Add (D)TLS support by default to snmpd

Bug #1880724 reported by Chaitanya T K
Affects              Status         Importance   Assigned to             Milestone
net-snmp (Debian)    Fix Released   Unknown
net-snmp (Ubuntu)    Fix Released   Low          Sergio Durigan Junior
  Focal              Won't Fix      Undecided    Unassigned
  Groovy             Fix Released   Low          Sergio Durigan Junior

Bug Description

The default configure options for SNMPd have openssl enabled but don't support (D)TLS, which is essential to have authPriv support in SNMPv3. For this we have to compile the package ourselves, only changing the configure option, which is a pain. As OpenSSL is already enabled, I don't see any reason not to enable (D)TLS by default.

Observed in 18.04 (probably true in 20.04 too; I don't see any change in Ubuntu's git mirror of net-snmp).

Tags: server-next

Chaitanya T K (chaitanya-mgit) wrote :

Ah, sorry, the default version might not have openssl enabled; I was looking at my changed version, and I had to patch net-snmp to support OpenSSL 1.1.0.

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

I think it's unlikely that we would make this change in Ubuntu without the support of Debian or upstream. Given that you had to patch net-snmp to support OpenSSL 1.1.0, any chance you could get that patch upstreamed (if it isn't already) so that Debian might be able to make this change, and then Ubuntu could pick it up in the future?

tags: added: needs-upstream-report
Changed in net-snmp (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Robie Basak (racb) wrote :

(there's also the question of licensing - are net-snmp and its reverse dependencies definitely compatible with OpenSSL's license such that distributions are permitted to redistribute it linked against OpenSSL?)

Chaitanya T K (chaitanya-mgit) wrote :

Thanks. I have lifted the openssl patch from https://src.fedoraproject.org/rpms/net-snmp/blob/e4d5ceb957a64d6994629f84901d9f76d2ffed9b/f/net-snmp-5.7.3-openssl.patch, so it's not my place to upstream it.

And as per https://www.openssl.org/source/license.html it seems like a free license at least for 1.X.Y versions.

Chaitanya T K (chaitanya-mgit) wrote :

And the patch is for the 5.7.3 version, but if you switch to the latest version it supports openssl OOB; you just need to pass the DTLS/TLS and TSM options to configure, no need for any extra patches.

And to confirm net-snmp already links with openssl, see https://git.launchpad.net/ubuntu/+source/net-snmp/tree/debian/rules?h=ubuntu/bionic-devel#n48

Paride Legovini (paride) wrote :

Hi Chaitanya,

Ubuntu Focal and Groovy (the current devel version) have net-snmp 5.8, so if I'm not mistaken enabling DTLS can be done by passing a couple of options to the configure script, without patching. In this case I think there are two fronts we can work on:

1. For the next Ubuntu releases (>= Groovy) support for DTLS should ideally be enabled in Debian, and later picked up by Ubuntu when syncing the package. This will streamline the package maintenance on the Ubuntu side and benefit Debian too. I can't find a Debian bug about the lack of DTLS support in the Debian bug tracker [1]. @Chaitanya: do you think you can report a bug against the Debian package and link it here?

2. For Focal: technically we could enable the configure flags and update the package following the SRU procedure [2], but even if it would be a no-patch SRU the implications of it have to be carefully considered, weighing the regression potential. Some more discussion is needed.

[1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=net-snmp
[2] https://wiki.ubuntu.com/StableReleaseUpdates
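As an added illustration (not from the bug report or the net-snmp project), the shell snippet below contrasts an OpenSSL-only configure line with one that enables the DTLS/TLS transports and the TSM security model discussed in this thread, and adds a check a packager can run against "snmpd -H" output to confirm the TLS directives are compiled in. It assumes net-snmp's --with-transports and --with-security-modules configure options and that "snmpd -H" lists the directives the daemon understands; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of net-snmp itself.
# Assumptions: --with-transports / --with-security-modules are net-snmp
# configure options, and "snmpd -H" prints the directives the daemon knows.

# OpenSSL-only build: USM gets its ciphers, but no (D)TLS transports.
snmp_configure_default() {
    printf '%s\n' './configure --with-openssl'
}

# Build with DTLS over UDP, TLS over TCP and the TSM security model,
# i.e. what the thread says is needed instead of patching the source.
snmp_configure_tls() {
    printf '%s\n' './configure --with-openssl --with-transports="DTLSUDP TLSTCP" --with-security-modules="tsm"'
}

# Return 0 when "snmpd -H" output (passed as $1) mentions TLS-only
# directives; these only exist when the TLS transports were compiled in.
has_tls_directives() {
    printf '%s\n' "$1" | grep -Eq '(^|[^A-Za-z])(localCert|certSecName)([^A-Za-z]|$)'
}

# Constructed sample outputs, approximating the "snmpd -H" layout.
SAMPLE_NO_TLS='Configuration directives understood:
  In snmpd.conf and snmpd.local.conf:
    rocommunity   community [default|hostname|network/bits] [oid]
    createUser    username (MD5|SHA) authpassphrase [DES|AES] [privpassphrase]'

SAMPLE_TLS="$SAMPLE_NO_TLS
  In snmp.conf and snmp.local.conf:
    localCert     name of certificate to use for the local side
    certSecName   PRIORITY FINGERPRINT OPTIONS"

# Live check on an installed daemon (uncomment on a host with snmpd):
# has_tls_directives "$(snmpd -H 2>&1)" && echo 'snmpd has (D)TLS support'
```

Run the live check after installing the rebuilt package; a daemon without the transports never registers the localCert/certSecName directives, so the grep fails closed.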

Changed in net-snmp (Ubuntu):
importance: Wishlist → Low
tags: added: server-triage-discuss
removed: needs-upstream-report
Paride Legovini (paride)
tags: removed: server-triage-discuss
Changed in net-snmp (Ubuntu):
importance: Low → Wishlist
Changed in net-snmp (Ubuntu Focal):
status: New → Won't Fix
Paride Legovini (paride) wrote :

@Chaitanya I briefly discussed the issue with the team. Enabling new features is normally out of the scope of SRU upgrades, which have a well defined policy [1], so it is unlikely that we're going to enable DTLS in Focal, as there isn't a very compelling reason to do so. As I deem the SRU unlikely I marked the Focal task as "Won't Fix".

The Groovy task remains open, but we believe that the right way forward here is to enable the feature in Debian.

[1] https://wiki.ubuntu.com/StableReleaseUpdates

Chaitanya T K (chaitanya-mgit) wrote :

Thanks Paride, I understand this isn't urgent enough to make it to SRU.

I don't have access to a Debian system, so I just submitted a bug report (wishlist) via e-mail. I don't see it reflected in the link you shared, but it should be with the Debian folks now; I will paste a link once I have access to it.

Chaitanya T K (chaitanya-mgit) wrote :

Fixed in Debian version 5.8+dfsg-3 (see above bug for details)

Christian Ehrhardt  (paelzer) wrote :

Thank you, this needs a merge now. Adding the server-next tag.

tags: added: server-next
Sergio Durigan Junior (sergiodj) wrote :

I'm taking care of the net-snmp merge.

Changed in net-snmp (Ubuntu Groovy):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Paride Legovini (paride)
no longer affects: netsnmp
Changed in net-snmp (Ubuntu Groovy):
importance: Wishlist → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package net-snmp - 5.8+dfsg-5ubuntu1

---------------
net-snmp (5.8+dfsg-5ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable (LP: #1880724). Remaining changes:
    - Add apport hook:
      + d/control: add dh-apport to Build-Depends
      + d/rules: install the apport hook via debhelper
      + d/source.apport: apport hook
    - d/p/Link-libnetsnmptrapd-against-MYSQL_LIBS.patch:
      Link libnetsnmptrapd against MYSQL_LIBS. Thanks to Adam
      Williamson <email address hidden>.
      (Closes #886221, LP #1814254)
    - Fix build with mysql-8 (LP #1814270):
      + d/p/mysql8-replace-bool.patch: newer mysql dropped my_bool, use
        char instead.
    - Skip autofs entries when calling statfs to prevent autofs
      being mounted on snmpd startup (LP #1835818):
      + d/p/autofs-fix-a-recently-introduced-bug.patch
      + d/p/autofs-skip-autofs-entries.patch
    - d/p/fix-check-hr-filesys-autofs.patch:
      + On Linux getmntent() is available but getfsstat() not.
        Hence remove #if HAVE_GETFSSTAT from around the HRFS_type
        check.
  * Dropped changes, incorporated by Debian:
    - d/p/lp1871307-log-once-proc-net-if_inet6-failure.patch (LP #1871307):
      + MIB-II: Only log once that opening /proc/net/if_inet6 failed
    - SECURITY UPDATE: Fix segmentation fault that happens when using the
      snmpv3 protocol with snmpbulkget. (LP #1877027)
      + d/p/move-securityStateRef-into-free_securityStateRef.patch:
        Consolidate the check of the securityStateRef pointer into the
        free_securityStateRef function.
      + d/p/prevent-snmpv3-bulkget-errors-double-free.patch:
        Prevent snmpv3 bulkget errors from resulting in a
        double free.
      + d/p/fix-usmStateReference-free.patch:
        Fix typo on usm_free_usmStateReference from last patch.
      + d/p/unexport-struct-usmStateReference.patch:
        Unexport struct usmStateReference to prevent ABI breakages,
        since it will be necessary to add a reference count to it.
      + d/p/introduce-refcount-usmStateReference.patch:
        Introduce refcount in the struct usmStateReference, and adjust
        code to properly use the field.
      + CVE-2019-20892

 -- Sergio Durigan Junior <email address hidden> Thu, 06 Aug 2020 11:42:13 -0400

Changed in net-snmp (Ubuntu Groovy):
status: Triaged → Fix Released
Changed in net-snmp (Debian):
status: Unknown → Fix Released