[oe-commits] [meta-openembedded] 06/06: net-snmp: update default community string
git at git.openembedded.org
Wed Dec 18 02:49:41 UTC 2019
This is an automated email from the git hooks/post-receive script.
khem pushed a commit to branch master-next
in repository meta-openembedded.
commit 4d676768f055d657b7d7d9b65032b148cc9de44e
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
AuthorDate: Tue Dec 17 20:11:13 2019 -0500
net-snmp: update default community string
snmpd.conf, by default, lists the string "public" as the community string. As
a consequence, any build incorporating net-snmp implicitly enables a
vulnerability (CVE-1999-0517) where an attacker could obtain information about
(and potential control of) the device and its network. This issue is picked up
by common security scan tools, and given the age of the vulnerability, some
minimum mitigation steps should be taken. While the conf file itself
recommends setting the community string to a value known only within the
user's organization, changing this string's default value for Yocto builds is
a minimum step to help mitigate this issue. Superior solutions that can be
implemented by the end developer/user include replacing the default community
string with a complex string unique to the network and/or filtering
UDP packets on the appropriate ports.
There's no formal fix for the above CVE, so I've avoided labeling this as if
it were a CVE fix. Also note that if you want to test this to check the change,
net-snmp-server needs to be included in the build (not just net-snmp).
More info can be found at https://www.tenable.com/plugins/nessus/41028.
Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
---
meta-networking/recipes-protocols/net-snmp/files/snmpd.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf b/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf
index 728171c..5a5c40b 100644
--- a/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf
+++ b/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf
@@ -58,7 +58,7 @@
# from):
# sec.name source community
-com2sec paranoid default public
+com2sec paranoid default yocto-snmp-community
#com2sec readonly default public
#com2sec readwrite default private
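Review bot: the replacement value on the `+com2sec paranoid default yocto-snmp-community` line is itself a fixed string published in this repository, so every image built from this recipe shares the same community, and the source column is still `default` (any address). Suggest adding a comment directly above that line in snmpd.conf telling integrators to override the string per deployment and, where possible, to narrow the source to a management subnet. The commented `readonly` and `readwrite` examples just below still carry `public` and `private`, so anyone who uncomments them gets the well-known strings back; consider changing those placeholders too.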
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.