Upstream changes:
* 5.{5,6,7}.2.1 *
snmpd:
- SECURITY: a denial of service attack vector was discovered on
the linux implementation of the ICMP-MIB. This release fixes
this bug and all users are encouraged to update their SNMP
agent if they make use of the ICMP-MIB table objects.
Fixes CVE-2014-2284.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
This is a major update in terms of pkgsrc patches, of which there are
far far too many. Analysis of patches was done by Karen Sirois of
BBN, and I have remvoed patches that have been applied upstream.
This builds fine and passes tests on NetBSD 6 i386. If you look after
some other platform (Dragonfly, Darwin, FreeBSD, etc.), please make
sure any problems are filed as upstream tickets; pkgsrc is not
appropriate to carry patches long-term that should be fixed upstream,
and this package has gotten out of hand.
(OK by adam@ to do the update, but he has not reviewed the changes, so
errors are my fault. It's quite likely there are issues on other
platforms.)
Upstream NEWS:
*5.7.2*
snmp:
- BUG: 3526549: CVE-2012-2141 Array index error leading to crash
snmpd:
- BUG: 3532090: Fix high ifIndex values crashing hrDeviceDescr
building:
- PATCH: 2091156: correctly declare dependencies in Makefile. 'make
-j <N>' should work now. Backport this to V5-4 as it is needed for
correct operation in the single threaded case of make miblib as
well.
Many other miscellaneous minor bug fixes
*5.7.1*
libnetsnmp:
- Fixed the mib-parsing-bug introduced shortly before 5.7
agent:
- fixed rounding errors for disk percentage calculations
openbsd:
- better support for recent openbsd releases
features:
- bug fixes with minimalist support after additional user feedback
Many other miscellaneous minor bug fixes
*5.7*
snmpd:
- Delivery of data via regularily scheduled notifications.
(see "Data Delivery via Notfications" in snmpd.conf)
- Many time-based config options can take (m)ins, (h)ours, ... arguments
(see the snmpd.conf manual page)
- The PING and TRACEROUTE MIBs now compile and work-ish on linux
http://www.net-snmp.org/wiki/index.php/DISMAN
- Mib handlers can now implement a data_clone function for
cloning the myvoid structure variable to avoid dangling pointers
- Fixed persistent storage of VACM MIB configuration
- Multi-homed agents send UDP responses from the proper IP address
- The hrStorageTable implementation now supports large filesystems better
- optimizations for large route tables
- Added a deliveryByNotify config token for regular data delivery
(see the snmpd.conf manual page and the NET-SNMP-PERIODIC-NOTIFY-MIB)
- [PATCH 3141462]: fix agentx subagent issues with multiple-object requests
- [PATCH 3057093]: linux uses libpci for creating useful ifDescr strings
- [PATCH 3131397]: huge speedups of the TCP/UDP Tables
libnetsnmp:
- Removed the older CMU compatibility support
- The SSH transport is now configurable
TLS/DTLS support:
- The SNMP over DTLS transport now properly supports IPv6
- Introduced new configuration tokens: localCert/peerCert
(deprecating serverCert, clientCert, defX509ServerPub, defX509ClientPub)
- Various fixes for the TLS/DTLS transports
apps:
- Added a per-variable timed output support to snmpwalk using -CT
- snmpinform now correctly uses the local engineID for informs
- A number of mib2c bug fixes
- New snmp.conf tokens for timeouts and retries
building:
- New flags to reduce the amount of compiled code to bare minimums.
This is provided by a new generic feature marking/selection mechanism.
http://www.net-snmp.org/wiki/index.php/Feature_Marking_and_Selection
- It's now possible to build without SNMPv3/USM
(e.g., if you only want TLS/DTLS with SNMPv3/TSM)
- It's possible to build the suite with no SET support
configure using --enable-read-only
- It's possible to build the agent as a notify-only agent
configure using --enable-notify-only
- Added a script to test memory usage with various config options
(see the local/minimalist/sizetests script)
- Net-SNMP can now be built to perform local DNSSEC validation
(install DNSSEC-Tools' libval and use --with-local-dnssec-validation)
testing:
- a number of new API unit-tests have been added to the suite
(to run the tests: cd testing && ./RUNFULLTESTS -g unit-tests)
- The unit tests can be more easily run under valgrind
(See http://bit.ly/jsgRnv for details)
openbsd:
- Support for updating the routing table via SNMP
win32:
- The testing suite works better under win32 environments
- Many building fixes for the win32 environment(s)
solaris:
- Net-SNMP now supports the SCTP-MIB
DragonFlyBSD, FreeBSD8:
- Net-SNMP should now work on DragonFlyBSD and FreeBSD8
And of course:
- Many other bug fixes. See the CHANGES and ChangeLog for details.
* OID Typedef Bug Fix: The oid typedef was changed in 5.6.1 to an u_int32 from
a u_long. This broke binary compatibility and likely 3rd-party code. 5.6.1.1
reverts this change and fixes an underlying OID printing problem in two agent
modules that caused someone to change the typedef in the first place.
Changes 5.6.1:
* General:
- The DTLS and TLS transports and the TSM security model are no
longer "beta" (they've undergone rigorous interoperability testing).
- Many Bug Fixes (see the CHANGES and ChangeLog files for full details)
* snmpd:
- 0 Patch 3141462: from fenner: fix agentx subagent issues with
multiple-object requests
- Patch from Niels to fix VACM persistant storage.
Changes 5.6:
* all:
- Implemented the SNMP over TLS and SNMP over DTLS protocols [RFC-to-be]
- Implemented the "Transport Security Model" [RFC5591]
- Generic host-specific configuration .conf files are now read.
- Include statements can now be used in .conf files.
* snmpd:
- Fix handling of multiple matching VACM entries. (Use the "best"
match, rather than the first one). Reported by Adam Lewis. Note
that this could potentially affect the behaviour of existing access
control configurations.
- Agent will no longer call table handlers if a set request for the
handler has invalid indexes
- table_data/tdata next handler will not be called during get
processing if no valid rows are found for the handler
- [PATCH 2952708]: Added Perl implementation of BRIDGE-MIB
- moved all functions defined in libnetsnmphelpers to
libnetsnmpagent. libnetsnmphelpers is now an empty library.
- Implemented the TSM-MIB and the TLSTM-MIB
- new API for indicating that persistent store needs to be saved
after the current request finishes processing
- [PATCH 2931446]: make the load averages writable.
* apps:
- A new tool 'net-snmp-cert' that easily creates and manages
X.509 certificates for use with the SNMP over (D)TLS protocols.
- Added an 'agentxtrap' command to send notifications via AgentX
- -T command line flag can be used to pass configuration
directly to transports that can accept configuration tokens
- A new 'snmptls' command for manipulating the agent's TLS configuration
* snmplib:
- A more modular transport subsystem that allows third party
extensions and dependencies for code reuse.
- New transport functions: f_config, f_open, f_copy and f_setup_session
- Transports can now specify session defaults
- [PATCH 2942940]: Add a new function, netsnmp_parse_args, that is
like snmp_parse_args but takes an additional bitmask, flags, to
affect the behaviour. Also remove the magic handling of some
application names.
- A new X.509 certificate API for indexing and reading certificates
- new experimental row creation API which uses a state machine
to try really hard to create a row from a given varbind list
- netsnmp_container enhancements:
- added a free_item function
- added a CONTAINER_FREE_ALL macro/function
- added an interface for duplicating a container (CONTAINER_DUP)
- added a remove function to container_iterators
- added an ability to set options on binary_array containers
- new snmp token logOption allows specifying log destinations
via configuration conf files
- A very significant reduction in compiler warning output
- new experimental simple state machine handling API
Previous patch for NetBSD wasn't really for netbsd4 but 4.99.58 and later.
So, I changed "#ifdef netbsd4" to "#ifdef NETBSD_STATS_VIA_SYSCTL" and
clean up patches. Should be fix PR pkg/43288.
It is fix of build problem only, so no PKG_REVISION bump.
to trigger/signal a rebuild for the transition 5.10.1 -> 5.12.1.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=..."), minus the packages updated after
the perl package update.
sno@ was right after all, obache@ kindly asked and he@ led the
way. Thanks!
snmpd:
- Change default AgentX target from 0.0.0.0:705 to localhost:705
- Fix CVE-2008-4309 (GETBULK issue reported by Oscar Mira-Sanchez)
- Fix handling of multiple matching VACM entries
(Use the "best" match, rather than the first one).
Note that this could potentially affect the behaviour of
existing access control configurations.
- Latch large-disk statistics at 2Tb (rather than wrapping)
Linux:
- Fix build on modern distributions (using rpm-4.6)
Windows:
- Fix various builds (recent MSVC, MinGW, IPv6, winExtDLL)
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
a tv_nsec field measured in nanoseconds), while other systems
define it as struct timeval (with a tv_usec field measured in
microseconds). Add a configure test and conditional code in
agent/mibgroup/mibII/interfaces.c.orig. This should fix PR 40990.
Bump PKGREVISION to 2.
to trigger/signal a rebuild for the transition 5.8.8 -> 5.10.0.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=...").
* An increment only in the version number that was failing to be
reported properly by the tools.
Changes 5.4.1.1:
* SECURITY BUG: A portion of SNMPv3 code had significantly weakened
authentication cryptography and unauthenticated access to a system
is a possibility.
* It is critical that all users update their installations bases
IMMEDIATELY.
* If you were only using SNMPv1 or SNMPv2c you were already insecure
beyond a level that this vulnerability affects.
fix (and error checking) on
agent/mibgroup/hardware/memory/memory_netbsd.c:netsnmp_mem_arch_load()
via new patch file patch-ah as the one applied on
agent/mibgroup/ucd-snmp/memory_netbsd1.c:var_extensible_mem() by
patch file patch-es. Sorry I missed this in november 2006...
Bump PKGREVISION to 1.
snmplib:
- [BUG 1619827]: link libraries against needed external libraries
- [PATCH 1616912]: fix memory leak in UDP transport code
- [PATCH 1592706]: fix memory leak when cloning varbinds
- Change snmp_sess_add_ex to consistently close and delete the
transport argument on failure, earlier the liveness of the
transport argument was undecided.
snmpd:
- [BUG 1558823]: fix ipAddressTable memory leak
- [BUG 1596638]: fix memory leak in ipCidrRouteTable, inetCidrRouteTable
- [BUG 1611524]: fix tcp connection table file descriptor leak
- handle row deletion issues in dataset tables
- [BUG 1712988]: default and configurable maximum number of
varbinds returnable to a GETBULK request.
- [PATCH 1666737]: include ipv6 counts in
udpInDatagrams, udpNoPorts, udpInErrors, udpOutDatagrams
- [PATCH 1700157]: fixes ordering of exec tokens in the resulting mib tree
- [PATCH 1719253]: fix skipNFSInHostResources so it does not break on the
second walk of the table.
perl:
- link Perl modules against the exact set of libraries needed
- [BUG 1619827]: properly link against libperl when configured with --enable-as-needed
- [PATCH 1725049]: fix bulkwalk in cases of non-repeater
python:
- [PATCH 1716114]: Let python build in the Net-SNMP source tree
MacOSX:
- [PATCH 1600522]: CPU Hardware Abstraction Layer (HAL)
implementation for mach/darwin
- IF-MIB rewrite now enabled by default
Win32:
- fix AES support
- [PATCH 1706344]: fix compilation with cygwin
IRIX:
- [PATCH 1709748]: Optimized IRIX cpu stats
AIX:
- Fix default shared library building instead of forcing static use
FreeBSD:
- [BUG 1633483]: Support CPU HAL on FreeBSD4.x
net/route.h needs to be included before netinet6/in6_pcb.h.h and
net/if.h needs to be included before netinet6/in6_var.h.
While here add a patch file on the source of the configure script
which IMHO should have been added earlier.
Bump PKGREVISION to 1.
Note: I supposed the libdes related hunk in patches/patch-af had
been generated by an older than 2.59 autoconf script and carried
over from one net-snmp version update to the next. This would
explain the slight differences about this hunk between the revision
I'm committing and the previous one.
- The default configuration now enables embedded Perl and the Perl
modules by default when possible unless explicitly disabled. You
may use the --disable-embedded-perl and --without-perl-modules
configure options, respectively, to revert to the former default
configuration.
While here check for sysctl() return value.
Now snmpd on NetBSD/sparc64 should report more meaningful values
for OIDs like UCD-SNMP-MIB::memAvailReal.0.
Bump PKGREVISION.
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
