[Pkg-net-snmp-devel] Bug#965166: Bug#965166: snmpd privilege escalation

Craig Small csmall at debian.org
Mon Jul 20 04:25:09 BST 2020


On Sat, 18 Jul 2020 at 12:04, Bart Van Assche <bvanassche at acm.org> wrote:

> Net-SNMP version 5.7.3, the version included in Debian, is no longer
> maintained upstream.
>
I just tested it on snmpd v5.8 released around July 2018 and it has this
issue too.

> A patch has been applied to the Net-SNMP v5.8 and master branches that
> removes the EXTEND MIB from the list with default MIBs. See also commit
> c2b96ee74439 ("snmpd: Disable NET-SNMP-EXTEND-MIB support by default").
>
Is the single line removal in that commit all it needs? From what I can see
the patch for v5.8 and master branches is just importing c2b96ee74439.
That will make things very easy to fix.

> Since Net-SNMP already
> supports other mechanisms for extending snmpd, e.g. the extend and
> extendfix directives in snmpd.conf, I propose to disable the EXTEND MIB.
>
I'm happy to see it go, for the reasons you point out.

Oddly enough, if you set the user in the configuration file and set it on
the command line with the -u flag, the configuration file parameter wins.

root       41574  0.0  0.0  23592 13768 ?        Ss   13:12   0:00
/usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger
mteTriggerConf -f -p /run/snmpd.pid

 - Craig
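An added audit helper for the two configuration points raised in this thread (example code written for this page; it is not from the Debian bug report, from Net-SNMP, or from either correspondent). It checks an snmpd.conf together with the snmpd command line: whether the agent user is set in both places and the two disagree, how many directives grant SNMP SET access (rwcommunity/rwuser, the write path that a loaded NET-SNMP-EXTEND-MIB would expose), and how many extend/extendfix directives are in use. Directive names are taken from snmpd.conf(5); the sample config and command line below are constructed, and only the space-separated "-u USER" form is parsed.

```shell
#!/bin/sh
# Added example, not Net-SNMP or Debian code. Directive names assumed from
# snmpd.conf(5): agentuser, rwcommunity, rwcommunity6, rwuser, extend, extendfix.

# Print the value of a one-argument snmpd.conf directive (first match).
# Comment lines never match because their first field starts with '#'.
# Usage: conf_value FILE DIRECTIVE
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Print the user passed to snmpd as "-u USER" on its command line.
# Returns 1 when no -u is present. Usage: cmdline_user "CMDLINE"
cmdline_user() {
    # shellcheck disable=SC2086
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-u" ] && [ $# -ge 2 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Exit 0 when both the config file (agentuser) and the command line (-u)
# name a user and they differ, i.e. the situation described in the thread
# where it is not obvious which one snmpd will actually run as.
user_conflict() {
    cu=$(conf_value "$1" agentuser)
    lu=$(cmdline_user "$2") || return 1
    [ -n "$cu" ] && [ "$cu" != "$lu" ]
}

# Count directives that grant SNMP SET (write) access.
rw_directives() {
    awk '!/^[[:space:]]*#/ && ($1 == "rwcommunity" || $1 == "rwcommunity6" || $1 == "rwuser") { n++ }
         END { print n+0 }' "$1"
}

# Count extend/extendfix directives, the config-file mechanism the thread
# proposes keeping in place of the EXTEND MIB.
extend_directives() {
    awk '!/^[[:space:]]*#/ && ($1 == "extend" || $1 == "extendfix") { n++ }
         END { print n+0 }' "$1"
}

# Demo over a constructed snmpd.conf and a command line modelled on the ps
# output in the thread (not taken from a real host).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample snmpd.conf
agentuser snmp
rocommunity public
rwcommunity s3cret 10.0.0.0/8
extend uptime /bin/cat /proc/uptime
EOF
    cmd='/usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid'
    if user_conflict "$tmp" "$cmd"; then
        echo "WARNING: agentuser '$(conf_value "$tmp" agentuser)' in config vs -u '$(cmdline_user "$cmd")' on command line"
    fi
    echo "SET-capable access directives: $(rw_directives "$tmp")"
    echo "extend/extendfix directives:   $(extend_directives "$tmp")"
    rm -f "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh audit.sh demo` to see the three findings on the constructed input; on a real host, point `conf_value`/`rw_directives`/`extend_directives` at /etc/snmp/snmpd.conf and feed `cmdline_user` the `ps` line. A non-zero rw count on a host whose snmpd still loads the EXTEND MIB by default is the combination this bug report is about.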