headerGetEntry(swi->swi_h, RPMTAG_NAME, NULL, (void **) &n, NULL); +- headerGetEntry(swi->swi_h, RPMTAG_VERSION, NULL, (void **) &v, +- NULL); +- headerGetEntry(swi->swi_h, RPMTAG_RELEASE, NULL, (void **) &r, +- NULL); ++ n = headerGetString(swi->swi_h, RPMTAG_NAME); ++ v = headerGetString(swi->swi_h, RPMTAG_VERSION); ++ r = headerGetString(swi->swi_h, RPMTAG_RELEASE); + snprintf(swi->swi_name, sizeof(swi->swi_name), "%s-%s-%s", n, v, r); + swi->swi_name[ sizeof(swi->swi_name)-1 ] = 
0; + } diff --git a/net-snmp-5.8-multilib.patch b/net-snmp-5.8-multilib.patch new file mode 100644 index 0000000..b8f3fea --- /dev/null +++ b/net-snmp-5.8-multilib.patch 
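Review bot: `headerGetString()` returns NULL when a tag is absent, and the new code in `netsnmp_swinst_arch_load()` and `Save_HR_SW_info()` passes `n`, `v` and `r` straight into `snprintf(..., "%s-%s-%s", n, v, r)`. The group string is NULL-checked in both files; the name fields should get the same treatment, e.g. `n ? n : ""`, or the entry should be skipped. In `swinst_rpm.c` the variables stay declared as `char *n, *v, *r, *g;` while `hr_swinst.c` switches to `const char *`. Making both `const char *` matches the API's return type and avoids a discarded-qualifier warning. `var_hrswinst()` treats a `headerGetNumber()` result of 0 as "no install time", which is reasonable but worth a short comment.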
@@ -0,0 +1,45 @@
+diff -urNp a/man/netsnmp_config_api.3.def b/man/netsnmp_config_api.3.def
+--- a/man/netsnmp_config_api.3.def 2018-07-18 11:18:06.196792766 +0200
++++ b/man/netsnmp_config_api.3.def 2018-07-18 11:20:04.631679886 +0200
+@@ -295,7 +295,7 @@ for one particular machine.
+ .PP
+ The default list of directories to search is \fC SYSCONFDIR/snmp\fP,
+ followed by \fC DATADIR/snmp\fP,
+-followed by \fC LIBDIR/snmp\fP,
++followed by \fC /usr/lib(64)/snmp\fP,
+ followed by \fC $HOME/.snmp\fP.
+ This list can be changed by setting the environmental variable
+ .I SNMPCONFPATH
+@@ -367,7 +367,7 @@ A colon separated list of directories to
+ files in.
+ Default:
+ .br
+-SYSCONFDIR/snmp:\:DATADIR/snmp:\:LIBDIR/snmp:\:$HOME/.snmp
++SYSCONFDIR/snmp:\:DATADIR/snmp:\:/usr/lib(64)/snmp:\:$HOME/.snmp
+ .SH "SEE ALSO"
+ netsnmp_mib_api(3), snmp_api(3)
+ .\" Local Variables:
+diff -urNp a/man/snmp_config.5.def b/man/snmp_config.5.def
+--- a/man/snmp_config.5.def 2018-07-18 11:18:06.194792767 +0200
++++ b/man/snmp_config.5.def 2018-07-18 11:20:56.423626117 +0200
+@@ -10,7 +10,7 @@ First off, there are numerous places tha
+ found and read from. By default, the applications look for
+ configuration files in the following 4 directories, in order:
+ SYSCONFDIR/snmp,
+-DATADIR/snmp, LIBDIR/snmp, and $HOME/.snmp. In each of these
++DATADIR/snmp, /usr/lib(64)/snmp, and $HOME/.snmp. In each of these
+ directories, it looks for files snmp.conf, snmpd.conf and/or
+ snmptrapd.conf, as well as snmp.local.conf, snmpd.local.conf
+ and/or snmptrapd.local.conf.
*.local.conf are always
+diff -urNp a/man/snmpd.conf.5.def b/man/snmpd.conf.5.def
+--- a/man/snmpd.conf.5.def 2018-07-18 11:18:06.196792766 +0200
++++ b/man/snmpd.conf.5.def 2018-07-18 11:21:44.263574388 +0200
+@@ -1559,7 +1559,7 @@ filename), and call the initialisation r
+ .RS
+ .IP "Note:"
+ If the specified PATH is not a fully qualified filename, it will
+-be interpreted relative to LIBDIR/snmp/dlmod, and \fC.so\fR
++be interpreted relative to /usr/lib(64)/snmp/dlmod, and \fC.so\fR
+ will be appended to the filename.
+ .RE
+ .PP
diff --git a/net-snmp-5.8-proxy-getnext.patch b/net-snmp-5.8-proxy-getnext.patch
new file mode 100644
index 0000000..ff2294f
--- /dev/null
+++ b/net-snmp-5.8-proxy-getnext.patch
@@ -0,0 +1,12 @@
+diff -ruNp a/agent/mibgroup/ucd-snmp/proxy.c b/agent/mibgroup/ucd-snmp/proxy.c
+--- a/agent/mibgroup/ucd-snmp/proxy.c 2020-06-10 09:24:24.933347483 +0200
++++ b/agent/mibgroup/ucd-snmp/proxy.c 2020-06-10 09:25:49.007148474 +0200
+@@ -460,7 +460,7 @@ proxy_handler(netsnmp_mib_handler *handl
+ if (sp->base_len &&
+ reqinfo->mode == MODE_GETNEXT &&
+ (snmp_oid_compare(ourname, ourlength,
+- sp->base, sp->base_len) < 0)) {
++ sp->name, sp->name_len) < 0)) {
+ DEBUGMSGTL(( "proxy", "request is out of registered range\n"));
+ /*
+ * Create GETNEXT request with an OID so the
diff --git a/net-snmp-5.8-rpm-memory-leak.patch b/net-snmp-5.8-rpm-memory-leak.patch
new file mode 100644
index 0000000..33b8d29
--- /dev/null
+++ b/net-snmp-5.8-rpm-memory-leak.patch
@@ -0,0 +1,26 @@
+diff -urNp a/agent/mibgroup/host/data_access/swinst_rpm.c b/agent/mibgroup/host/data_access/swinst_rpm.c
+--- a/agent/mibgroup/host/data_access/swinst_rpm.c 2020-06-10 14:32:43.330486233 +0200
++++ b/agent/mibgroup/host/data_access/swinst_rpm.c 2020-06-10 14:35:46.672298741 +0200
+@@ -75,6 +75,9 @@ netsnmp_swinst_arch_init(void)
+ snprintf( pkg_directory, SNMP_MAXPATH, "%s/Packages", dbpath );
+ SNMP_FREE(rpmdbpath);
+ dbpath = NULL;
++#ifdef HAVE_RPMGETPATH
++ rpmFreeRpmrc();
++#endif
+ if (-1 == stat( pkg_directory, &stat_buf )) {
+ snmp_log(LOG_ERR, "Can't find directory of RPM packages");
+ pkg_directory[0] = '\0';
+diff -urNp a/agent/mibgroup/host/hr_swinst.c b/agent/mibgroup/host/hr_swinst.c
+--- a/agent/mibgroup/host/hr_swinst.c 2020-06-10 14:32:43.325486184 +0200
++++ b/agent/mibgroup/host/hr_swinst.c 2020-06-10 14:36:44.423872418 +0200
+@@ -231,6 +231,9 @@ init_hr_swinst(void)
+ snprintf(path, sizeof(path), "%s/packages.rpm", swi->swi_dbpath);
+ path[ sizeof(path)-1 ] = 0;
+ swi->swi_directory = strdup(path);
++#ifdef HAVE_RPMGETPATH
++ rpmFreeRpmrc();
++#endif
+ }
+ #else
+ # ifdef _PATH_HRSW_directory
diff --git a/net-snmp-5.8-sec-counter.patch b/net-snmp-5.8-sec-counter.patch
new file mode 100644
index 0000000..9514e5b
--- /dev/null
+++ b/net-snmp-5.8-sec-counter.patch
@@ -0,0 +1,146 @@
+diff -urNp a/include/net-snmp/library/snmpusm.h b/include/net-snmp/library/snmpusm.h
+--- a/include/net-snmp/library/snmpusm.h 2020-03-16 09:54:29.883655600 +0100
++++ b/include/net-snmp/library/snmpusm.h 2020-03-16 09:55:24.142944520 +0100
+@@ -43,6 +43,7 @@ extern "C" {
+ * Structures.
+ */
+ struct usmStateReference {
++ int refcnt;
+ char *usr_name;
+ size_t usr_name_length;
+ u_char *usr_engine_id;
+diff -urNp a/snmplib/snmp_client.c b/snmplib/snmp_client.c
+--- a/snmplib/snmp_client.c 2020-03-16 09:54:29.892655813 +0100
++++ b/snmplib/snmp_client.c 2020-03-16 09:58:13.214021890 +0100
+@@ -402,27 +402,16 @@ _clone_pdu_header(netsnmp_pdu *pdu)
+ return NULL;
+ }
+
+- if (pdu->securityStateRef &&
+- pdu->command == SNMP_MSG_TRAP2) {
+-
+- ret = usm_clone_usmStateReference((struct usmStateReference *) pdu->securityStateRef,
+- (struct usmStateReference **) &newpdu->securityStateRef );
+-
+- if (ret)
+- {
++ sptr = find_sec_mod(newpdu->securityModel);
++ if (sptr && sptr->pdu_clone) {
++ /* call security model if it needs to know about this */
++ ret = sptr->pdu_clone(pdu, newpdu);
++ if (ret) {
+ snmp_free_pdu(newpdu);
+ return NULL;
+ }
+ }
+
+- if ((sptr = find_sec_mod(newpdu->securityModel)) != NULL &&
+- sptr->pdu_clone != NULL) {
+- /*
+- * call security model if it needs to know about this
+- */
+- (*sptr->pdu_clone) (pdu, newpdu);
+- }
+-
+ return newpdu;
+ }
+
+diff -urNp a/snmplib/snmpusm.c b/snmplib/snmpusm.c
+--- a/snmplib/snmpusm.c 2020-03-16 09:54:29.894655860 +0100
++++ b/snmplib/snmpusm.c 2020-03-16 10:03:38.870027530 +0100
+@@ -285,43 +285,64 @@ free_enginetime_on_shutdown(int majorid,
+ struct usmStateReference *
+ usm_malloc_usmStateReference(void)
+ {
+- struct usmStateReference *retval = (struct usmStateReference *)
+- calloc(1, sizeof(struct usmStateReference));
++ struct usmStateReference *retval;
++
++ retval = calloc(1, sizeof(struct usmStateReference));
++ if (retval)
++ retval->refcnt = 1;
+
+ return retval;
+ } /* end
usm_malloc_usmStateReference() */
+
++static int
++usm_clone(netsnmp_pdu *pdu, netsnmp_pdu *new_pdu)
++{
++ struct usmStateReference *ref = pdu->securityStateRef;
++ struct usmStateReference **new_ref =
++ (struct usmStateReference **)&new_pdu->securityStateRef;
++ int ret = 0;
++
++ if (!ref)
++ return ret;
++
++ if (pdu->command == SNMP_MSG_TRAP2) {
++ netsnmp_assert(pdu->securityModel == SNMP_DEFAULT_SECMODEL);
++ ret = usm_clone_usmStateReference(ref, new_ref);
++ } else {
++ netsnmp_assert(ref == *new_ref);
++ ref->refcnt++;
++ }
++
++ return ret;
++}
++
+
+ void
+ usm_free_usmStateReference(void *old)
+ {
+- struct usmStateReference *old_ref = (struct usmStateReference *) old;
++ struct usmStateReference *ref = old;
+
+- if (old_ref) {
++ if (!ref)
++ return;
+
+- if (old_ref->usr_name_length)
+- SNMP_FREE(old_ref->usr_name);
+- if (old_ref->usr_engine_id_length)
+- SNMP_FREE(old_ref->usr_engine_id);
+- if (old_ref->usr_auth_protocol_length)
+- SNMP_FREE(old_ref->usr_auth_protocol);
+- if (old_ref->usr_priv_protocol_length)
+- SNMP_FREE(old_ref->usr_priv_protocol);
+-
+- if (old_ref->usr_auth_key_length && old_ref->usr_auth_key) {
+- SNMP_ZERO(old_ref->usr_auth_key, old_ref->usr_auth_key_length);
+- SNMP_FREE(old_ref->usr_auth_key);
+- }
+- if (old_ref->usr_priv_key_length && old_ref->usr_priv_key) {
+- SNMP_ZERO(old_ref->usr_priv_key, old_ref->usr_priv_key_length);
+- SNMP_FREE(old_ref->usr_priv_key);
+- }
++ if (--ref->refcnt > 0)
++ return;
+
+- SNMP_ZERO(old_ref, sizeof(*old_ref));
+- SNMP_FREE(old_ref);
++ SNMP_FREE(ref->usr_name);
++ SNMP_FREE(ref->usr_engine_id);
++ SNMP_FREE(ref->usr_auth_protocol);
++ SNMP_FREE(ref->usr_priv_protocol);
+
++ if (ref->usr_auth_key_length && ref->usr_auth_key) {
++ SNMP_ZERO(ref->usr_auth_key, ref->usr_auth_key_length);
++ SNMP_FREE(ref->usr_auth_key);
++ }
++ if (ref->usr_priv_key_length && ref->usr_priv_key) {
++ SNMP_ZERO(ref->usr_priv_key, ref->usr_priv_key_length);
++ SNMP_FREE(ref->usr_priv_key);
+ }
+
++
SNMP_FREE(ref);
+ } /* end usm_free_usmStateReference() */
+
+ struct usmUser *
+@@ -3316,6 +3337,7 @@ init_usm(void)
+ def->encode_reverse = usm_secmod_rgenerate_out_msg;
+ def->encode_forward = usm_secmod_generate_out_msg;
+ def->decode = usm_secmod_process_in_msg;
++ def->pdu_clone = usm_clone;
+ def->pdu_free_state_ref = usm_free_usmStateReference;
+ def->session_setup = usm_session_init;
+ def->handle_report = usm_handle_report;
diff --git a/net-snmp-5.8-sec-memory-leak.patch b/net-snmp-5.8-sec-memory-leak.patch
new file mode 100644
index 0000000..2d5a986
--- /dev/null
+++ b/net-snmp-5.8-sec-memory-leak.patch
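Review bot: The rewritten `usm_free_usmStateReference()` in snmplib/snmpusm.c drops the `SNMP_ZERO(old_ref, sizeof(*old_ref))` that the old code ran before releasing the struct, so its pointers and lengths stay readable in the freed block; now that the reference is shared through `refcnt`, a holder that outlives the last free would see plausible-looking stale fields instead of NULLs. Keeping `SNMP_ZERO(ref, sizeof(*ref));` immediately before `SNMP_FREE(ref);` preserves the earlier behaviour. The new `refcnt` member in snmpusm.h also deserves a comment such as `/* number of PDUs holding this reference; set to 1 by usm_malloc_usmStateReference() */`, since the count is only correct when every allocation goes through that function. In `usm_clone()` the increment follows `netsnmp_assert(ref == *new_ref)`; if that assert only logs in this build (not visible here), the count is bumped even when the new PDU does not hold `ref`.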
@@ -0,0 +1,84 @@
+diff -urNp a/agent/snmp_agent.c b/agent/snmp_agent.c
+--- a/agent/snmp_agent.c 2020-06-11 10:20:31.646339191 +0200
++++ b/agent/snmp_agent.c 2020-06-11 10:23:41.178056889 +0200
+@@ -1605,12 +1605,6 @@ free_agent_snmp_session(netsnmp_agent_se
+ DEBUGMSGTL(("verbose:asp", "asp %p reqinfo %p freed\n",
+ asp, asp->reqinfo));
+
+- /* Clean up securityStateRef here to prevent a double free */
+- if (asp->orig_pdu && asp->orig_pdu->securityStateRef)
+- snmp_free_securityStateRef(asp->orig_pdu);
+- if (asp->pdu && asp->pdu->securityStateRef)
+- snmp_free_securityStateRef(asp->pdu);
+-
+ if (asp->orig_pdu)
+ snmp_free_pdu(asp->orig_pdu);
+ if (asp->pdu)
+diff -urNp a/include/net-snmp/pdu_api.h b/include/net-snmp/pdu_api.h
+--- a/include/net-snmp/pdu_api.h 2020-06-11 10:20:31.631339058 +0200
++++ b/include/net-snmp/pdu_api.h 2020-06-11 10:24:17.261390028 +0200
+@@ -19,8 +19,6 @@ NETSNMP_IMPORT
+ netsnmp_pdu *snmp_fix_pdu( netsnmp_pdu *pdu, int idx);
+ NETSNMP_IMPORT
+ void snmp_free_pdu( netsnmp_pdu *pdu);
+-NETSNMP_IMPORT
+-void snmp_free_securityStateRef( netsnmp_pdu *pdu);
+
+ #ifdef __cplusplus
+ }
+diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+--- a/snmplib/snmp_api.c 2020-06-11 10:20:31.695339627 +0200
++++ b/snmplib/snmp_api.c 2020-06-11 10:33:55.510891945 +0200
+@@ -4034,17 +4034,6 @@ free_securityStateRef(netsnmp_pdu* pdu)
+ pdu->securityStateRef = NULL;
+ }
+
+-/*
+- * This function is here to provide a separate call to
+- * free the securityStateRef memory. This is needed to prevent
+- * a double free if this memory is freed in snmp_free_pdu.
+- */
+-void
+-snmp_free_securityStateRef(netsnmp_pdu* pdu)
+-{
+- free_securityStateRef(pdu);
+-}
+-
+ #define ERROR_STAT_LENGTH 11
+
+ int
+@@ -5473,6 +5462,8 @@ snmp_free_pdu(netsnmp_pdu *pdu)
+ if (!pdu)
+ return;
+
++ free_securityStateRef(pdu);
++
+ /*
+ * If the command field is empty, that probably indicates
+ * that this PDU structure has already been freed.
+@@ -5647,12 +5638,6 @@ _sess_process_packet_parse_pdu(void *ses
+ }
+
+ if (ret != SNMP_ERR_NOERROR) {
+- /*
+- * Call the security model to free any securityStateRef supplied w/ msg.
+- */
+- if (pdu->securityStateRef != NULL) {
+- free_securityStateRef(pdu);
+- }
+ snmp_free_pdu(pdu);
+ return NULL;
+ }
+@@ -5826,12 +5811,6 @@ _sess_process_packet_handle_pdu(void *se
+ }
+ }
+
+- /*
+- * Call USM to free any securityStateRef supplied with the message.
+- */
+- if (pdu->securityStateRef && pdu->command == SNMP_MSG_TRAP2)
+- free_securityStateRef(pdu);
+-
+ if (!handled) {
+ if (sp->flags & SNMP_FLAGS_SHARED_SOCKET)
+ return -2;
diff --git a/net-snmp-5.8-test-debug.patch b/net-snmp-5.8-test-debug.patch
new file mode 100644
index 0000000..1ecd2ab
--- /dev/null
+++ b/net-snmp-5.8-test-debug.patch
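Review bot: In the snmp_api.c hunk for `snmp_free_pdu()`, the added `free_securityStateRef(pdu);` sits above the existing comment "If the command field is empty, that probably indicates that this PDU structure has already been freed", so on a PDU that this guard is meant to catch, the security model's free callback is still invoked on whatever `pdu->securityStateRef` holds. Moving the call below that guard keeps the double-free protection in front of the new release; the guard itself lies outside the hunk, so its exact form should be checked first. The pdu_api.h hunk also removes the exported `snmp_free_securityStateRef()` declaration, which breaks any out-of-tree caller built against the header that declared it, and a line in the patch header should say so.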
@@ -0,0 +1,30 @@
+Don't check tests which depend on DNS - it's disabled in Koji
+
+diff -urNp a/testing/fulltests/default/T070com2sec_simple b/testing/fulltests/default/T070com2sec_simple
+--- a/testing/fulltests/default/T070com2sec_simple 2018-07-18 11:52:56.081185545 +0200
++++ b/testing/fulltests/default/T070com2sec_simple 2018-07-18 11:54:18.843968880 +0200
+@@ -134,6 +134,10 @@ SAVECHECKAGENT '<"c406a", 255.255.255.25
+ SAVECHECKAGENT 'line 30: Error:' # msg from h_strerror so it varies
+ SAVECHECKAGENT 'line 31: Error:' # msg from h_strerror so it varies
+
++FINISHED
++
++# don't test the rest, it depends on DNS, which is not available in Koji
++
+ CHECKAGENT '<"c408a"'
+ if [ "$snmp_last_test_result" -eq 0 ] ; then
+ CHECKAGENT 'line 32: Error:'
+diff -urNp a/testing/fulltests/default/T071com2sec6_simple b/testing/fulltests/default/T071com2sec6_simple
+--- a/testing/fulltests/default/T071com2sec6_simple 2018-07-18 11:52:56.080185548 +0200
++++ b/testing/fulltests/default/T071com2sec6_simple 2018-07-18 11:55:17.779818732 +0200
+@@ -132,6 +132,10 @@ SAVECHECKAGENT '<"c606a", ffff:ffff:ffff
+ SAVECHECKAGENT 'line 27: Error:'
+ SAVECHECKAGENT 'line 28: Error:'
+
++FINISHED
++
++# don't test the rest, it depends on DNS, which is not available in Koji
++
+ # 608
+ CHECKAGENT '<"c608a"'
+ if [ "$snmp_last_test_result" -eq 0 ] ; then
diff --git a/net-snmp-5.8-trapsink.patch b/net-snmp-5.8-trapsink.patch
new file mode 100644
index 0000000..5027d7e
--- /dev/null
+++ b/net-snmp-5.8-trapsink.patch
@@ -0,0 +1,21 @@
+diff -urNp old/snmplib/transports/snmpUDPIPv4BaseDomain.c new/snmplib/transports/snmpUDPIPv4BaseDomain.c
+--- old/snmplib/transports/snmpUDPIPv4BaseDomain.c 2019-06-27 08:40:48.663969034 +0200
++++ new/snmplib/transports/snmpUDPIPv4BaseDomain.c 2019-06-27 08:42:05.293723487 +0200
+@@ -317,7 +317,7 @@ netsnmp_udpipv4base_tspec_transport(nets
+ if (NULL != tspec->source) {
+ struct sockaddr_in src_addr, *srcp = &src_addr;
+ /** get sockaddr from source */
+- if (!netsnmp_sockaddr_in2(&src_addr, tspec->source, NULL))
++ if (!netsnmp_sockaddr_in2(&src_addr, tspec->source, ":0"))
+ return NULL;
+ return netsnmp_udpipv4base_transport_with_source(&addr, local, srcp);
+ } else {
+@@ -364,7 +364,7 @@ netsnmp_udpipv4base_transport(const stru
+ strcat(client_address, ":0");
+ have_port = 1;
+ }
+- rc = netsnmp_sockaddr_in2(&client_addr, client_socket, NULL);
++ rc = netsnmp_sockaddr_in2(&client_addr, client_socket, ":0");
+ if (client_address != client_socket)
+ free(client_address);
+ if(rc) {
diff --git a/net-snmp-5.8-usage-exit.patch b/net-snmp-5.8-usage-exit.patch
new file mode 100644
index 0000000..38b80ac
--- /dev/null
+++ b/net-snmp-5.8-usage-exit.patch
@@ -0,0 +1,11 @@
+diff -urNp a/agent/snmpd.c b/agent/snmpd.c
+--- a/agent/snmpd.c 2018-10-04 10:34:10.939728847 +0200
++++ b/agent/snmpd.c 2018-10-04 10:34:43.910625603 +0200
+@@ -325,6 +325,7 @@ usage(char *prog)
+ " -S d|i|0-7\t\tuse -Ls instead\n"
+ "\n"
+ );
++ exit(1);
+ }
+
+ static void
diff --git a/net-snmp-5.8-util-fix.patch b/net-snmp-5.8-util-fix.patch
new file mode 100644
index 0000000..3b73b45
--- /dev/null
+++ b/net-snmp-5.8-util-fix.patch
@@ -0,0 +1,13 @@
+diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
+--- a/snmplib/cert_util.c 2021-12-09 08:45:23.217942229 +0100
++++ b/snmplib/cert_util.c 2021-12-09 08:46:56.567562352 +0100
+@@ -1368,8 +1368,7 @@ _add_certfile(const char* dirname, const
+
+ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL);
+ if (NULL == okey)
+- snmp_log(LOG_ERR, "error parsing key file %s\n",
+- key->info.filename);
++ snmp_log(LOG_ERR, "error parsing key file %s\n", filename);
+ else {
+ key = _add_key(okey, dirname, filename, index);
+ if (NULL == key) {
diff --git a/net-snmp-5.8-v3-forward.patch b/net-snmp-5.8-v3-forward.patch
new file mode 100644
index 0000000..24ac379
--- /dev/null
+++ b/net-snmp-5.8-v3-forward.patch
@@ -0,0 +1,357 @@
+diff -urNp c/agent/snmp_agent.c d/agent/snmp_agent.c
+--- c/agent/snmp_agent.c 2019-09-18 08:44:53.833601845 +0200
++++ d/agent/snmp_agent.c 2019-09-18 08:46:38.176595597 +0200
+@@ -1604,6 +1604,13 @@ free_agent_snmp_session(netsnmp_agent_se
+
+ DEBUGMSGTL(("verbose:asp", "asp %p reqinfo %p freed\n",
+ asp, asp->reqinfo));
++
++ /* Clean up securityStateRef here to prevent a double free */
++ if (asp->orig_pdu && asp->orig_pdu->securityStateRef)
++ snmp_free_securityStateRef(asp->orig_pdu);
++ if (asp->pdu && asp->pdu->securityStateRef)
++ snmp_free_securityStateRef(asp->pdu);
++
+ if (asp->orig_pdu)
+ snmp_free_pdu(asp->orig_pdu);
+ if (asp->pdu)
+diff -urNp c/include/net-snmp/pdu_api.h d/include/net-snmp/pdu_api.h
+--- c/include/net-snmp/pdu_api.h 2019-09-18 08:44:53.822601740 +0200
++++ d/include/net-snmp/pdu_api.h 2019-09-18 08:47:03.620838212 +0200
+@@ -19,6 +19,8 @@ NETSNMP_IMPORT
+ netsnmp_pdu *snmp_fix_pdu( netsnmp_pdu *pdu, int idx);
+ NETSNMP_IMPORT
+ void snmp_free_pdu( netsnmp_pdu *pdu);
++NETSNMP_IMPORT
++void snmp_free_securityStateRef( netsnmp_pdu *pdu);
+
+ #ifdef __cplusplus
+ }
+diff -urNp c/snmplib/snmp_api.c d/snmplib/snmp_api.c
+--- c/snmplib/snmp_api.c 2019-09-18 08:44:53.807601597 +0200
++++ d/snmplib/snmp_api.c 2019-09-18 08:53:19.937435576 +0200
+@@ -4012,7 +4012,12 @@ snmpv3_parse(netsnmp_pdu *pdu,
+ static void
+ free_securityStateRef(netsnmp_pdu* pdu)
+ {
+- struct snmp_secmod_def *sptr = find_sec_mod(pdu->securityModel);
++ struct snmp_secmod_def *sptr;
++
++ if(!pdu->securityStateRef)
++ return;
++
++ sptr = find_sec_mod(pdu->securityModel);
+ if (sptr) {
+ if (sptr->pdu_free_state_ref) {
+ (*sptr->pdu_free_state_ref) (pdu->securityStateRef);
+@@ -4029,6 +4034,17 @@ free_securityStateRef(netsnmp_pdu* pdu)
+ pdu->securityStateRef = NULL;
+ }
+
++/*
++ * This function is here to provide a separate call to
++ * free the securityStateRef memory.
This is needed to prevent
++ * a double free if this memory is freed in snmp_free_pdu.
++ */
++void
++snmp_free_securityStateRef(netsnmp_pdu* pdu)
++{
++ free_securityStateRef(pdu);
++}
++
+ #define ERROR_STAT_LENGTH 11
+
+ int
+diff -urNp c/snmplib/snmpusm.c d/snmplib/snmpusm.c
+--- c/snmplib/snmpusm.c 2019-09-18 08:44:53.802601550 +0200
++++ d/snmplib/snmpusm.c 2019-09-18 08:57:35.696872662 +0200
+@@ -299,16 +299,20 @@ usm_free_usmStateReference(void *old)
+
+ if (old_ref) {
+
+- SNMP_FREE(old_ref->usr_name);
+- SNMP_FREE(old_ref->usr_engine_id);
+- SNMP_FREE(old_ref->usr_auth_protocol);
+- SNMP_FREE(old_ref->usr_priv_protocol);
++ if (old_ref->usr_name_length)
++ SNMP_FREE(old_ref->usr_name);
++ if (old_ref->usr_engine_id_length)
++ SNMP_FREE(old_ref->usr_engine_id);
++ if (old_ref->usr_auth_protocol_length)
++ SNMP_FREE(old_ref->usr_auth_protocol);
++ if (old_ref->usr_priv_protocol_length)
++ SNMP_FREE(old_ref->usr_priv_protocol);
+
+- if (old_ref->usr_auth_key) {
++ if (old_ref->usr_auth_key_length && old_ref->usr_auth_key) {
+ SNMP_ZERO(old_ref->usr_auth_key, old_ref->usr_auth_key_length);
+ SNMP_FREE(old_ref->usr_auth_key);
+ }
+- if (old_ref->usr_priv_key) {
++ if (old_ref->usr_priv_key_length && old_ref->usr_priv_key) {
+ SNMP_ZERO(old_ref->usr_priv_key, old_ref->usr_priv_key_length);
+ SNMP_FREE(old_ref->usr_priv_key);
+ }
+@@ -1039,7 +1043,6 @@ usm_generate_out_msg(int msgProcModel,
+ if ((user = usm_get_user(secEngineID, secEngineIDLen, secName))
+ == NULL && secLevel != SNMP_SEC_LEVEL_NOAUTH) {
+ DEBUGMSGTL(("usm", "Unknown User(%s)\n", secName));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_UNKNOWNSECURITYNAME;
+ }
+
+@@ -1091,7 +1094,6 @@ usm_generate_out_msg(int msgProcModel,
+ thePrivProtocolLength) == 1) {
+ DEBUGMSGTL(("usm", "Unsupported Security Level (%d)\n",
+ theSecLevel));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_UNSUPPORTEDSECURITYLEVEL;
+ }
+
+@@ -1121,7 +1123,6 @@ usm_generate_out_msg(int
msgProcModel,
+ &msgAuthParmLen, &msgPrivParmLen, &otstlen,
+ &seq_len, &msgSecParmLen) == -1) {
+ DEBUGMSGTL(("usm", "Failed calculating offsets.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_GENERICERROR;
+ }
+
+@@ -1143,7 +1144,6 @@ usm_generate_out_msg(int msgProcModel,
+ ptr = *wholeMsg = globalData;
+ if (theTotalLength > *wholeMsgLen) {
+ DEBUGMSGTL(("usm", "Message won't fit in buffer.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_GENERICERROR;
+ }
+
+@@ -1169,7 +1169,6 @@ usm_generate_out_msg(int msgProcModel,
+ htonl(boots_uint), htonl(time_uint),
+ &ptr[privParamsOffset]) == -1) {
+ DEBUGMSGTL(("usm", "Can't set AES iv.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_GENERICERROR;
+ }
+ }
+@@ -1185,7 +1184,6 @@ usm_generate_out_msg(int msgProcModel,
+ &ptr[privParamsOffset])
+ == -1)) {
+ DEBUGMSGTL(("usm", "Can't set DES-CBC salt.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_GENERICERROR;
+ }
+ }
+@@ -1198,7 +1196,6 @@ usm_generate_out_msg(int msgProcModel,
+ &ptr[dataOffset], &encrypted_length)
+ != SNMP_ERR_NOERROR) {
+ DEBUGMSGTL(("usm", "encryption error.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_ENCRYPTIONERROR;
+ }
+ #ifdef NETSNMP_ENABLE_TESTING_CODE
+@@ -1226,7 +1223,6 @@ usm_generate_out_msg(int msgProcModel,
+ if ((encrypted_length != (theTotalLength - dataOffset))
+ || (salt_length != msgPrivParmLen)) {
+ DEBUGMSGTL(("usm", "encryption length error.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_ENCRYPTIONERROR;
+ }
+
+@@ -1362,7 +1358,6 @@ usm_generate_out_msg(int msgProcModel,
+
+ if (temp_sig == NULL) {
+ DEBUGMSGTL(("usm", "Out of memory.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_GENERICERROR;
+ }
+
+@@ -1376,7 +1371,6 @@ usm_generate_out_msg(int msgProcModel,
+ SNMP_ZERO(temp_sig, temp_sig_len);
+ SNMP_FREE(temp_sig);
+ DEBUGMSGTL(("usm", "Signing
failed.\n")); +- usm_free_usmStateReference(secStateRef); + return SNMPERR_USM_AUTHENTICATIONFAILURE; + } + +@@ -1384,7 +1378,6 @@ usm_generate_out_msg(int msgProcModel, + SNMP_ZERO(temp_sig, temp_sig_len); + SNMP_FREE(temp_sig); + DEBUGMSGTL(("usm", "Signing lengths failed.\n")); +- usm_free_usmStateReference(secStateRef); + return SNMPERR_USM_AUTHENTICATIONFAILURE; + } + +@@ -1398,7 +1391,6 @@ usm_generate_out_msg(int msgProcModel, + /* + * endif -- create keyed hash + */ +- usm_free_usmStateReference(secStateRef); + + DEBUGMSGTL(("usm", "USM processing completed.\n")); + +@@ -1548,7 +1540,6 @@ usm_rgenerate_out_msg(int msgProcModel, + if ((user = usm_get_user(secEngineID, secEngineIDLen, secName)) + == NULL && secLevel != SNMP_SEC_LEVEL_NOAUTH) { + DEBUGMSGTL(("usm", "Unknown User\n")); +- usm_free_usmStateReference(secStateRef); + return SNMPERR_USM_UNKNOWNSECURITYNAME; + } + +@@ -1601,7 +1592,6 @@ usm_rgenerate_out_msg(int msgProcModel, + DEBUGMSGTL(("usm", "Unsupported Security Level or type (%d)\n", + theSecLevel)); + +- usm_free_usmStateReference(secStateRef); + return SNMPERR_USM_UNSUPPORTEDSECURITYLEVEL; + } + +@@ -1636,7 +1626,6 @@ usm_rgenerate_out_msg(int msgProcModel, + DEBUGMSGTL(("usm", + "couldn't malloc %d bytes for encrypted PDU\n", + (int)ciphertextlen)); +- usm_free_usmStateReference(secStateRef); + return SNMPERR_MALLOC; + } + +@@ -1652,7 +1641,6 @@ usm_rgenerate_out_msg(int msgProcModel, + htonl(boots_uint), htonl(time_uint), + iv) == -1) { + DEBUGMSGTL(("usm", "Can't set AES iv.\n")); +- usm_free_usmStateReference(secStateRef); + SNMP_FREE(ciphertext); + return SNMPERR_USM_GENERICERROR; + } +@@ -1667,7 +1655,6 @@ usm_rgenerate_out_msg(int msgProcModel, + thePrivKeyLength - 8, + iv) == -1)) { + DEBUGMSGTL(("usm", "Can't set DES-CBC salt.\n")); +- usm_free_usmStateReference(secStateRef); + SNMP_FREE(ciphertext); + return SNMPERR_USM_GENERICERROR; + } +@@ -1686,7 +1673,6 @@ usm_rgenerate_out_msg(int msgProcModel, + scopedPdu, scopedPduLen, + 
ciphertext, &ciphertextlen) != SNMP_ERR_NOERROR) {
+ DEBUGMSGTL(("usm", "encryption error.\n"));
+- usm_free_usmStateReference(secStateRef);
+ SNMP_FREE(ciphertext);
+ return SNMPERR_USM_ENCRYPTIONERROR;
+ }
+@@ -1703,7 +1689,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ ciphertext, ciphertextlen);
+ if (rc == 0) {
+ DEBUGMSGTL(("usm", "Encryption failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ SNMP_FREE(ciphertext);
+ return SNMPERR_USM_ENCRYPTIONERROR;
+ }
+@@ -1743,7 +1728,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ DEBUGINDENTLESS();
+ if (rc == 0) {
+ DEBUGMSGTL(("usm", "building privParams failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_TOO_LONG;
+ }
+
+@@ -1766,7 +1750,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ DEBUGINDENTLESS();
+ if (rc == 0) {
+ DEBUGMSGTL(("usm", "building authParams failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_TOO_LONG;
+ }
+
+@@ -1789,7 +1772,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ DEBUGINDENTLESS();
+ if (rc == 0) {
+ DEBUGMSGTL(("usm", "building authParams failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_TOO_LONG;
+ }
+
+@@ -1805,7 +1787,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ if (rc == 0) {
+ DEBUGMSGTL(("usm",
+ "building msgAuthoritativeEngineTime failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_TOO_LONG;
+ }
+
+@@ -1821,7 +1802,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ if (rc == 0) {
+ DEBUGMSGTL(("usm",
+ "building msgAuthoritativeEngineBoots failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_TOO_LONG;
+ }
+
+@@ -1833,7 +1813,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ DEBUGINDENTLESS();
+ if (rc == 0) {
+ DEBUGMSGTL(("usm", "building msgAuthoritativeEngineID failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_TOO_LONG;
+ }
+
+@@ -1846,7 +1825,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ *offset - sp_offset);
+ if (rc == 0) {
+
DEBUGMSGTL(("usm", "building usm security parameters failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_TOO_LONG;
+ }
+
+@@ -1860,7 +1838,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+
+ if (rc == 0) {
+ DEBUGMSGTL(("usm", "building msgSecurityParameters failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_TOO_LONG;
+ }
+
+@@ -1870,7 +1847,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ while ((*wholeMsgLen - *offset) < globalDataLen) {
+ if (!asn_realloc(wholeMsg, wholeMsgLen)) {
+ DEBUGMSGTL(("usm", "building global data failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_TOO_LONG;
+ }
+ }
+@@ -1886,7 +1862,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ ASN_CONSTRUCTOR), *offset);
+ if (rc == 0) {
+ DEBUGMSGTL(("usm", "building master packet sequence failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_TOO_LONG;
+ }
+
+@@ -1904,7 +1879,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+
+ if (temp_sig == NULL) {
+ DEBUGMSGTL(("usm", "Out of memory.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_GENERICERROR;
+ }
+
+@@ -1915,14 +1889,12 @@ usm_rgenerate_out_msg(int msgProcModel,
+ != SNMP_ERR_NOERROR) {
+ SNMP_FREE(temp_sig);
+ DEBUGMSGTL(("usm", "Signing failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_AUTHENTICATIONFAILURE;
+ }
+
+ if (temp_sig_len != msgAuthParmLen) {
+ SNMP_FREE(temp_sig);
+ DEBUGMSGTL(("usm", "Signing lengths failed.\n"));
+- usm_free_usmStateReference(secStateRef);
+ return SNMPERR_USM_AUTHENTICATIONFAILURE;
+ }
+
+@@ -1933,7 +1905,6 @@ usm_rgenerate_out_msg(int msgProcModel,
+ /*
+ * endif -- create keyed hash
+ */
+- usm_free_usmStateReference(secStateRef);
+ DEBUGMSGTL(("usm", "USM processing completed.\n"));
+ return SNMPERR_SUCCESS;
+ } /* end usm_rgenerate_out_msg() */
diff --git a/net-snmp-config b/net-snmp-config
new file mode 100755
index 0000000..7607ea7
--- /dev/null
+++ b/net-snmp-config
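Review bot: The snmpusm.c hunk at `usm_free_usmStateReference()` now skips a field whenever its recorded length is zero, e.g. `if (old_ref->usr_auth_key_length && old_ref->usr_auth_key)`, so a key buffer that is allocated while its length is still 0 is neither wiped nor freed. The removed lines applied `SNMP_FREE` to the name and protocol pointers unconditionally, so if the length tests exist because those pointers can be borrowed rather than owned, that reason belongs in a comment above the block. Separately, with every `usm_free_usmStateReference(secStateRef)` removed from `usm_generate_out_msg()` and `usm_rgenerate_out_msg()`, releasing the state reference becomes the caller's job; only `free_agent_snmp_session()` is updated in this patch, so other callers (not visible here) should be checked for leaks of this key-bearing structure.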
@@ -0,0 +1,62 @@
+#!/bin/sh
+#
+# net-snmp-config
+#
+# this shell script is designed to merely dump the configuration
+# information about how the net-snmp package was compiled. The
+# information is particularily useful for applications that need to
+# link against the net-snmp libraries and hence must know about any
+# other libraries that must be linked in as well.
+
+# this particular shell script calls arch specific script to avoid
+# multilib conflicts
+
+# Supported arches ix86 ia64 ppc ppc64 s390 s390x x86_64 alpha sparc sparc64
+
+arch=`arch`
+echo $arch | grep -q i.86
+if [ $? -eq 0 ] ; then
+ net-snmp-config-i386 $*
+ exit 0
+fi
+if [ "$arch" = "ia64" ] ; then
+ net-snmp-config-ia64 $*
+ exit 0
+fi
+if [ "$arch" = "ppc" ] ; then
+ net-snmp-config-ppc $*
+ exit 0
+fi
+if [ "$arch" = "ppc64" ] ; then
+ net-snmp-config-ppc64 $*
+ exit 0
+fi
+if [ "$arch" = "s390" ] ; then
+ net-snmp-config-s390 $*
+ exit 0
+fi
+if [ "$arch" = "s390x" ] ; then
+ net-snmp-config-s390x $*
+ exit 0
+fi
+if [ "$arch" = "x86_64" ] ; then
+ net-snmp-config-x86_64 $*
+ exit 0
+fi
+if [ "$arch" = "alpha" ] ; then
+ net-snmp-config-alpha $*
+ exit 0
+fi
+if [ "$arch" = "sparc" ] ; then
+ net-snmp-config-sparc $*
+ exit 0
+fi
+if [ "$arch" = "sparc64" ] ; then
+ net-snmp-config-sparc64 $*
+ exit 0
+fi
+if [ "$arch" = "aarch64" ] ; then
+ net-snmp-config-aarch64 $*
+ exit 0
+fi
+echo "Cannot determine architecture"
diff --git a/net-snmp-config.h b/net-snmp-config.h
new file mode 100644
index 0000000..b8f44d5
--- /dev/null
+++ b/net-snmp-config.h
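Review bot: Each branch of the net-snmp-config wrapper forwards its arguments with an unquoted `$*` and then runs `exit 0`, so arguments containing spaces or glob characters are re-split and the arch-specific script's exit status is thrown away. `exec net-snmp-config-x86_64 "$@"` (and likewise in the other branches) preserves both. The fall-through `echo "Cannot determine architecture"` writes to stdout and the script then ends with status 0, so a build that captures the output as compiler or linker flags receives the message as flags; `echo "Cannot determine architecture" >&2; exit 1` makes the failure visible to the caller.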
@@ -0,0 +1,38 @@
+/* This file is here to prevent a file conflict on multiarch systems. A
+ * conflict will frequently occur because arch-specific build-time
+ * configuration options are stored (and used, so they can't just be stripped
+ * out) in net-snmp-config.h. The original net-snmp-config.h has been renamed.
+ * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
+
+#ifdef net_snmp_config_multilib_redirection_h
+#error "Do not define net_snmp_config_multilib_redirection_h!"
+#endif
+#define net_snmp_config_multilib_redirection_h
+
+#if defined(__i386__)
+#include "net-snmp-config-i386.h"
+#elif defined(__ia64__)
+#include "net-snmp-config-ia64.h"
+#elif defined(__powerpc64__)
+#include "net-snmp-config-ppc64.h"
+#elif defined(__powerpc__)
+#include "net-snmp-config-ppc.h"
+#elif defined(__s390x__)
+#include "net-snmp-config-s390x.h"
+#elif defined(__s390__)
+#include "net-snmp-config-s390.h"
+#elif defined(__x86_64__)
+#include "net-snmp-config-x86_64.h"
+#elif defined(__alpha__)
+#include "net-snmp-config-alpha.h"
+#elif defined(__sparc__) && defined (__arch64__)
+#include "net-snmp-config-sparc64.h"
+#elif defined(__sparc__)
+#include "net-snmp-config-sparc.h"
+#elif defined(__aarch64__)
+#include "net-snmp-config-aarch64.h"
+#else
+#error "net-snmp-devel package does not work on your architecture"
+#endif
+
+#undef net_snmp_config_multilib_redirection_h
diff --git a/net-snmp-tmpfs.conf b/net-snmp-tmpfs.conf
new file mode 100644
index 0000000..9f782d6
--- /dev/null
+++ b/net-snmp-tmpfs.conf
@@ -0,0 +1 @@
+d /run/net-snmp 0755 root root
diff --git a/net-snmp-trapd.redhat.conf b/net-snmp-trapd.redhat.conf
new file mode 100644
index 0000000..72ce1cc
--- /dev/null
+++ b/net-snmp-trapd.redhat.conf
@@ -0,0 +1,6 @@
+# Example configuration file for snmptrapd
+#
+# No traps are handled by default, you must edit this file!
+#
+# authCommunity log,execute,net public
+# traphandle SNMPv2-MIB::coldStart /usr/bin/bin/my_great_script cold
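Review bot: The commented example `authCommunity log,execute,net public` in net-snmp-trapd.redhat.conf, if uncommented as written, lets any sender that uses the well-known community string `public` trigger `traphandle` programs and trap forwarding. The example would be safer as `# authCommunity log COMMUNITY`, with a comment telling the administrator to choose a site-specific community and to add `execute` or `net` only where a handler or forwarder really needs it. The sample handler path `/usr/bin/bin/my_great_script` also looks like a typo for a single `bin` directory.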
diff --git a/net-snmp.redhat.conf b/net-snmp.redhat.conf
new file mode 100644
index 0000000..ee19ab8
--- /dev/null
+++ b/net-snmp.redhat.conf
@@ -0,0 +1,462 @@ +############################################################################### +# +# snmpd.conf: +# An example configuration file for configuring the ucd-snmp snmpd agent. +# +############################################################################### +# +# This file is intended to only be as a starting point. Many more +# configuration directives exist than are mentioned in this file. For +# full details, see the snmpd.conf(5) manual page. +# +# All lines beginning with a '#' are comments and are intended for you +# to read. All other lines are configuration commands for the agent. + +############################################################################### +# Access Control +############################################################################### + +# As shipped, the snmpd demon will only respond to queries on the +# system mib group until this file is replaced or modified for +# security purposes. Examples are shown below about how to increase the +# level of access. + +# By far, the most common question I get about the agent is "why won't +# it work?", when really it should be "how do I configure the agent to +# allow me to access it?" +# +# By default, the agent responds to the "public" community for read +# only access, if run out of the box without any configuration file in +# place. The following examples show you other ways of configuring +# the agent so that you can change the community names, and give +# yourself write access to the mib tree as well. +# +# For more information, read the FAQ as well as the snmpd.conf(5) +# manual page. 
+ +#### +# First, map the community name "public" into a "security name" + +# sec.name source community +com2sec notConfigUser default public + +#### +# Second, map the security name into a group name: + +# groupName securityModel securityName +group notConfigGroup v1 notConfigUser +group notConfigGroup v2c notConfigUser + +#### +# Third, create a view for us to let the group have rights to: + +# Make at least snmpwalk -v 1 localhost -c public system fast again. +# name incl/excl subtree mask(optional) +view systemview included .1.3.6.1.2.1.1 +view systemview included .1.3.6.1.2.1.25.1.1 + +#### +# Finally, grant the group read-only access to the systemview view. + +# group context sec.model sec.level prefix read write notif +access notConfigGroup "" any noauth exact systemview none none + +# ----------------------------------------------------------------------------- + +# Here is a commented out example configuration that allows less +# restrictive access. + +# YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWORD ONLY +# KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO +# SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE. + +## sec.name source community +#com2sec local localhost COMMUNITY +#com2sec mynetwork NETWORK/24 COMMUNITY + +## group.name sec.model sec.name +#group MyRWGroup any local +#group MyROGroup any mynetwork +# +#group MyRWGroup any otherv3user +#... + +## incl/excl subtree mask +#view all included .1 80 + +## -or just the mib2 tree- + +#view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc + + +## context sec.model sec.level prefix read write notif +#access MyROGroup "" any noauth 0 all none none +#access MyRWGroup "" any noauth 0 all all all + + +############################################################################### +# Sample configuration to make net-snmpd RFC 1213. 
+# Unfortunately v1 and v2c don't allow any user based authentification, so +# opening up the default config is not an option from a security point. +# +# WARNING: If you uncomment the following lines you allow write access to your +# snmpd daemon from any source! To avoid this use different names for your +# community or split out the write access to a different community and +# restrict it to your local network. +# Also remember to comment the syslocation and syscontact parameters later as +# otherwise they are still read only (see FAQ for net-snmp). +# + +# First, map the community name "public" into a "security name" +# sec.name source community +#com2sec notConfigUser default public + +# Second, map the security name into a group name: +# groupName securityModel securityName +#group notConfigGroup v1 notConfigUser +#group notConfigGroup v2c notConfigUser + +# Third, create a view for us to let the group have rights to: +# Open up the whole tree for ro, make the RFC 1213 required ones rw. 
+# name incl/excl subtree mask(optional) +#view roview included .1 +#view rwview included system.sysContact +#view rwview included system.sysName +#view rwview included system.sysLocation +#view rwview included interfaces.ifTable.ifEntry.ifAdminStatus +#view rwview included at.atTable.atEntry.atPhysAddress +#view rwview included at.atTable.atEntry.atNetAddress +#view rwview included ip.ipForwarding +#view rwview included ip.ipDefaultTTL +#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest +#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex +#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1 +#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2 +#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3 +#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4 +#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType +#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge +#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask +#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5 +#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex +#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress +#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress +#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType +#view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState +#view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger +#view rwview included snmp.snmpEnableAuthenTraps + +# Finally, grant the group read-only access to the systemview view. 
+# group context sec.model sec.level prefix read write notif +#access notConfigGroup "" any noauth exact roview rwview none + + + +############################################################################### +# System contact information +# + +# It is also possible to set the sysContact and sysLocation system +# variables through the snmpd.conf file: + +syslocation Unknown (edit /etc/snmp/snmpd.conf) +syscontact Root (configure /etc/snmp/snmp.local.conf) + +# Example output of snmpwalk: +# % snmpwalk -v 1 localhost -c public system +# system.sysDescr.0 = "SunOS name sun4c" +# system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4 +# system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55 +# system.sysContact.0 = "Me " +# system.sysName.0 = "name" +# system.sysLocation.0 = "Right here, right now." +# system.sysServices.0 = 72 + + +############################################################################### +# Logging +# + +# We do not want annoying "Connection from UDP: " messages in syslog. +# If the following option is commented out, snmpd will print each incoming +# connection, which can be useful for debugging. + +dontLogTCPWrappersConnects yes + +# ----------------------------------------------------------------------------- + + +############################################################################### +# Process checks. +# +# The following are examples of how to use the agent to check for +# processes running on the host. The syntax looks something like: +# +# proc NAME [MAX=0] [MIN=0] +# +# NAME: the name of the process to check for. It must match +# exactly (ie, http will not find httpd processes). +# MAX: the maximum number allowed to be running. Defaults to 0. +# MIN: the minimum number to be running. Defaults to 0. + +# +# Examples (commented out by default): +# + +# Make sure mountd is running +#proc mountd + +# Make sure there are no more than 4 ntalkds running, but 0 is ok too. 
+#proc ntalkd 4 + +# Make sure at least one sendmail, but less than or equal to 10 are running. +#proc sendmail 10 1 + +# A snmpwalk of the process mib tree would look something like this: +# +# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2 +# enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1 +# enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2 +# enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3 +# enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd" +# enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd" +# enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail" +# enterprises.ucdavis.procTable.prEntry.prMin.1 = 0 +# enterprises.ucdavis.procTable.prEntry.prMin.2 = 0 +# enterprises.ucdavis.procTable.prEntry.prMin.3 = 1 +# enterprises.ucdavis.procTable.prEntry.prMax.1 = 0 +# enterprises.ucdavis.procTable.prEntry.prMax.2 = 4 +# enterprises.ucdavis.procTable.prEntry.prMax.3 = 10 +# enterprises.ucdavis.procTable.prEntry.prCount.1 = 0 +# enterprises.ucdavis.procTable.prEntry.prCount.2 = 0 +# enterprises.ucdavis.procTable.prEntry.prCount.3 = 1 +# enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1 +# enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0 +# enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0 +# enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running." +# enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = "" +# enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = "" +# enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0 +# enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0 +# enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0 +# +# Note that the errorFlag for mountd is set to 1 because one is not +# running (in this case an rpc.mountd is, but thats not good enough), +# and the ErrMessage tells you what's wrong. The configuration +# imposed in the snmpd.conf file is also shown. 
+# +# Special Case: When the min and max numbers are both 0, it assumes +# you want a max of infinity and a min of 1. +# + + +# ----------------------------------------------------------------------------- + + +############################################################################### +# Executables/scripts +# + +# +# You can also have programs run by the agent that return a single +# line of output and an exit code. Here are two examples. +# +# exec NAME PROGRAM [ARGS ...] +# +# NAME: A generic name. The name must be unique for each exec statement. +# PROGRAM: The program to run. Include the path! +# ARGS: optional arguments to be passed to the program + +# a simple hello world + +#exec echotest /bin/echo hello world + +# Run a shell script containing: +# +# #!/bin/sh +# echo hello world +# echo hi there +# exit 35 +# +# Note: this has been specifically commented out to prevent +# accidental security holes due to someone else on your system writing +# a /tmp/shtest before you do. Uncomment to use it. +# +#exec shelltest /bin/sh /tmp/shtest + +# Then, +# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8 +# enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1 +# enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2 +# enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest" +# enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest" +# enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world" +# enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest" +# enterprises.ucdavis.extTable.extEntry.extResult.1 = 0 +# enterprises.ucdavis.extTable.extEntry.extResult.2 = 35 +# enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world." +# enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world." +# enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0 +# enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0 + +# Note that the second line of the /tmp/shtest shell script is cut +# off. 
Also note that the exit status of 35 was returned. + +# ----------------------------------------------------------------------------- + + +############################################################################### +# disk checks +# + +# The agent can check the amount of available disk space, and make +# sure it is above a set limit. + +# disk PATH [MIN=100000] +# +# PATH: mount path to the disk in question. +# MIN: Disks with space below this value will have the Mib's errorFlag set. +# Default value = 100000. + +# Check the / partition and make sure it contains at least 10 megs. + +#disk / 10000 + +# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9 +# enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0 +# enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F +# enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0" +# enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000 +# enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130 +# enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325 +# enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092 +# enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58 +# enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0 +# enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = "" + +# ----------------------------------------------------------------------------- + + +############################################################################### +# load average checks +# + +# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0] +# +# 1MAX: If the 1 minute load average is above this limit at query +# time, the errorFlag will be set. +# 5MAX: Similar, but for 5 min average. +# 15MAX: Similar, but for 15 min average. 
+ +# Check for loads: +#load 12 14 14 + +# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10 +# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1 +# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2 +# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3 +# enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1" +# enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5" +# enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15" +# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39 +# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31 +# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36 +# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00" +# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00" +# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00" +# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0 +# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0 +# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0 +# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = "" +# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = "" +# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = "" + +# ----------------------------------------------------------------------------- + + +############################################################################### +# Extensible sections. +# + +# This alleviates the multiple line output problem found in the +# previous executable mib by placing each mib in its own mib table: + +# Run a shell script containing: +# +# #!/bin/sh +# echo hello world +# echo hi there +# exit 35 +# +# Note: this has been specifically commented out to prevent +# accidental security holes due to someone else on your system writing +# a /tmp/shtest before you do. Uncomment to use it. 
+# +# exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest + +# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50 +# enterprises.ucdavis.50.1.1 = 1 +# enterprises.ucdavis.50.2.1 = "shelltest" +# enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest" +# enterprises.ucdavis.50.100.1 = 35 +# enterprises.ucdavis.50.101.1 = "hello world." +# enterprises.ucdavis.50.101.2 = "hi there." +# enterprises.ucdavis.50.102.1 = 0 + +# Now the Output has grown to two lines, and we can see the 'hi +# there.' output as the second line from our shell script. +# +# Note that you must alter the mib.txt file to be correct if you want +# the .50.* outputs above to change to reasonable text descriptions. + +# Other ideas: +# +# exec .1.3.6.1.4.1.2021.51 ps /bin/ps +# exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top +# exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq + +# ----------------------------------------------------------------------------- + + +############################################################################### +# Pass through control. +# + +# Usage: +# pass MIBOID EXEC-COMMAND +# +# This will pass total control of the mib underneath the MIBOID +# portion of the mib to the EXEC-COMMAND. +# +# Note: You'll have to change the path of the passtest script to your +# source directory or install it in the given location. +# +# Example: (see the script for details) +# (commented out here since it requires that you place the +# script in the right location. 
(its not installed by default)) + +# pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest + +# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255 +# enterprises.ucdavis.255.1 = "life the universe and everything" +# enterprises.ucdavis.255.2.1 = 42 +# enterprises.ucdavis.255.2.2 = OID: 42.42.42 +# enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42 +# enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1 +# enterprises.ucdavis.255.5 = 42 +# enterprises.ucdavis.255.6 = Gauge: 42 +# +# % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5 +# enterprises.ucdavis.255.5 = 42 +# +# % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string" +# enterprises.ucdavis.255.1 = "New string" +# + +# For specific usage information, see the man/snmpd.conf.5 manual page +# as well as the local/passtest script used in the above example. + +############################################################################### +# Further Information +# +# See the snmpd.conf manual page, and the output of "snmpd -H". diff --git a/net-snmp.spec b/net-snmp.spec new file mode 100644 index 0000000..661e638 --- /dev/null +++ b/net-snmp.spec 
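Review bot: In the Access Control section of net-snmp.redhat.conf, the active `com2sec notConfigUser default public` line accepts the well-known community `public` from any source address, so a freshly installed agent answers v1/v2c reads of the `systemview` subtrees (`.1.3.6.1.2.1.1`, which includes sysDescr, and `.1.3.6.1.2.1.25.1.1`) for every host that can reach it. The file's own commented example already uses a narrower source, so the shipped default could be `com2sec notConfigUser localhost public`, with a comment telling the admin to add the management subnet and a site-specific community. Separately, in the commented RFC 1213 sample, `# Finally, grant the group read-only access to the systemview view.` sits above an `access` line that grants `roview` for read and `rwview` for write; the comment should read `# Finally, grant the group read access to roview and write access to rwview.` so nobody enables write access believing it is read-only.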
@@ -0,0 +1,1900 @@ +# use nestnmp_check 0 to speed up packaging by disabling 'make test' +%{!?netsnmp_check: %global netsnmp_check 1} + +# Arches on which we need to prevent arch conflicts on net-snmp-config.h +%global multilib_arches %{ix86} ia64 ppc ppc64 s390 s390x x86_64 sparc sparcv9 sparc64 aarch64 + +# actual soname version +%global soname 35 + +Summary: A collection of SNMP protocol tools and libraries +Name: net-snmp +Version: 5.8 +Release: 26%{?dist} +Epoch: 1 + +License: BSD +URL: http://net-snmp.sourceforge.net/ +Source0: https://downloads.sourceforge.net/project/net-snmp/net-snmp/%{version}/net-snmp-%{version}.tar.gz +Source1: net-snmp.redhat.conf +Source2: net-snmp-config.h +Source3: net-snmp-config +Source4: net-snmp-trapd.redhat.conf +Source5: net-snmpd.sysconfig +Source6: net-snmptrapd.sysconfig +Source7: net-snmp-tmpfs.conf +Source8: snmpd.service +Source9: snmptrapd.service +Source10: IETF-MIB-LICENSE.txt +Patch1: net-snmp-5.7.2-pie.patch +Patch2: net-snmp-5.8-dir-fix.patch +Patch3: net-snmp-5.8-multilib.patch +Patch4: net-snmp-5.8-test-debug.patch +Patch5: net-snmp-5.7.2-autoreconf.patch +Patch6: net-snmp-5.8-agentx-disconnect-crash.patch +Patch7: net-snmp-5.7.2-cert-path.patch +Patch8: net-snmp-5.8-cflags.patch +Patch9: net-snmp-5.8-Remove-U64-typedef.patch +Patch10: net-snmp-5.8-libnetsnmptrapd-against-MYSQL_LIBS.patch +Patch11: net-snmp-5.7.3-iterator-fix.patch +Patch12: net-snmp-5.8-autofs-skip.patch +Patch13: net-snmp-5.8-usage-exit.patch +Patch14: net-snmp-5.8-coverity.patch +Patch15: net-snmp-5.8-ipv6-clientaddr.patch +Patch16: net-snmp-5.8-agent-of-death.patch +Patch17: net-snmp-5.8-trapsink.patch +Patch18: net-snmp-5.8-flood-messages.patch +Patch19: net-snmp-5.8-v3-forward.patch +Patch20: net-snmp-5.8-sec-counter.patch +Patch21: net-snmp-5.8-proxy-getnext.patch +Patch22: net-snmp-5.8-dskTable-dynamic.patch +Patch23: net-snmp-5.8-expand-SNMPCONFPATH.patch +Patch24: net-snmp-5.8-duplicate-ipAddress.patch +Patch25: 
net-snmp-5.8-memory-reporting.patch +Patch26: net-snmp-5.8-man-page.patch +Patch27: net-snmp-5.8-ipAddress-faster-load.patch +Patch28: net-snmp-5.8-rpm-memory-leak.patch +Patch29: net-snmp-5.8-sec-memory-leak.patch +Patch30: net-snmp-5.8-aes-config.patch +Patch31: net-snmp-5.7.2-CVE-2020-15862.patch +Patch32: net-snmp-5.8-bulk.patch +Patch33: net-snmp-5.8-clientaddr-error-message.patch +Patch34: net-snmp-5.8-ipv6-disabled.patch +Patch35: net-snmp-5.8-empty-passphrase.patch +Patch36: net-snmp-5.8-asn-parse-nlength.patch +Patch37: net-snmp-5.8-double-IP-parsing.patch +Patch38: net-snmp-5.8-digest-from-ECC.patch +Patch39: net-snmp-5.8-broken-errmsg.patch +Patch40: net-snmp-5.8-intermediate-certs.patch +Patch41: net-snmp-5.8-fix-cert-crash.patch +Patch42: net-snmp-5.8-engine-id.patch +Patch43: net-snmp-5.8-certs.patch +Patch44: net-snmp-5.8-util-fix.patch +Patch45: net-snmp-5.8-deleted-iface.patch +Patch46: net-snmp-5.8-memleak-backport.patch + +# Modern RPM API means at least EL6 +Patch101: net-snmp-5.8-modern-rpm-api.patch + +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-agent-libs%{?_isa} = %{epoch}:%{version}-%{release} +BuildRequires: gcc +# This is actually needed for the %%triggerun script but Requires(triggerun) +# is not valid. We can use %%post because this particular %%triggerun script +# should fire just after this package is installed. 
+%{?systemd_requires} +BuildRequires: systemd + +BuildRequires: openssl-devel, bzip2-devel, elfutils-devel +BuildRequires: libselinux-devel, elfutils-libelf-devel, rpm-devel +BuildRequires: perl-devel, perl(ExtUtils::Embed), procps +BuildRequires: python3-devel, python3-setuptools +BuildRequires: chrpath +BuildRequires: mariadb-connector-c-devel +# for netstat, needed by 'make test' +BuildRequires: net-tools +# for make test +BuildRequires: perl(TAP::Harness) +%ifnarch s390 s390x ppc64le +BuildRequires: lm_sensors-devel >= 3 +%endif +BuildRequires: autoconf, automake + +%description +SNMP (Simple Network Management Protocol) is a protocol used for +network management. The NET-SNMP project includes various SNMP tools: +an extensible agent, an SNMP library, tools for requesting or setting +information from SNMP agents, tools for generating and handling SNMP +traps, a version of the netstat command which uses SNMP, and a Tk/Perl +mib browser. This package contains the snmpd and snmptrapd daemons, +documentation, etc. + +You will probably also want to install the net-snmp-utils package, +which contains NET-SNMP utilities. + +%package utils +Summary: Network management utilities using SNMP, from the NET-SNMP project +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} +BuildRequires: gcc + +%description utils +The net-snmp-utils package contains various utilities for use with the +NET-SNMP network management project. + +Install this package if you need utilities for managing your network +using the SNMP protocol. You will also need to install the net-snmp +package. 
+ +%package devel +Summary: The development environment for the NET-SNMP project +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-agent-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: elfutils-devel, rpm-devel, elfutils-libelf-devel, openssl-devel +%ifnarch s390 s390x ppc64le +Requires: lm_sensors-devel +%endif +# pull perl development libraries, net-snmp agent libraries may link to them +Requires: perl-devel%{?_isa}, gcc + +%description devel +The net-snmp-devel package contains the development libraries and +header files for use with the NET-SNMP project's network management +tools. + +Install the net-snmp-devel package if you would like to develop +applications for use with the NET-SNMP project's network management +tools. You'll also need to have the net-snmp and net-snmp-utils +packages installed. + +%package perl +Summary: The perl NET-SNMP module and the mib2c tool +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}, perl-interpreter +Requires: %{name}-agent-libs%{?_isa} = %{epoch}:%{version}-%{release} +BuildRequires: perl-interpreter +BuildRequires: perl-generators + +%description perl +The net-snmp-perl package contains the perl files to use SNMP from within +Perl. + +Install the net-snmp-perl package, if you want to use mib2c or SNMP +with perl. + +%package gui +Summary: An interactive graphical MIB browser for SNMP +Requires: perl-Tk, net-snmp-perl%{?_isa} = %{epoch}:%{version}-%{release} + +%description gui +The net-snmp-gui package contains tkmib utility, which is a graphical user +interface for browsing the Message Information Bases (MIBs). It is also +capable of sending or retrieving the SNMP management information to/from +the remote agents interactively. + +Install the net-snmp-gui package, if you want to use this interactive utility. 
+ +%package libs +Summary: The NET-SNMP runtime client libraries + +%description libs +The net-snmp-libs package contains the runtime client libraries for shared +binaries and applications. + +%package agent-libs +Summary: The NET-SNMP runtime agent libraries +# the libs link against libperl.so: +Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} + +%description agent-libs +The net-snmp-agent-libs package contains the runtime agent libraries for shared +binaries and applications. + +%prep +%setup -q +cp %{SOURCE10} . +rm -r python + +%ifnarch ia64 +%patch1 -p1 -b .pie +%endif + +%patch2 -p1 -b .dir-fix +%patch3 -p1 -b .multilib +%patch4 -p1 +%patch5 -p1 -b .autoreconf +%patch6 -p1 -b .agentx-disconnect-crash +%patch7 -p1 -b .cert-path +%patch8 -p1 -b .cflags +%patch9 -p1 -b .u64-remove +%patch10 -p1 -b .perlfix +%patch11 -p1 -b .iterator-fix +%patch12 -p1 -b .autofs-skip +%patch13 -p1 -b .usage-fix +%patch14 -p1 -b .coverity +%patch15 -p1 -b .ipv6-clientaddr +%patch16 -p1 -b .agent-of-death +%patch17 -p1 -b .trapsink +%patch18 -p1 -b .flood-messages +%patch19 -p1 -b .v3-forward +%patch20 -p1 -b .sec-counter +%patch21 -p1 -b .proxy-getnext +%patch22 -p1 -b .dskTable-dynamic +%patch23 -p1 -b .expand-SNMPCONFPATH +%patch24 -p1 -b .duplicate-ipAddress +%patch25 -p1 -b .memory-reporting +%patch26 -p1 -b .man-page +%patch27 -p1 -b .ipAddress-faster-load +%patch28 -p1 -b .rpm-memory-leak +%patch29 -p1 -b .sec-memory-leak +%patch30 -p1 -b .aes-config +%patch31 -p1 -b .CVE-2020-15862 +%patch32 -p1 -b .bulk +%patch33 -p1 -b .clientaddr-error-message +%patch34 -p1 -b .ipv6-disabled +%patch35 -p1 -b .empty-passphrase +%patch36 -p1 -b .asn-parse-nlength +%patch37 -p1 -b .double-IP-parsing +%patch38 -p1 -b .digest-from-ECC +%patch39 -p1 -b .broken-errmsg +%patch40 -p1 -b .intermediate-certs +%patch41 -p1 -b .fix-cert-crash +%patch42 -p1 -b .engine-id +%patch43 -p1 -b .certs +%patch44 -p1 
-b .utils +%patch45 -p1 -b .ifaces +%patch46 -p1 -b .memleak-backport + +%patch101 -p1 -b .modern-rpm-api + +%ifarch sparc64 s390 s390x +# disable failing test - see https://bugzilla.redhat.com/show_bug.cgi?id=680697 +rm testing/fulltests/default/T200* +%endif + +%build + +# Autoreconf to get autoconf 2.69 for ARM (#926223) +autoreconf + +MIBS="host agentx smux \ + ucd-snmp/diskio tcp-mib udp-mib mibII/mta_sendmail \ + ip-mib/ipv4InterfaceTable ip-mib/ipv6InterfaceTable \ + ip-mib/ipAddressPrefixTable/ipAddressPrefixTable \ + ip-mib/ipDefaultRouterTable/ipDefaultRouterTable \ + ip-mib/ipv6ScopeZoneIndexTable ip-mib/ipIfStatsTable \ + sctp-mib rmon-mib etherlike-mib" + +%ifnarch s390 s390x ppc64le +# there are no lm_sensors on s390 +MIBS="$MIBS ucd-snmp/lmsensorsMib" +%endif + +%configure \ + --disable-static --enable-shared \ + --enable-as-needed \ + --enable-blumenthal-aes \ + --enable-embedded-perl \ + --enable-ipv6 \ + --enable-local-smux \ + --enable-mfd-rewrites \ + --enable-ucd-snmp-compatibility \ + --sysconfdir=%{_sysconfdir} \ + --with-cflags="$RPM_OPT_FLAGS" \ + --with-ldflags="-Wl,-z,relro -Wl,-z,now -lm" \ + --with-logfile="/var/log/snmpd.log" \ + --with-mib-modules="$MIBS" \ + --with-mysql \ + --with-openssl \ + --with-persistent-directory="/var/lib/net-snmp" \ + --with-perl-modules="INSTALLDIRS=vendor" \ + --with-pic \ + --with-security-modules=tsm \ + --with-sys-location="Unknown" \ + --with-systemd \ + --with-temp-file-pattern=/run/net-snmp/snmp-tmp-XXXXXX \ + --with-transports="DTLSUDP TLSTCP" \ + --with-sys-contact="root@localhost" <$file.utf8 + mv $file.utf8 $file +done + +# remove executable bit from documentation samples +chmod 644 local/passtest local/ipf-mod.pl + +# dirty hack for #603243, until it's fixed properly upstream +install -m 755 -d %{buildroot}/usr/include/net-snmp/agent/util_funcs +install -m 644 agent/mibgroup/util_funcs/*.h %{buildroot}/usr/include/net-snmp/agent/util_funcs + +# systemd stuff +install -m 755 -d 
%{buildroot}/%{_tmpfilesdir} +install -m 644 %SOURCE7 %{buildroot}/%{_tmpfilesdir}/net-snmp.conf +install -m 755 -d %{buildroot}/%{_unitdir} +install -m 644 %SOURCE8 %SOURCE9 %{buildroot}/%{_unitdir}/ + +%check +%if %{netsnmp_check} +%ifarch ppc ppc64 +rm -vf testing/fulltests/default/T200snmpv2cwalkall_simple +%endif +# restore libtool, for unknown reason it does not work with the one without rpath +cp -f libtool.orig libtool +# temporary workaround to make test "extending agent functionality with pass" working +chmod 755 local/passtest + +LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test +%endif + + +%post +%systemd_post snmpd.service snmptrapd.service + +%preun +%systemd_preun snmpd.service snmptrapd.service + + +%postun +%systemd_postun_with_restart snmpd.service snmptrapd.service + +%ldconfig_scriptlets libs +%ldconfig_scriptlets agent-libs + +%files +%doc COPYING ChangeLog.trimmed EXAMPLE.conf FAQ NEWS TODO +%doc README README.agent-mibs README.agentx README.krb5 README.snmpv3 +%doc local/passtest local/ipf-mod.pl +%doc README.thread AGENT.txt PORTING local/README.mib2c +%doc IETF-MIB-LICENSE.txt +%dir %{_sysconfdir}/snmp +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/snmp/snmpd.conf +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/snmp/snmptrapd.conf +%{_bindir}/snmpconf +%{_bindir}/net-snmp-create-v3-user +%{_sbindir}/* +%attr(0644,root,root) %{_mandir}/man[58]/snmp*d* +%attr(0644,root,root) %{_mandir}/man5/snmp_config.5.gz +%attr(0644,root,root) %{_mandir}/man5/variables* +%attr(0644,root,root) %{_mandir}/man1/net-snmp-create-v3-user* +%attr(0644,root,root) %{_mandir}/man1/snmpconf.1.gz +%dir %{_datadir}/snmp +%{_datadir}/snmp/snmpconf-data +%dir %{_localstatedir}/run/net-snmp +%{_tmpfilesdir}/net-snmp.conf +%{_unitdir}/snmp* +%config(noreplace) %{_sysconfdir}/sysconfig/snmpd +%config(noreplace) %{_sysconfdir}/sysconfig/snmptrapd +%{_bindir}/agentxtrap +%attr(0644,root,root) %{_mandir}/man1/agentxtrap.1* + +%files utils 
+%{_bindir}/encode_keychange
+%{_bindir}/snmp[^c-]*
+%attr(0644,root,root) %{_mandir}/man1/snmp[^-]*.1*
+%attr(0644,root,root) %{_mandir}/man1/encode_keychange*.1*
+%attr(0644,root,root) %{_mandir}/man5/snmp.conf.5.gz
+%attr(0644,root,root) %{_mandir}/man5/variables.5.gz
+
+%files devel
+%{_libdir}/lib*.so
+/usr/include/*
+%attr(0644,root,root) %{_mandir}/man3/*.3.*
+%attr(0755,root,root) %{_bindir}/net-snmp-config*
+%attr(0644,root,root) %{_mandir}/man1/net-snmp-config*.1.*
+
+%files perl
+%{_bindir}/mib2c-update
+%{_bindir}/mib2c
+%{_bindir}/snmp-bridge-mib
+%{_bindir}/net-snmp-cert
+%{_bindir}/checkbandwidth
+%dir %{_datadir}/snmp
+%{_datadir}/snmp/mib2c*
+%{_datadir}/snmp/*.pl
+%{_bindir}/traptoemail
+%attr(0644,root,root) %{_mandir}/man[15]/mib2c*
+%attr(0644,root,root) %{_mandir}/man3/*.3pm.*
+%attr(0644,root,root) %{_mandir}/man1/traptoemail*.1*
+%attr(0644,root,root) %{_mandir}/man1/snmp-bridge-mib.1*
+%{perl_vendorarch}/*SNMP*
+%{perl_vendorarch}/auto/*SNMP*
+%{perl_vendorarch}/auto/Bundle/*SNMP*
+%{perl_vendorarch}/Bundle/MakefileSubs.pm
+
+%files gui
+%{_bindir}/tkmib
+%attr(0644,root,root) %{_mandir}/man1/tkmib.1*
+
+%files libs
+%doc COPYING README ChangeLog.trimmed FAQ NEWS TODO
+%doc IETF-MIB-LICENSE.txt
+%{_libdir}/libnetsnmp.so.%{soname}*
+%dir %{_datadir}/snmp
+%dir %{_datadir}/snmp/mibs
+%{_datadir}/snmp/mibs/*
+%dir %{_localstatedir}/lib/net-snmp
+%dir %{_localstatedir}/lib/net-snmp/mib_indexes
+%dir %{_localstatedir}/lib/net-snmp/cert_indexes
+
+%files agent-libs
+%{_libdir}/libnetsnmpagent*.so.%{soname}*
+%{_libdir}/libnetsnmphelpers*.so.%{soname}*
+%{_libdir}/libnetsnmpmibs*.so.%{soname}*
+%{_libdir}/libnetsnmptrapd*.so.%{soname}*
+
+%changelog
+* Mon Oct 17 2022 Josef Ridky - 1:5.8-26
+- backport two memory leaks from upstream (#2134635)
+
+* Mon Feb 21 2022 Josef Ridky - 1:5.8-25
+- fix segfault with error on subcontainer (#2051370)
+
+* Thu Dec 09 2021 Josef Ridky - 1:5.8-24
+- fix dereferencing null pointer (#2021403)
+
+* Mon Oct 11 2021 Josef Ridky - 1:5.8-23
+- net-snmp-cert gencert create SHA512 (#1908331)
+
+* Mon Jun 28 2021 Josef Ridky - 1:5.8-22
+- update engineTime when sending traps (#1973252)
+
+* Wed Jun 09 2021 Josef Ridky - 1:5.8-21
+- prevent parsing IP address twice (#1768908)
+- add support for digests detected from ECC certs (#1919714)
+- fix broken ErrorMsg at ucd-snmp (#1933150)
+- add support for intermediate certs (#1914656)
+- fix crash of certs with longer extension (#1908718)
+
+* Tue Jan 05 2021 Josef Ridky - 1:5.8-20
+- fix issue with parsing of long traps (#1912242)
+- modify fix for #1877375
+
+* Tue Dec 01 2020 Josef Ridky - 1:5.8-19
+- revert permission of config files to 600 (#1601060)
+- fix error message when the address specified by clientaddr option
+ is wrong or cannot be bound (#1877375)
+- log error with /proc/net/if_inet6 only when IPv6 is enabled (#1824367)
+- fix issue with quoting empty passphrase (#1817225)
+
+* Wed Nov 11 2020 Josef Ridky - 1:5.8-18
+- fix CVE-2020-15862 (#1875497)
+- fix bulk responses for invalid PID (#1817190)
+
+* Tue Aug 11 2020 Josef Ridky - 1:5.8-17
+- add math library in LDFLAGS (#1846252)
+
+* Thu Jul 16 2020 Josef Ridky - 1:5.8-16
+- remove file due licensing issues (#1690936)
+
+* Wed Jun 10 2020 Josef Ridky - 1:5.8-15
+- proxied OIDs unspecified in proxy statement in snmpd.conf (#1658134)
+- UCD-SNMP-MIB::dskTable doesn't update dynamically (#1658185)
+- expand SNMPCONFPATH variable (#1660146)
+- remove file with Apple license (#1690936)
+- log meningful message on duplicate IP address (#1692286)
+- memory reporting adjustment (#1695497 and #1766521)
+- fix typos in man page (#1700262)
+- speedup ipAddressTable loading(#1700391)
+- fix memory leak when shut down librpm (#1763008)
+- services starts after network-online.target (#1775304)
+- add missing part of memory leak patch (#1829860)
+- add support for AES192 and AES256 (#1846252)
+
+* Mon Mar 16 2020 Josef Ridky - 1:5.8-14
+- fix double free or corruption error when freeing security context (#1809077)
+- remove deprecated CFLAG
+
+* Mon Feb 17 2020 Josef Ridky - 1:5.8-13
+- fix double free or corruption error (#1726373)
+
+* Wed Nov 06 2019 Josef Ridky - 1:5.8-12
+- fix tmpfiles path (#1710784)
+
+* Tue Oct 15 2019 Jiri Kucera - 1:5.8-11
+- fix issue with flood messages (#1719350)
+
+* Thu Jun 27 2019 Josef Ridky - 1:5.8-10
+- fix trapsink port issue (#1677192)
+
+* Fri May 24 2019 Josef Ridky - 1:5.8-9
+- rebuild for autoconf
+
+* Tue May 07 2019 Josef Ridky - 1:5.8-8
+- fix daemon crash on resend request (#1694047)
+
+* Thu Feb 07 2019 Josef Ridky - 1:5.8-7
+- fix address assigning for IPv6 clientaddr option (#1672668)
+
+* Wed Dec 05 2018 Josef Ridky - 1:5.8-6
+- fix discovered issues from coverity scan (#1602630)
+
+* Thu Oct 04 2018 Josef Ridky - 1:5.8-5
+- exit snmpd after snmpd -h command (#1634811)
+
+* Tue Sep 25 2018 Josef Ridky - 1:5.8-4
+- fix annocheck distro flag failures (#1624151)
+
+* Tue Sep 04 2018 Josh Boyer - 1:5.8-3
+- Change gcc Requires to BuildRequires (#1625189)
+
+* Mon Aug 13 2018 Josef Ridky - 1:5.8-2
+- fix default configuration file (#1589480 and #1594147)
+- modify permissions for config files (#1601060)
+
+* Thu Aug 09 2018 Josef Ridky - 1:5.8-1
+- remove python package and update to the last upstream version (#1584510)
+
+* Thu Mar 08 2018 Josef Ridky - 1:5.7.3-36
+- CVE-2018-1000116 Heap corruption in snmp_pdu_parse (#1552844)
+
+* Tue Feb 27 2018 Josef Ridky - 1:5.7.3-35
+- compile against Python3
+- add gcc requirement
+- remove rm buildroot
+
+* Fri Feb 16 2018 Josef Ridky - 1:5.7.3-34
+- fix wrong systemd patch (#1545946)
+
+* Thu Feb 08 2018 Josef Ridky - 1:5.7.3-33
+- Fix strstr() crash when looking for RPM Group tag
+- Fix wrong usage of structure iterator
+- Fix issue with statistics from autofs
+
+* Thu Feb 08 2018 Fedora Release Engineering - 1:5.7.3-32
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Igor Gnatenko - 1:5.7.3-31
+- Switch to %%ldconfig_scriptlets
+
+* Wed Jan 31 2018 Josef Ridky - 1:5.7.3-30
+- remove Group tag
+- remove sysvinit package and init files (no longer needed)
+- fix python2 references and dependencies in spec file
+
+* Sat Jan 20 2018 Björn Esser - 1:5.7.3-29
+- Rebuilt for switch to libxcrypt
+
+* Wed Dec 13 2017 Josef Ridky - 1:5.7.3-28
+- remove tcp_wrapper (#1518768)
+- use mariadb-connector instead of mysql-devel (#1339272)
+
+* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek - 1:5.7.3-27
+- Add Provides for the old name without %%_isa
+
+* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 1:5.7.3-26
+- Python 2 binary package renamed to python2-net-snmp
+ See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Fri Aug 11 2017 Igor Gnatenko - 1:5.7.3-25
+- Rebuilt after RPM update (№ 3)
+
+* Thu Aug 10 2017 Igor Gnatenko - 1:5.7.3-24
+- Rebuilt for RPM soname bump
+
+* Thu Aug 10 2017 Igor Gnatenko - 1:5.7.3-23
+- Rebuilt for RPM soname bump
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1:5.7.3-22
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 1:5.7.3-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jul 20 2017 Adam Williamson -1:5.7.3-20
+- Edit fix of issue with undefined symbol my_progname when try to load
+ NetSNMP::TrapReceiver in perl script (#1470004)
+
+* Thu Jul 20 2017 Josef Ridky - 1:5.7.3-19
+- Fix issue with undefined symbol my_progname when try to load NetSNMP::TrapReceiver in perl script. (#1470004)
+
+* Wed Jul 19 2017 Adam Williamson - 1:5.7.3-18
+- Fix build with MariaDB 10.2
+
+* Thu Jul 13 2017 Petr Pisar - 1:5.7.3-17
+- perl dependency renamed to perl-interpreter
+
+
+* Sun Jun 04 2017 Jitka Plesnikova - 1:5.7.3-16
+- Perl 5.26 rebuild
+
+* Wed Feb 15 2017 Josef Ridky - 1:5.7.3-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+- Add support for new version of OpenSSL library (#1423984)
+
+* Fri Feb 10 2017 Fedora Release Engineering - 1:5.7.3-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Aug 12 2016 Josef Ridky - 1:5.7.3-13
+- net-snmp.redhat.conf: update default configuration to conform to the best practices (#1359123)
+- nmp_transport.c: use strtok_r for strtok to avoid a race condition (#1366282)
+
+* Tue Jul 19 2016 Fedora Release Engineering - 1:5.7.3-12
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Sun May 15 2016 Jitka Plesnikova - 1:5.7.3-11
+- Perl 5.24 rebuild
+
+* Mon May 09 2016 Jitka Plesnikova - 1:5.7.3-10
+- Updated net-snmp to build against Perl 5.24
+
+* Wed Feb 24 2016 Jan Safranek - 1:5.7.3-9
+- Trim net-snmp-config --cflags output (#1309080)
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1:5.7.3-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Jul 27 2015 Richard W.M. Jones - 1:5.7.3-7
+- Bump version to rebuild against new RPM in Rawhide.
+
+* Tue Jul 14 2015 Jan Safranek - 1:5.7.3-6
+- Recompile with -Wformat (#1242766)
+
+* Fri Jun 26 2015 Jan Safranek - 1:5.7.3-5
+- Fixed snmpstatus crashing when receiving invalid response (#1233738)
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1:5.7.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Jun 03 2015 Jitka Plesnikova - 1:5.7.3-3
+- Perl 5.22 rebuild
+
+* Thu Mar 05 2015 Adam Jackson 1:5.7.3-2
+- Disable sysvinit subpackage on F23+
+
+* Tue Feb 17 2015 Jan Safranek - 1:5.7.3-1
+- Update to 5.7.3
+
+* Fri Sep 05 2014 Jitka Plesnikova - 1:5.7.2-24
+- Perl 5.20 rebuild
+
+* Mon Sep 1 2014 Jan Safranek - 1:5.7.2-23
+- Fixed CVE-2014-3565
+- Fixed net-snmp-cert tool, now it does not depend on net-snmp-devel (#1134475)
+
+* Tue Aug 26 2014 Jitka Plesnikova - 1:5.7.2-22
+- Perl 5.20 rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering - 1:5.7.2-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering - 1:5.7.2-20
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue Mar 4 2014 Jan Safranek - 1:5.7.2-19
+- Fixed buffer overflow in ICMP-MIB (#1071753)
+
+* Wed Jan 15 2014 Jan Safranek - 1:5.7.2-18
+- Added support for ppc64le architecture (#1052431)
+
+* Thu Jan 9 2014 Jan Safranek - 1:5.7.2-17
+- Moved tmpfiles.d config file to /usr/lib
+
+* Thu Dec 5 2013 Jan Safranek - 1:5.7.2-16
+- Fixed snmpd crashing when AgentX subagent disconnects in the middle of
+ request processing (#1038011)
+
+* Sat Aug 03 2013 Fedora Release Engineering - 1:5.7.2-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 17 2013 Petr Pisar - 1:5.7.2-14
+- Perl 5.18 rebuild
+
+* Thu Jun 27 2013 Jan Safranek - 1:5.7.2-13
+- set permissions of snmpd.conf and snmptrapd conf to 0600 to prevent
+ users from reading passwords and community strings.
+
+* Tue May 21 2013 Jan Safranek - 1:5.7.2-12
+- added btrfs support to hrFSTable (#965348)
+
+* Mon May 6 2013 Jan Safranek - 1:5.7.2-11
+- added aarch64 to multilib architectures.
+
+* Mon Apr 22 2013 Jan Safranek - 1:5.7.2-10
+- moved agentxtrap utility to net-snmp subpackage,
+ it needs libraries provided by net-snmp-agent-libs.
+
+* Thu Apr 18 2013 Jan Safranek - 1:5.7.2-9
+- moved agentxtrap utility to net-snmp-utils subpackage,
+ it's an utility, not a daemon.
+
+* Mon Mar 25 2013 Jan Safranek - 1:5.7.2-8
+- added autoreconf to be able to build on aarch64 (#926223)
+
+* Thu Feb 14 2013 Tom Callaway 1:5.7.2-7
+- add missing IETF MIB license text (BSD)
+
+* Thu Feb 7 2013 Jan Safranek - 1:5.7.2-6
+- fixed net-snmp-create-v3-user to have the same content on all architectures
+- /var/lib/net-snmp/mib_indexes and cert_indexes added to net-snmp-libs
+ (#906761)
+
+* Thu Jan 17 2013 Jan Safranek - 1:5.7.2-5
+- Python: fixed IPADDRESS size on 64-bit systems (#895357)
+
+* Mon Nov 12 2012 Jan Safranek - 1:5.7.2-4
+- Fixed systemd support (#875632).
+
+* Mon Oct 29 2012 Jan Safranek - 1:5.7.2-3
+- Added direct dependency on perl-devel with architectute in
+ net-snmp-devel package to pull proper dependencies.
+
+* Wed Oct 24 2012 Jan Safranek - 1:5.7.2-2
+- Fixed net-snmp dependency on net-snmp-agent-libs.
+
+* Thu Oct 18 2012 Jan Safranek - 1:5.7.2-1
+- Updated to 5.7.2
+
+* Mon Aug 27 2012 Jan Safranek - 1:5.7.1-10
+- Updated RPM scriplets with latest systemd-rpm macros (#850403).
+- Fixed fedora-review tool complaints.
+
+* Fri Jul 20 2012 Fedora Release Engineering - 1:5.7.1-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jun 08 2012 Petr Pisar - 1:5.7.1-8
+- Perl 5.16 rebuild
+
+* Fri May 18 2012 Jan Safranek 5.7.1-7
+- Move /var/lib/net-snmp from net-snmp to net-snmp-libs (#822508)
+
+* Mon Apr 23 2012 Karsten Hopp 5.7.1-6
+- Temporarily disable T200snmpv2cwalkall_simple test on ppc(64) until
+ bug 814829 is fixed
+
+* Fri Mar 30 2012 Jan Safranek - 1:5.7.1-5
+- Rebuilt for new rpm
+
+* Fri Jan 13 2012 Fedora Release Engineering - 1:5.7.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Nov 28 2011 Jan Safranek - 1:5.7.1-3
+- re-introduced /etc/sysconfig files (#752821)
+
+* Wed Oct 5 2011 Jan Safranek - 1:5.7.1-2
+- fixed perl linking (#742678)
+
+* Tue Oct 4 2011 Jan Safranek - 1:5.7.1-1
+- updated to 5.7.1:
+ - Fixed the mib-parsing-bug introduced shortly before 5.7
+ - fixed rounding errors for disk percentage calculations
+ - Many other miscellaneous minor bug fixes
+
+* Tue Sep 06 2011 Dan Horák - 1:5.7-7
+- disable failing test on s390(x) (#680697)
+
+* Thu Aug 11 2011 Jan Safranek - 1:5.7-6
+- added new net-snmp-agent-libs subpackage with agent libraries
+ -> net-snmp-libs do not need perl and lm_sensors libs
+- removed libsnmp.so, it's not used in Fedora (#729811)
+- added README.systemd
+- added new net-snmp-sysvinit subpackage with legacy init scripts
+ (#718183)
+
+* Tue Aug 9 2011 Jan Safranek - 1:5.7-5
+- integrated with systemd (#718183)
+
+* Thu Jul 21 2011 Petr Sabata - 1:5.7-4
+- Perl mass rebuild
+
+* Wed Jul 20 2011 Petr Sabata - 1:5.7-3
+- Perl mass rebuild
+
+* Fri Jul 8 2011 Jan Safranek - 1:5.7-2
+- restored rpath in net-snmp-config output - SNMP subagent won't link
+ with libsnmpagent.so without it, linker needs to know location
+ of libperl.so
+- fixed check section to make tests pass on machine without DNS
+
+* Thu Jul 7 2011 Jan Safranek - 1:5.7-1
+- updated to net-snmp-5.7
+
+* Mon Jun 20 2011 Marcela Mašláňová - 1:5.6.1-9
+- Perl mass rebuild
+
+* Thu Jun 09 2011 Marcela Mašláňová - 1:5.6.1-8
+- Perl 5.14 mass rebuild
+
+* Wed Mar 23 2011 Jan Safranek - 1:5.6.1-7
+- Rebuild against newer mysql
+
+* Sat Feb 26 2011 Dennis Gilmore - 1:5.6.1-6
+- disable failing test on sparc64
+
+* Tue Feb 15 2011 Jan Safranek - 1:5.6.1-5
+- enabled MySQL support in snmptrapd
+
+* Tue Feb 08 2011 Fedora Release Engineering - 1:5.6.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Jan 19 2011 Jan Safranek - 1:5.6.1-3
+- Rebuild (again) against newer rpm, now with proper rpm-4.9 detection
+
+* Wed Jan 19 2011 Matthias Clasen - 1:5.6.1-2
+- Rebuild against newer rpm
+
+* Tue Jan 4 2011 Jan Safranek - 1:5.6.1-1
+- updated to net-snmp-5.6.1
+
+* Mon Dec 6 2010 Jan Safranek - 1:5.6-5
+- re-create /var/run/net-snmp on boot using tmpfiles.d (#656637)
+- move snmp-bridge-mib and net-snmp-cert utilities to net-snmp-perl
+ subpackage, net-snmp-utils subpackage does not depend on Perl now
+
+* Tue Nov 23 2010 Jan Safranek - 1:5.6-4
+- properly fix failing tests on ppc/s390 (#655731)
+
+* Mon Nov 22 2010 Dan Horák - 1:5.6-3
+- temporarily disable a test failing on ppc/s390 arches
+
+* Fri Nov 5 2010 Jan Safranek - 1:5.6-2
+- fixed c++ guards in net-snmp header files (#650219)
+
+* Mon Oct 25 2010 Jan Safranek - 1:5.6-1
+- updated to net-snmp-5.6
+
+* Mon Oct 11 2010 Jan Safranek - 1:5.5-21
+- fixed truncation of sysObjectID (#640848)
+
+* Thu Aug 19 2010 Jan Safranek - 1:5.5-20
+- Remove rpath from net-snmp-config output (#554747)
+
+* Wed Aug 4 2010 Jan Safranek - 1:5.5-19
+- Add APSL 2.0 license to COPYING file
+
+* Wed Jul 21 2010 David Malcolm - 1:5.5-18
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Jul 20 2010 Jan Safranek - 1:5.5-17
+- fixed temporary filename generation in snmptrapd (#616347)
+
+* Mon Jun 28 2010 Jan Safranek - 1:5.5-16
+- rebuild for new perl
+
+* Wed Jun 16 2010 Jan Safranek - 1:5.5-14
+- add missing struct.h header file (#603243)
+
+* Wed Jun 16 2010 Jan Safranek - 1:5.5-13
+- add missing include files from util_funcs directory (#603243)
+
+* Tue Jun 01 2010 Marcela Maslanova - 1:5.5-13
+- Mass rebuild with perl-5.12.0
+
+* Tue Feb 2 2010 Jan Safranek - 1:5.5-12
+- store temporary files in /var/run/net-snmp instead of /tmp -
+ SELinux does not like it.
+
+* Tue Jan 12 2010 Stepan Kasal - 1:5.5-11
+- move the perl(:MODULE_COMPAT_5.10.x) require to net-snmp-libs
+
+* Tue Jan 12 2010 Jan Safranek - 1:5.5-10
+- document various legacy options in this spec file
+
+* Tue Jan 12 2010 Stepan Kasal - 1:5.5-9
+- require perl(:MODULE_COMPAT_5.10.x) because the package links against
+ libperl.so
+
+* Tue Jan 5 2010 Jan Safranek - 1:5.5-8
+- fix invalid access to memory in tcpListenerTable (#551030)
+
+* Mon Dec 21 2009 Jan Safranek - 1:5.5-7
+- fix crash with interfaces without broadcast addresses (like OpenVPN's tun0)
+ (#544849)
+
+* Tue Dec 8 2009 Jan Safranek - 1:5.5-6
+- fix compilation of the python module
+
+* Mon Dec 7 2009 Stepan Kasal - 1:5.5-5
+- rebuild against perl 5.10.1
+
+* Wed Dec 2 2009 Jan Safranek 1:5.5-4
+- fix udpTable indexes on big-endian systems (#543352)
+- fix snmptrapd init script to survive with empty /etc/sysconfig/snmptrapd
+- lower the default log level of snmpd to get rid of the debug messages
+
+* Wed Nov 25 2009 Jan Safranek 1:5.5-3
+- prepare the .spec file for review
+- run automatic regression suite after the compilation of the package
+ to check for obvious regressions
+- remove unnecessary package dependencies
+
+* Tue Nov 24 2009 Jan Safranek 1:5.5-2
+- introduce /etc/sysconfig/snmptrapd. Use it to specify snmptrapd command
+ line options. /etc/snmp/snmptrapd.options is not used anymore (#540799)
+- build-in ipAddressPrefixTable, ipDefaultRouterTable, ipv6ScopeZoneIndexTable,
+ ipIfStatsTable, SCTP-MIB, RMON-MIB and Etherlike-MIBs
+- remove ucd5820stat helper script, it depends on get5820stats, which is not
+ available in Fedora
+- move sample services ipf-mod.pl to documentation
+- remove logrotate config, snmpd logs into syslog
+
+* Tue Sep 29 2009 Jan Safranek Jan Safranek 5.5-1
+- update to Net-SNMP 5.5
+- remove static libraries from -devel subpackage
+
+* Mon Sep 14 2009 Jan Safranek 1:5.4.2.1-17
+- implement force-reload command in initscripts (#523126)
+
+* Fri Aug 21 2009 Tomas Mraz - 1:5.4.2.1-16
+- rebuilt with new openssl
+
+* Fri Aug 14 2009 Orion Poplawski 1:5.4.2.1-15
+- Prevent post script failure on fresh installs
+
+* Sat Jul 25 2009 Fedora Release Engineering - 1:5.4.2.1-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jul 1 2009 Jan Safranek 5.4.2.1-13
+- package cleanup, remove unnecessary patches
+- move local state file from /var/net-snmp/ to /var/lib/net-snmp
+
+* Wed Jul 1 2009 Jan Safranek 5.4.2.1-12
+- make the default configuration less noisy, i.e. do not print "Connection from
+ UDP:" and "Received SNMP packet(s) from UDP:" messages on each connection.
+ (#509055)
+
+* Mon May 18 2009 Jan Safranek 5.4.2.1-11
+- fix divison-by-zero in cpu statistics (#501210)
+
+* Fri Mar 06 2009 Jesse Keating - 5.4.2.1-10
+- Rebuild for new rpm
+
+* Wed Feb 25 2009 Fedora Release Engineering - 1:5.4.2.1-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Feb 16 2009 Jan Safranek 5.4.2.1-8
+- fix tcp_wrappers integration (CVE-2008-6123)
+
+* Fri Jan 30 2009 Karsten Hopp 5.4.2.1-7
+- fix build on s390x which has no libsensors
+
+* Sat Jan 17 2009 Tomas Mraz 5.4.2.1-7
+- rebuild with new openssl
+
+* Wed Dec 17 2008 Jan Safranek 5.4.2.1-6
+- rebuilt for new python again...
+
+* Mon Dec 1 2008 Jan Safranek 5.4.2.1-5
+- fix rpm ownership of all created directories (#473582)
+
+* Mon Dec 1 2008 Jan Safranek 5.4.2.1-4
+- Rebuild for fixed rpm (#473420)
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 1:5.4.2.1-3
+- Rebuild for Python 2.6
+
+* Mon Nov 3 2008 Jan Safranek 5.4.2.1-1
+- explicitly require the right version and release of net-snmp and
+ net-snmp-libs
+- update to net-snmp-5.4.2.1 to fix CVE-2008-4309
+
+* Fri Sep 26 2008 Jan Safranek 5.4.2-3
+- further tune up the distribution of files among subpackages
+ and dependencies
+
+* Fri Sep 26 2008 Jan Safranek 5.4.2-2
+- redistribute the perl scripts to the net-snmp package,
+ net-snmp-utils doesn't depend on perl now (#462484)
+
+* Wed Sep 17 2008 Jan Safranek 5.4.2-1
+- update to net-snmp-5.4.2
+
+* Wed Sep 10 2008 John A. Khvatov 5.4.1-22
+- add net-snmp-python
+
+* Tue Jul 22 2008 Jan Safranek 5.4.1-21
+- fix perl SNMP::Session::set (#452131)
+
+* Fri Jul 11 2008 Jan Safranek 5.4.1-20
+- prepare for new rpm version
+
+* Tue Jun 10 2008 Jan Safranek 5.4.1-19
+- fix various flaws (CVE-2008-2292 CVE-2008-0960)
+
+* Sat May 31 2008 Dennis Gilmore 5.4.1-18
+- fix sparc handling in /usr/bin/net-snmp-config
+
+* Thu May 29 2008 Dennis Gilmore 5.4.1-17
+- fix sparc handling in /usr/include/net-snmp/net-snmp-config-sparc.h
+
+* Sun May 25 2008 Dennis Gilmore 5.4.1-16
+-sparc multilib handling
+
+* Mon Apr 21 2008 Jan Safranek 5.4.1-15
+- explicitly require lm_sensor > 3 for build (#442718)
+- create multilib net-snmp-config on multilib architectures only
+
+* Tue Mar 18 2008 Tom "spot" Callaway 5.4.1-14
+- add Requires for versioned perl (libperl.so)
+- get rid of silly file Requires
+
+* Thu Mar 6 2008 Tom "spot" Callaway 5.4.1-13
+- BR: perl(ExtUtils::Embed)
+
+* Thu Mar 6 2008 Tom "spot" Callaway 5.4.1-12
+- rebuild for new perl
+
+* Thu Feb 21 2008 Jan Safranek 5.4.1-11
+- add openssl-devel to the list of netsnmp-devel deps
+
+* Thu Feb 14 2008 Jan Safranek 5.4.1-10
+- fixing ipNetToMediaNetAddress to show IP address (#432780)
+
+* Tue Feb 12 2008 Jan Safranek 5.4.1-9
+- introduce /etc/sysconfig/snmpd. Use it to specify snmpd command line options.
+ /etc/snmp/snmpd.options is not used anymore (#431391)
+
+* Mon Jan 28 2008 Jan Safranek 5.4.1-8
+- init scripts made LSB compliant
+
+* Wed Dec 5 2007 Jan Safranek 5.4.1-7
+- rebuild for openssl soname bump
+
+* Wed Nov 14 2007 Jan Safranek 5.4.1-6
+- add support of lm_sensors v3
+- added procps to build dependencies (#380321)
+- removed beecrypt from dependencies
+- fixed crash on reading xen interfaces (#386611)
+
+* Thu Oct 25 2007 Jan Safranek 5.4.1-5
+- move mib2c-update from net-snmp-utils to net-snmp-perl, where
+ mib2c is located
+- add tkmib to net-snmp-gui package (#167933)
+
+* Tue Oct 16 2007 Jan Safranek 5.4.1-4
+- License: field fixed to "BSD and CMU"
+
+* Thu Aug 23 2007 Jan Safranek 5.4.1-3
+- include these tables: ip-mib/ipv4InterfaceTable
+ ip-mib/ipv6InterfaceTable, ip-mib/ipAddressPrefixTable
+- fix Requires of net-snmp-devel to include lmsensors-devel on supported
+ architectures
+
+* Wed Aug 22 2007 Jan Safranek 5.4.1-2
+- gawk added to build dependencies
+
+* Tue Aug 7 2007 Jan Safranek 5.4.1-1
+- License: field changed to MIT
+- 5.4.1 integrated
+
+* Tue Jul 31 2007 Jan Safranek 5.4-16
+- supported lm_sensors on ppc64 (#249255)
+- snmpconf generates config files with proper selinux context
+ (#247462)
+- fix leak in udp transport (#247771)
+- add alpha to supported archs in net-snmp-config (#246825)
+- fix hrSWInst (#250237)
+
+* Thu Jun 28 2007 Jan Safranek 5.4-15
+- fix default snmptrapd.conf
+
+* Thu May 3 2007 Jan Safranek 5.4-14
+- fix snmptrapd hostname logging (#238587)
+- fix udpEndpointProcess remote IP address (#236551)
+- fix -M option of net-snmp-utils (#244784)
+- default snmptrapd.conf added (#243536)
+- fix crash when multiple exec statements have the same name
+ (#243536)
+- fix ugly error message when more interfaces share
+ one IP address (#209861)
+
+* Mon Mar 12 2007 Radek Vokál - 1:5.4-13
+- fix overly verbose log message (#221911)
+- few minor tweaks for review - still not perfect
+- fix linking with lcrypto (#231805)
+
+* Fri Mar 9 2007 Radek Vokál - 5.4-12
+- lm_sensors-devel only where avaliable
+
+* Thu Mar 1 2007 Radek Vokál - 5.4-11
+- fix lm_sensors-devel Requires (#229109)
+
+* Mon Feb 26 2007 Vitezslav Crhonek - 5.4-10
+- fix net-snmp-config strange values for --libs (#228588)
+
+* Fri Feb 23 2007 Radek Vokál - 5.4-9
+- fix dependency on lm_sensors-devel (#229109)
+- spec file cleanups
+
+* Tue Jan 23 2007 Radek Vokál - 5.4-8
+- fix occasional segfaults when snmpd starts
+
+* Thu Jan 11 2007 Radek Vokál - 5.4-7
+- fix ethtool extension (#222268)
+
+* Thu Jan 11 2007 Radek Vokál - 5.4-6
+- swith to new disman implementation
+
+* Tue Dec 12 2006 Radek Vokál - 5.4-5
+- fix memleaks in ip-addr and tcpConn
+
+* Thu Dec 7 2006 Radek Vokál - 5.4-4
+- fix rtnetlink.h/if_addr.h
+
+* Thu Dec 7 2006 Joe Orton - 5.4-3
+- add Requires for tcp_wrappers-devel for -devel
+
+* Mon Dec 4 2006 Radek Vokál - 5.4-2
+- rebuilt against tcp_wrappers-devel
+
+* Mon Nov 27 2006 Radek Vokal - 5.4-1
+- upgrade to 5.4
+- patch cleanup
+- snmpd uses /var/run/snmpd.pid (#211264)
+
+* Sun Oct 01 2006 Jesse Keating - 5.3.1-11
+- rebuilt for unwind info generation, broken in gcc-4.1.1-21
+
+* Mon Sep 25 2006 Radek Vokal 5.3.1-10
+- add mibII/mta_sendmail (#207909)
+
+* Fri Sep 22 2006 Radek Vokal 5.3.1-9
+- fix deprecated syscall base_reachable_time (#207273)
+
+* Wed Sep 13 2006 Radek Vokal 5.3.1-8
+- enable smux to listen only on LOCAL by default (#181667)
+- use correct answer adrress
+
+* Tue Sep 5 2006 Radek Vokal 5.3.1-7
+- better upstream patch for byteorder
+- add epoch to corespond with upstream versioning
+
+* Wed Aug 30 2006 Radek Vokal 5.3.1.0-6
+- fix IPv4/IPv6 address presentation (#200255)
+
+* Wed Aug 23 2006 Radek Vokal 5.3.1.0-5
+- SMUX support is still needed .. will disappear later!
+- static libs should be in devel not libs (#203571)
+- fix lm_sensors issues
+
+* Tue Aug 22 2006 Radek Vokal 5.3.1.0-4
+- turn off SMUX support (#110931)
+- add dist tag
+
+* Thu Aug 10 2006 Radek Vokal 5.3.1.0-3
+- fix lib dirs in configure (#197684)
+
+* Thu Aug 3 2006 Radek Vokal 5.3.1.0-2
+- better patch for depreciated sysctl call
+
+* Mon Jul 17 2006 Radek Vokal 5.3.1.0-1
+- update to 5.3.1 final version, fix version number
+
+* Wed Jul 12 2006 Radek Vokál 5.3.1.rc4-2
+- fix init script, read .options files from /etc/snmp (#195702)
+
+* Wed Jul 12 2006 Jesse Keating - 5.3.1.rc4-1.1
+- rebuild
+
+* Mon Jul 10 2006 Radek Vokal 5.3.1.rc4-1
+- update to release candidate 4
+- fix lib dependencies on 64bit archs
+- supress perl build
+
+* Tue Jun 13 2006 Radek Vokal 5.3.1.pre3-2
+- add tcp-mib (#194856)
+
+* Fri Jun 2 2006 Radek Vokal 5.3.1.pre3-1
+- update to another prerelease (fixes perl agents)
+
+* Fri May 26 2006 Radek Vokal 5.3.1.pre2-4
+- fix lib version
+
+* Thu May 25 2006 Radek Vokal 5.3.1.pre2-3
+- another multilib fix. Fix also net-snmp-config script
+
+* Wed May 24 2006 Radek Vokal 5.3.1.pre2-2
+- another attempt to fix multilib issue. Generate dummy net-snmp-config.h file
+
+* Tue May 23 2006 Radek Vokal 5.3.1.pre2-1
+- update to 5.3.1.pre2
+- fix multilib issues (#192736)
+ On system with /usr/lib64 use net-snmp-config64 and net-snmp-config64.h
+
+* Sat Apr 15 2006 Radek Vokál 5.3-8
+- fix missing IF-MIB::ifNumber.0 (#189007)
+
+* Wed Apr 05 2006 Radek Vokál 5.3-7
+- fix parsing of /proc/diskstats
+- fix disman monitor crash
+- fix perl vendor name
+- fix OID lookup fail
+
+* Sat Mar 25 2006 Radek Vokal 5.3-6
+- use net.ipv6.neigh.lo.retrans_time_ms (#186546)
+
+* Mon Mar 20 2006 Radek Vokal 5.3-5
+- allow disman/event-mib
+
+* Fri Feb 10 2006 Jesse Keating - 5.3-4.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 5.3-4.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Thu Feb 2 2006 Radek Vokál 5.3-4
+- fix crash on s390x and ppc64
+
+* Mon Jan 30 2006 Radek Vokál 5.3-3
+- fix for lm_Senors, the max is no longer a fixed value
+- parsing fixed for /proc/net/if_inet6
+
+* Wed Jan 18 2006 Radek Vokal 5.3-2
+- Security fix. Bug granting write access to read-only users
+ or communities which were configured using the "rocommunity"
+ or "rouser" snmpd.conf tokens fixed
+
+* Fri Dec 30 2005 Radek Vokal
+- upgrade to 5.3
+
+* Fri Dec 16 2005 Jesse Keating
+- rebuilt for new gcj
+
+* Fri Dec 16 2005 Radek Vokal - 5.2.2-4
+- check for header files in configure
+- patch for SNMPv3 traps / session user creation (net-snmp bz#1374087)
+
+* Fri Dec 09 2005 Radek Vokal - 5.2.2-3
+- fix ipaddr return type on 64bit machines
+
+* Wed Dec 07 2005 Radek Vokal - 5.2.2-2
+- fix read problem on stream sockets (net-snmp bz#1337534)
+
+* Tue Nov 29 2005 Radek Vokal - 5.2.2-1
+- upgrade to 5.2.2 final
+
+* Mon Nov 21 2005 Radek Vokal - 5.2.2-0.rc6.1
+- update to rc6, snmpnetstat changes due to license problems
+- persistent files in directory defined by snmp.conf persistentDir are
+ loaded at startup
+
+* Tue Nov 15 2005 Radek Vokal - 5.2.2-0.rc5.1
+- another release candidate
+
+* Tue Nov 08 2005 Radek Vokal - 5.2.2-0.rc4.2
+- Remove .la file from net-snmp-libs (#172618)
+- grab new openssl
+
+* Mon Nov 07 2005 Radek Vokal - 5.2.2-0.rc4.1
+- update to release candidate 4
+
+* Tue Nov 01 2005 Radek Vokal - 5.2.2-0.rc3.1
+- release candidate 3 of net-snmp-5.2.2
+
+* Tue Oct 25 2005 Radek Vokal - 5.2.2.rc2-1
+- rc2 prebuilt
+
+* Tue Sep 20 2005 Radek Vokal - 5.2.1.2-3
+- fix endian issues for addresses
+
+* Fri Aug 12 2005 Radek Vokal - 5.2.1.2-2
+- fix for s390x counter32 overflow (sachinp@in.ibm.com)
+
+* Wed Jul 13 2005 Radek Vokal - 5.2.1.2-1
+- CAN-2005-2177 new upstream version fixing DoS (#162908)
+
+* Tue May 31 2005 Radek Vokal - 5.2.1-13
+- CAN-2005-1740 net-snmp insecure temporary file usage (#158770)
+- patch from suse.de
+
+* Wed May 18 2005 Radek Vokal - 5.2.1-12
+- session free fixed, agentx modules build fine (#157851)
+- fixed dependency for net-snmp libs (#156932)
+
+* Wed May 04 2005 Radek Vokal - 5.2.1-11
+- report gigabit Ethernet speeds using Ethtool (#152480)
+
+* Tue Apr 19 2005 Radek Vokal - 5.2.1-10
+- fixed missing requires for devel package (#155221)
+
+* Wed Apr 06 2005 Radek Vokal - 5.2.1-9
+- switching to a different 64bit patch, hopefully 64bit problems are gone for a while
+
+* Mon Apr 04 2005 Radek Vokal - 5.2.1-8
+- net-snmp properly deals with large partitions (#153101)
+
+* Thu Mar 31 2005 Radek Vokal - 5.2.1-7
+- agentx double free error fix
+
+* Thu Mar 24 2005 Radek Vokal - 5.2.1-6
+- fixed unexpected length for type ASN_UNSIGNED (#151892)
+- fixed uptime problems on ia64
+
+* Wed Mar 09 2005 Radek Vokal - 5.2.1-5
+- 64bit needed some changes, was causing timeouts on 64bit archs!?
+- affects bugs #125432 and #132058
+
+* Tue Mar 1 2005 Tomas Mraz - 5.2.1-4
+- rebuild with openssl-0.9.7e
+
+* Wed Feb 23 2005 Radek Vokal - 5.1.2-3
+- patch from CVS - kill extra carriage return (#144917)
+- removed patch for interface indexing - doesn't show virtual interfaces
+
+* Tue Feb 8 2005 Jeremy Katz - 5.2.1-2
+- rebuild for new librpm
+
+* Mon Jan 31 2005 Radek Vokal 5.2.1-1
+- new release, fixing several issues
+- pointer needs to be inicialized (#146417)
+
+* Mon Dec 27 2004 Radek Vokal 5.2-2
+- patch adding ipv6 support to ip system stats
+
+* Tue Nov 30 2004 Radek Vokal 5.2-1
+- net-snmp-5.2, patch clean-up
+
+* Mon Nov 15 2004 Radek Vokal 5.1.2-12
+- snmpd crash with 'interfaces' directives in snmpd.conf fixed #139010
+- rather dirty patch fixing conf directory for net-snmp-config
+
+* Fri Oct 15 2004 Radek Vokal 5.1.2-11
+- Logrotate support added (#125004)
+
+* Thu Oct 14 2004 Phil Knirsch 5.1.2-10
+- Extended the libwrap and bsdcompat patches
+
+* Mon Oct 11 2004 Phil Knirsch 5.1.2-9
+- Droped obsolete lm-sensors patch and enabled lmSensors module
+- Marked several patches to be removed for 5.1.3
+
+* Wed Sep 29 2004 Warren Togami 5.1.2-8
+- remove README* that do not apply to Linux
+- trim massive ChangeLog
+
+* Wed Sep 22 2004 Florian La Roche
+- move ldconfig post/postun to libs subrpm
+
+* Wed Sep 15 2004 Phil Knirsch 5.1.2-6
+- Split out libs package for multilib compatibility
+
+* Wed Sep 08 2004 Radek Vokal 5.1.2-4
+- New prereq for net-snmp-devel
+- lelf check removed from configure.in (#128748)
+- fixed snmpd coredump when sent SIGHUP (#127314)
+
+* Tue Sep 07 2004 Radek Vokal 5.1.2-3
+- Agentx failed to send trap, fixed (#130752, #122338)
+
+* Mon Sep 06 2004 Radek Vokal 5.1.2-2
+- Patch fixing uninitalized stack variable in smux_trap_process (#130179)
+
+* Wed Aug 18 2004 Phil Knirsch 5.1.2-1
+- Update to 5.1.2
+- Removed net-snmp-5.0.1-initializer patch, included upstream
+
+* Tue Jun 15 2004 Phil Knirsch
+- Fixed small bug in snmptrapd initscript (#126000).
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Thu May 06 2004 Phil Knirsch 5.1.1-3
+- Reworked the perl filelist stuff (Thanks to marius feraru).
+
+* Thu Apr 08 2004 Phil Knirsch 5.1.1-2
+- Added Kaj J. Niemi that fixes ipAdEntIfIndex problem (#119106)
+- Added Kaj J. Niemi to shut up memshared message for 2.6 kernel (#119203)
+
+* Tue Mar 23 2004 Phil Knirsch 5.1.1-1
+- Update to latest upstream version 5.1.1
+- Included updated patches from Kaj J. Niemi (#118580).
+
+* Thu Mar 18 2004 Phil Knirsch 5.1-12
+- Hacked an ugly perl hack to get rid of perl RPATH problems.
+- Fixed 64bit patch and applied it. ;-)
+
+* Tue Mar 02 2004 Elliot Lee
+- rebuilt
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Wed Feb 04 2004 Phil Knirsch 5.1-10
+- Included 64bit fix from Mark Langsdorf (#114645).
+
+* Tue Feb 03 2004 Phil Knirsch 5.1-9
+- Reverted removal of _includir redefiniton due to php-snmp dependancy.
+- Remove SO_BSDCOMPAT setsockopt() call, deprecated.
+
+* Thu Jan 29 2004 Phil Knirsch 5.1-8
+- Quite a bit of specfile cleanup from Marius FERARU.
+
+* Thu Jan 22 2004 Thomas Woerner 5.1-7
+- enabled pie (snmpd, snmptrapd) - postponed for ia64
+- added --with-pic to configure call
+
+* Thu Jan 15 2004 Phil Knirsch 5.1-6
+- Fixed 64bit build problems when 32bit popt lib is installed.
+
+* Tue Jan 13 2004 Phil Knirsch 5.1-5
+- rebuilt
+
+* Sun Jan 11 2004 Florian La Roche 5.1-4
+- rebuild for new rpm
+
+* Wed Dec 10 2003 Phil Knirsch 5.1-3
+- Removed snmpcheck again, needs perl(Tk) which we don't ship (#111194).
+- Fixed getopt definition in include file (#111209).
+- Included Kaj J. Niemi's patch for broken perl module (#111319).
+- Included Kaj J. Niemi's patch for broken async getnext perl call (#111479).
+- Included Kaj J. Niemi's patch for broken hr_storage (#111502).
+
+* Wed Nov 26 2003 Phil Knirsch 5.1-2
+- Included BuildPrereq on lm_sensors-devel on x86 archs (#110616).
+- Fixed deprecated initscript options (#110618).
+
+* Wed Nov 19 2003 Phil Knirsch 5.1-1
+- Updated to latest net-snmp-5.1 upstream version.
+- Tons of specfile and patch cleanup.
+- Cleaned up perl stuff (mib2c etc, see #107707).
+- Added lm_sensors support patch for x86 archs from Kaj J. Niemi (#107618).
+- Added support for custom mib paths and mibs to snmptrapd initscript (#102762)
+
+* Mon Oct 13 2003 Phil Knirsch 5.0.9-2
+- Due to rpm-devel we need elfutils-devel, too (#103982).
+
+* Mon Sep 29 2003 Phil Knirsch 5.0.9-1
+- Updated to latest upstream version net-snmp-5.0.9
+- Added patch to fix net-snmp-perl problems (#105842).
+
+* Tue Sep 23 2003 Florian La Roche
+- allow compiling without tcp_wrappers
+
+* Wed Sep 17 2003 Phil Knirsch 5.0.8-11.1
+- rebuilt
+
+* Wed Sep 17 2003 Phil Knirsch 5.0.8-11
+- Fixed permission for net-snmp-config in net-snmp-devel
+
+* Mon Sep 08 2003 Phil Knirsch 5.0.8-10.1
+- rebuilt
+
+* Mon Sep 08 2003 Phil Knirsch 5.0.8-10
+- Moved net-snmp-config into devel package (#103927)
+
+* Fri Aug 22 2003 Phil Knirsch 5.0.8-9.1
+- rebuilt
+
+* Thu Aug 21 2003 Phil Knirsch 5.0.8-9
+- Added sample config to make net-snmp RFC 1213 compliant.
+
+* Fri Aug 15 2003 Phil Knirsch 5.0.8-8
+- Fixed problem with perl option (#102420).
+- Added patch for libwrap fix (#77926).
+
+* Tue Aug 12 2003 Phil Knirsch 5.0.8-7.1
+- rebuilt
+
+* Tue Aug 12 2003 Phil Knirsch 5.0.8-7
+- Fixed build problems on ppc64
+- Fixed double packaged manpages (#102075).
+
+* Thu Aug 07 2003 Phil Knirsch
+- Fixed problem with new proc output (#98619, #89960).
+
+* Wed Aug 06 2003 Phil Knirsch
+- Fixed ro/rw problem with v2 and v3 request (#89612)
+
+* Tue Aug 05 2003 Phil Knirsch
+- Fixed permission problem for debuginfo (#101456)
+
+* Thu Jul 31 2003 Phil Knirsch 5.0.8-6.1
+- Fixed file list for latest build.
+
+* Thu Jul 31 2003 Phil Knirsch 5.0.8-6
+- Fixed build problems for net-snmp-perl.
+
+* Sun Jul 27 2003 Florian La Roche 5.0.8-5
+- actually apply ipv6 patch
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Tue Apr 29 2003 Phil Knirsch 5.0.8-3
+- bumped release and rebuilt.
+
+* Tue Apr 29 2003 Phil Knirsch 5.0.8-2
+- Hack to make it build on 64bit platforms with /usr/lib64 correctly.
+- Fixed bug #85071 (leak of open descriptors for ipv6).
+
+* Fri Mar 28 2003 Phil Knirsch 5.0.8-1
+- Updated to latest upstream version 5.0.8 (bug #88580)
+
+* Thu Feb 13 2003 Phil Knirsch
+- Included generation of perl stuff. Thanks to Harald Hoyer.
+
+* Wed Feb 12 2003 Phil Knirsch 5.0.7-1
+- Updated to net-snmp-5.0.7. Fixed especially the performance problem with
+ limited trees.
+
+* Tue Feb 11 2003 Phil Knirsch 5.0.6-17
+- Fixed ucd-snmp.redhat.conf (#78391).
+- Fixed snmpwalk examples in config file.
+
+* Mon Feb 10 2003 Phil Knirsch 5.0.6-15
+- Fixed invalid SMUX packet (#83487).
+
+* Thu Feb 06 2003 Phil Knirsch 5.0.6-14
+- Fixed the libdir problem.
+
+* Wed Feb 05 2003 Phil Knirsch 5.0.6-13
+- Updated the old libtool rpath patch.
+
+* Wed Jan 22 2003 Tim Powers 5.0.6-12
+- rebuilt
+
+* Tue Jan 14 2003 Phil Knirsch 5.0.6-11
+- Updated nolibelf patch and activated it again.
+
+* Tue Jan 7 2003 Nalin Dahyabhai 5.0.6-10
+- Rebuild
+
+* Tue Dec 17 2002 Phil Knirsch 5.0.6-9
+- Added bzip2-devel to BuildPreReq (#76086, #70199).
+
+* Thu Nov 28 2002 Phil Knirsch 5.0.6-8
+- Added patch to increase SMUXMAXSTRLEN.
+
+* Thu Nov 7 2002 Tim Powers 5.0.6-6
+- rebuilt to fix broken deps
+- remove files from the buildroot that we don't want to ship
+
+* Thu Nov 7 2002 Joe Orton 5.0.6-5
+- add fix for -DUCD_COMPATIBLE (#77405)
+
+* Thu Nov 07 2002 Phil Knirsch 5.0.6-4
+- Another bump required. Some more specfile changes.
+
+* Wed Nov 06 2002 Phil Knirsch 5.0.6-3
+- Bumped release and rebuilt.
+- Removed all dbFOO cruft again.
+
+* Wed Oct 09 2002 Phil Knirsch 5.0.6-2
+- Updated to latest released version.
+
+* Sat Aug 31 2002 Florian La Roche
+- do not link against -lelf
+
+* Thu Jun 27 2002 Phil Knirsch 5.0.1-5
+- Added --enable-ucd-snmp-compatibility for compatibility with older version
+ and fixed installation thereof.
+- Got rid of the perl(Tk) dependancy by removing snmpcheck.
+- Include /usr/include/ucd-snmp in the filelist.
+- Fixed a problem with the ucd-snmp/version.h file.
+
+* Wed Jun 26 2002 Phil Knirsch 5.0.1-1
+- Updated to 5.0.1
+- Dropped --enable-reentrant as it's currently broken
+
+* Tue Apr 23 2002 Phil Knirsch 5.0-1
+- Switch to latest stable version, 5.0
+- Renamed the packate to net-snmp and obsoleted ucd-snmp.
+
+* Wed Apr 17 2002 Phil Knirsch 4.2.4-3
+- Fixed problem with reload in initscript (#63526).
+
+* Mon Apr 15 2002 Tim Powers 4.2.4-2
+- rebuilt in new environment
+
+* Mon Apr 15 2002 Tim Powers 4.2.4-1
+- update to 4.2.4 final
+
+* Sat Apr 13 2002 Phil Knirsch 4.2.4.pre3-5
+- Added some missing files to the %%files section.
+
+* Tue Apr 09 2002 Phil Knirsch 4.2.4.pre3-4
+- Hardcoded the ETC_MNTTAB to point to "/etc/mtab".
+
+* Mon Apr 08 2002 Phil Knirsch 4.2.4.pre3-3
+- Removed the check for dbFOO as we don't want to add another requirement.
+
+* Fri Apr 05 2002 Phil Knirsch 4.2.4.pre3-2
+- Added missing BuildPrereq to openssl-devel (#61525)
+
+* Thu Apr 04 2002 Phil Knirsch 4.2.4.pre3-1
+- Added ucd5820stat to the files section.
+- Updated to latest version (4.2.4.pre3)
+
+* Mon Mar 18 2002 Phil Knirsch 4.2.4.pre2-1
+- Updated to latest version (4.2.4.pre2)
+
+* Tue Jan 29 2002 Phil Knirsch 4.2.3-4
+- Added the snmptrapd init script as per request (#49205)
+- Fixed the again broken rpm query stuff (#57444)
+- Removed all old and none-used db related stuff (libs and header checks/files)
+
+* Mon Jan 07 2002 Phil Knirsch 4.2.3-2
+- Included the Axioma Security Research fix for snmpnetstat from bugtraq.
+
+* Mon Dec 03 2001 Phil Knirsch 4.2.3-1
+- Update to 4.2.3 final.
+- Fixed libtool/rpath buildroot pollution problem.
+- Fixed library naming problem.
+
+* Fri Oct 5 2001 Philipp Knirsch
+- Fixed a server segfault for snmpset operation (#53640). Thanks to Josh Giles
+ and Wes Hardaker for the patch.
+
+* Mon Sep 10 2001 Philipp Knirsch
+- Fixed problem with RUNTESTS script.
+
+* Tue Sep 4 2001 Preston Brown
+- fixed patch related to bug #35016 (Dell)
+
+* Fri Aug 24 2001 Philipp Knirsch 4.2.1-6
+- Fixed snmpd description (#52366)
+
+* Wed Aug 22 2001 Philipp Knirsch
+- Final bcm5820 fix. Last one was broken.
+- Fixed bugzilla bug (#51960) where the binaries contained rpath references.
+
+* Wed Aug 15 2001 Philipp Knirsch
+- Fixed a couple of security issues:
+ o /tmp race and setgroups() privilege problem
+ o Various buffer overflow and format string issues.
+ o One signedness problem in ASN handling.
+- Fixed an important RFE to support bcm5820 cards. (#51125)
+
+* Fri Jul 20 2001 Philipp Knirsch
+- Removed tkmib from the package once again as we don't ship the Tk.pm CPAN
+ perl module required to run it (#49363)
+- Added missing Provides for the .so.0 libraries as rpm doesn't seem to find
+ those during the build anymore (it used to) (#46388)
+
+* Thu Jul 19 2001 Philipp Knirsch
+- Enabled IPv6 support (RFE #47764)
+- Hopefully final fix of snmpwalk problem (#42153). Thanks to Douglas Warzecha
+ for the patch and Matt Domsch for reporting the problem.
+
+* Tue Jun 26 2001 Philipp Knirsch
+- Fixed smux compilation problems (#41452)
+- Fixed wrong paths displayed in manpages (#43053)
+
+* Mon Jun 25 2001 Philipp Knirsch
+- Updated to 4.2.1. Removed 2 obsolete patches (fromcvs and #18153)
+- Include /usr/share/snmp/snmpconf in %%files
+
+* Wed Jun 13 2001 Than Ngo
+- fix to use libwrap in distro
+- add buildprereq: tcp_wrappers
+
+* Fri Jun 1 2001 Bill Nottingham
+- add a *new* patch for IP address return sizes
+
+* Fri Apr 20 2001 Bill Nottingham
+- add patch so that only four bytes are returned for IP addresses on ia64 (#32244)
+
+* Wed Apr 11 2001 Bill Nottingham
+- rebuild (missing alpha packages)
+
+* Fri Apr 6 2001 Matt Wilson
+- added ucd-snmp-4.2-null.patch to correcly handle a NULL value (#35016)
+
+* Tue Apr 3 2001 Preston Brown
+- clean up deinstallation (#34168)
+
+* Tue Mar 27 2001 Matt Wilson
+- return a usable RETVAL when running "service snmpd status" (#33571)
+
+* Tue Mar 13 2001 Matt Wilson
+- configure with --enable-reentrant and added "smux" and "agentx" to
+ --with-mib-modules= argument (#29626)
+
+* Fri Mar 2 2001 Nalin Dahyabhai
+- rebuild in new environment
+
+* Mon Feb 26 2001 Tim Powers
+- fixed initscript, for reload and restart it was start then stop,
+ fixed. (#28477)
+
+* Fri Feb 2 2001 Trond Eivind Glomsrod
+- i18nize initscript
+
+* Sat Jan 6 2001 Jeff Johnson
+- don't depend on /etc/init.d so that package will work with 6.2.
+- perl path fiddles no longer needed.
+- rely on brp-compress frpm rpm to compress man pages.
+- patch from ucd-snmp CVS (Wes Hardaker).
+- configure.in needs to check for rpm libraries correctly (#23033).
+- add simple logrotate script (#21399).
+- add options to create pidfile and log with syslog with addresses (#23476).
+
+* Sat Dec 30 2000 Jeff Johnson
+- package for Red Hat 7.1.
+
+* Thu Dec 07 2000 Wes Hardaker
+- update for 4.2
+
+* Thu Oct 12 2000 Jeff Johnson
+- add explicit format for syslog call (#18153).
+
+* Thu Jul 20 2000 Bill Nottingham
+- move initscript back
+
+* Thu Jul 20 2000 Jeff Johnson
+- rebuild per Trond's request.
+
+* Tue Jul 18 2000 Nalin Dahyabhai
+- fix syntax error that crept in with condrestart
+
+* Wed Jul 12 2000 Prospector
+- automatic rebuild
+
+* Mon Jul 10 2000 Preston Brown
+- move initscript and add condrestart magic
+
+* Sat Jun 17 2000 Bill Nottingham
+- fix %%attr on man pages
+
+* Mon Jun 12 2000 Jeff Johnson
+- tkmib doco had #!/usr/bin/perl55
+- include snmpcheck and tkmib again (still needs some CPAN module, however).
+
+* Tue Jun 6 2000 Jeff Johnson
+- update to 4.1.2.
+- FHS packaging.
+- patch for rpm 4.0.
+
+* Thu May 18 2000 Trond Eivind Glomsrod
+- add version to buildroot
+- rebuilt with new libraries
+
+* Sun Feb 27 2000 Jeff Johnson
+- default config was broken (from Wes Hardaker) (#9752)
+
+* Sun Feb 13 2000 Jeff Johnson
+- compressed man pages.
+
+* Fri Feb 11 2000 Wes Hardaker
+- update to 4.1.1
+
+* Sat Feb 5 2000 Florian La Roche
+- change %%postun to %%preun
+
+* Thu Feb 3 2000 Elliot Lee
+- Don't ship tkmib, since we don't ship the perl modules needed to run it.
+(Bug #4881)
+
+* Tue Aug 31 1999 Jeff Johnson
+- default config permits RO access to system group only (Wed Hardaker).
+
+* Sun Aug 29 1999 Jeff Johnson
+- implement suggestions from Wes Hardaker.
+
+* Fri Aug 27 1999 Jeff Johnson
+- stateless access to rpm database.
+
+* Wed Aug 25 1999 Jeff Johnson
+- update to 4.0.1.
+
+* Mon Aug 16 1999 Bill Nottingham
+- initscript munging
+
+* Sat Jun 12 1999 Jeff Johnson
+- update to 3.6.2 (#3219,#3259).
+- add missing man pages (#3057).
+
+* Thu Apr 8 1999 Wes Hardaker
+- fix Source0 location.
+- fix the snmpd.conf file to use real community names.
+
+* Sun Mar 21 1999 Cristian Gafton
+- auto rebuild in the new build environment (release 3)
+
+* Fri Mar 19 1999 Preston Brown
+- upgrade to 3.6.1, fix configuration file stuff.
+
+* Wed Feb 24 1999 Preston Brown
+- Injected new description and group.
+
+* Tue Feb 2 1999 Jeff Johnson
+- restore host resources mib
+- simplified config file
+- rebuild for 6.0.
+
+* Tue Dec 22 1998 Bill Nottingham
+- remove backup file to fix perl dependencies
+
+* Tue Dec 8 1998 Jeff Johnson
+- add all relevant rpm scalars to host resources mib.
+
+* Sun Dec 6 1998 Jeff Johnson
+- enable libwrap (#253)
+- enable host module (rpm queries over SNMP!).
+
+* Mon Oct 12 1998 Cristian Gafton
+- strip binaries
+
+* Fri Oct 2 1998 Jeff Johnson
+- update to 3.5.3.
+- don't include snmpcheck until perl-SNMP is packaged.
+
+* Thu Aug 13 1998 Jeff Johnson
+- ucd-snmpd.init: start daemon w/o -f.
+
+* Tue Aug 4 1998 Jeff Johnson
+- don't start snmpd unless requested
+- start snmpd after pcmcia.
+
+* Sun Jun 21 1998 Jeff Johnson
+- all but config (especially SNMPv2p) ready for prime time
+
+* Sat Jun 20 1998 Jeff Johnson
+- update to 3.5.
+
+* Tue Dec 30 1997 Otto Hammersmith
+- created the package... possibly replace cmu-snmp with this.
diff --git a/net-snmpd.sysconfig b/net-snmpd.sysconfig
new file mode 100644
index 0000000..6949ec0
--- /dev/null
+++ b/net-snmpd.sysconfig
@@ -0,0 +1,3 @@
+# snmpd command line options
+# '-f' is implicitly added by snmpd systemd unit file
+# OPTIONS="-LS0-6d"
diff --git a/net-snmptrapd.sysconfig b/net-snmptrapd.sysconfig
new file mode 100644
index 0000000..85e3128
--- /dev/null
+++ b/net-snmptrapd.sysconfig
@@ -0,0 +1,3 @@
+# snmptrapd command line options
+# '-f' is implicitly added by snmptrapd systemd unit file
+# OPTIONS="-Lsd"
diff --git a/snmpd.service b/snmpd.service
new file mode 100644
index 0000000..8f6cb2e
--- /dev/null
+++ b/snmpd.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Simple Network Management Protocol (SNMP) Daemon.
+After=syslog.target network-online.target
+
+[Service]
+Type=notify
+Environment=OPTIONS="-LS0-6d"
+EnvironmentFile=-/etc/sysconfig/snmpd
+ExecStart=/usr/sbin/snmpd $OPTIONS -f
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
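Review bot: The comments in net-snmpd.sysconfig do not say that an uncommented `OPTIONS=` here replaces the default from snmpd.service rather than adding to it, because values read through `EnvironmentFile=` override `Environment=`. An administrator who sets any other option therefore also drops the `-LS0-6d` logging selection without noticing. A comment such as `# Setting OPTIONS replaces the unit default; repeat the -L option to keep logging unchanged` would make that explicit. The same applies to net-snmptrapd.sysconfig and its `-Lsd` default.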
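Review bot: The `[Service]` section of snmpd.service starts the agent with no systemd sandboxing, and nothing in the unit drops privileges, so as far as the unit shows the process that parses SNMP packets from the network keeps root's full view of the filesystem. This import carries memory-safety and privilege fixes in its patch list (net-snmp-5.7.2-CVE-2020-15862.patch among them), which is a reason to limit what a compromised agent can reach. `PrivateTmp=true` and `ProtectSystem=full` are the usual starting point. Both need testing against the agent's persistent-state directory and any extend or pass scripts before shipping. snmptrapd.service has the same gap.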
diff --git a/snmptrapd.service b/snmptrapd.service
new file mode 100644
index 0000000..ec71e75
--- /dev/null
+++ b/snmptrapd.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Simple Network Management Protocol (SNMP) Trap Daemon.
+After=syslog.target network-online.target
+
+[Service]
+Type=notify
+Environment=OPTIONS="-Lsd"
+EnvironmentFile=-/etc/sysconfig/snmptrapd
+ExecStart=/usr/sbin/snmptrapd $OPTIONS -f
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sources b/sources
new file mode 100644
index 0000000..926d4ee
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (net-snmp-5.8.tar.gz) = 95d13b6acdbc0892bbcb345795eb0500c30aaae0250ad1c17f9b2ae9000cf66f597c9051eadb32bcdc07504a2d7670d6f542e6928dd56fcf45bb1f1e7e021711
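Review bot: `After=syslog.target network-online.target` in snmptrapd.service only orders the unit, and nothing pulls `network-online.target` in. On a host where no other unit requests that target, the trap daemon can start before the addresses it should listen on are configured. Adding `Wants=network-online.target` next to the `After=` line closes that. `syslog.target` is, as far as I know, obsolete in current systemd and could be dropped from the list. snmpd.service has the identical `After=` line.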