Patch-ID# 106872-18
Keywords: security acl DMI SNMP snmpdx mibiisa mib trap mibcodegen ifSpeed vge FDDI varbinds dmispd snmpXdmid
Synopsis: Solstice Enterprise Agent 1.0.3: SNMP.
Date: May/31/2002

Install Requirements: NA

Solaris Release: 2.6_x86

SunOS Release: 5.6_x86

Unbundled Product: Solstice Enterprise Agent

Unbundled Release: 1.0.3

Xref: See patch 106956-xx for SEA SDK

Topic:

Relevant Architectures: i386

BugId's fixed with this patch: 4144431 4166235 4171108 4172607 4176076
        4178419 4189025 4208419 4211850 4218931 4219323 4224859 4233051
        4237139 4256473 4268600 4270182 4283090 4320436 4323926 4330039
        4333417 4345574 4359519 4368330 4377219 4382247 4390382 4391717
        4402954 4412996 4414237 4451002 4452076 4563124 4639285 4639509
        4639515 4639581 4640211 4640230

Changes incorporated in this version: 4639285 4639509 4639581 4640230 4639515 4640211

Patches accumulated and obsoleted by this patch: 106874-02

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/usr/lib/dmi/dmispd
/usr/lib/dmi/snmpXdmid
/usr/lib/libdmi.so.1
/usr/lib/libdmici.so.1
/usr/lib/libdmimi.so.1
/usr/lib/libssagent.so.1
/usr/lib/libssagent.so.1
/usr/lib/libssasnmp.so.1
/usr/lib/libssasnmp.so.1
/usr/lib/snmp/mibiisa
/usr/lib/snmp/snmpdx
/usr/sbin/dmi_cmd
/usr/sbin/dmiget
/usr/sbin/snmp_trapsend
/var/snmp/mib/sun.mib

Problem Description:

4640230 SNMP relay agent has format/buffer overflow bugs
4640211 SNMP relay agent may spin pegging CPU
4639581 SNMP relay agent corrupts memory
4639285 mibiisa has a buffer overflow
4639509 mibiisa suffers a memory leak
4639515 snmp relay agent stops forwarding if mibiisa drops requests

(from 106872-17)

4563124 buffer overflow in snmpdx allows remote root compromise
4452076 ifOperStatus from SEA always gives 2 (ie. down) for virtual interfaces

(from 106872-15)

4451002 snmpXdmid still core dumps after fix for 4412996
4382247 sun.mib does not comply, this line sun-snmp DEFINITIONS ::= BEGIN needs SUN-SNMP
4412996 Buffer overflow in snmpXdmi allows remote root compromise
4414237 hardcoded security strings are clearly visible
4402954 ifspeed of logical I/F is mistaken.
4391717 snmp_trapsend command returns ambiguous status when exit() is done
4390382 snmp request from an unauthorized manager echos "End of MIB view"
4377219 fully qualified names choke when specified in acl lists
4368330 How to avoid the access of managers to agents?
4359519 Authentication trap occur only 6 counts
4330039 snmp_trapsend: -c option does not work
4283090 Subagent needs to start with a specific group id
4333417 varbinds with type TimeTicks are skipped
4323926 New fix for bug 4237139 get-next problem
4320436 Support ifOperstatus as a link status so state will change when cable is disconnected.
4270182 Send auth. trap from SEA agent queried with incorrect comm. string or from invalid manager.
4256473 Send only one trap.
4268600 Make mibii accessible by localhost only.
4237139 Allows get-next for tabular values to work correctly for snmpdx mib
4189025 Allows SEA SDK agents to have string table indices.
4218931 Allows SEA SDK agents to have trap variables that are tabular values.
4219323 Allows SEA SDK agents to report correct tag values in trap PDU.
4208419 Legacy agents like mibissa can have dots in community string names.
4233051 Mibiisa traps now contain correct source address in PDU.
4211850 Mibiisa correctly reports IfSpeed on vge (gigabyte) device.
4224859 Mibiisa correctly reports the MAC addr for FDDI devices.
4171108 Unable to use more than 3 indexes in a table.
4178419 mibiisa consumes available swap space.
4176076 snmpdx echos unnecessary messages to console
        Also: When manager read a non-existent variable, the error message
        will only be logged if snmpdx is started with the "-d" option.
4172607 agent deleted from agent table when queried with incorrect read string
4144431 mibissa consuming 50% plus of cpu.

(from 106874-02)

4166235 Files /var/dmi/db/1l.comp, /var/dmi/db/1l.tbl and /var/snmp/snmpdx.st are created 666 after install.
4176076 snmpdx echos unnecessary messages to console
        Also: When manager read a non-existent variable, the error message
        will only be logged if snmpdx is started with the "-d" option.
4345574 sea 1.0.3 w/patches gets 100% cpu when setting rlim_fd_cur=2048 rlim_fd_max=4096

Patch Installation Instructions:
--------------------------------

Refer to the Install.info file for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
Any other special or non-generic installation instructions should be
described below as special instructions.

Special Install Instructions:
-----------------------------

IMPORTANT: This patch is not compatible with SDK agents built prior to
patch 106956-03. These agents must be recompiled using mibcodegen from
patch 106956-03 or greater.

This patch is for SEA version 1.0.3.
See the SEA web page if you need to add the toolkit SDK (SUNWsasdk package):
http://www.sun.com/solstice/products/ent.agents

This patch modifies /etc/snmp/conf/snmpd.conf to include localhost as a
manager. This forces all queries to mib-2 to pass through snmpdx.

To specify a manager list for mibiisa you must create a mibiisa.acl and
specify the hostname. Mibiisa.rsrc must be modified to include the
location of the .acl file.

If managers are specified, snmpdx.acl must include the hostname of the
machine running snmpdx, and subagents built using mibcodegen must include
localhost in the manager list of their .acl.
eg: mibiisa.acl:

acl = {
        {
                communities = public, private
                access = read-write
                managers =
        }
}

eg: mibiisa.rsrc:

resource = {
        {
                security = "/etc/snmp/conf/mibiisa.acl"
                registration_file = "/etc/snmp/conf/mibiisa.reg"
                policy = "spawn"
                type = "legacy"
                command = "/usr/lib/snmp/mibiisa -p $PORT"
        }
}

To enable the authentication traps, create a trap slot for trap number 0
in snmpdx.acl and specify the hosts where traps should be sent:

eg: snmpdx.acl :

trap = {
        {
                trap-community = SNMP-trap
                hosts =
                {
                        enterprise = "sun"
                        trap-num = 0
                }
        }
}

README -- Last modified date: Friday, May 31, 2002
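
One way to check the manager-list and trap-slot rules from the Special Install Instructions before restarting snmpdx, as an added example that is not part of this README or of the SEA distribution. It assumes one setting per line with braces on their own lines, reads "if managers are specified" as applying to each .acl file separately, and uses constructed host names.

```python
import re

def parse_sea_acl(text):
    """Parse SEA .acl text into {'acl': [entry...], 'trap': [slot...]}.
    Assumes one 'key = value' per line and braces on their own lines."""
    out, section, depth, cur = {"acl": [], "trap": []}, None, 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # '#' starts a comment
        head = re.fullmatch(r"([\w-]+)\s*=\s*\{", line)
        if depth == 0 and head:                       # 'acl = {' or 'trap = {'
            section, depth = head.group(1), 1
        elif line == "{":
            depth += 1
            if depth == 2:                            # new acl entry / trap slot
                cur = {}
                out.setdefault(section, []).append(cur)
        elif line == "}":
            depth -= 1
        elif "=" in line and depth >= 2:              # nested blocks fold into slot
            key, _, val = line.partition("=")
            cur.setdefault(key.strip(), []).extend(
                v.strip().strip('"').lower() for v in val.split(",") if v.strip())
    return out

def covers_trap_zero(nums):
    """True if a trap-num list such as ['1', '0-3'] includes trap number 0."""
    spans = (n.partition("-") for n in nums)
    return any(int(lo) <= 0 <= int(hi or lo) for lo, _, hi in spans)

def audit(acl_text, required_host, need_auth_trap=False):
    """Return findings for one .acl file (an empty list means it passes)."""
    cfg, findings = parse_sea_acl(acl_text), []
    for entry in cfg["acl"]:
        mgrs = entry.get("managers", [])
        if mgrs and required_host.lower() not in mgrs:   # restricted list omits host
            findings.append(f"managers set without {required_host}")
    if need_auth_trap and not any(
            s.get("hosts") and covers_trap_zero(s.get("trap-num", []))
            for s in cfg["trap"]):
        findings.append("no trap slot for trap-num 0 with hosts")
    return findings

# Constructed sample: managers restricted, trap slot lacks trap-num 0.
SAMPLE = "\n".join([
    "acl = {", "{", "managers = nms1.example.com", "}", "}",
    "trap = {", "{", "hosts = nms1.example.com",
    "{", 'enterprise = "sun"', "trap-num = 1, 2-5", "}", "}", "}"])

if __name__ == "__main__":
    print(audit(SAMPLE, "localhost", need_auth_trap=True))
```

For snmpdx.acl, pass the hostname of the machine running snmpdx as required_host; for a subagent's .acl, pass localhost.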