[oe-commits] [meta-openembedded] 06/06: net-snmp: update default community string

git at git.openembedded.org git at git.openembedded.org
Wed Dec 18 02:49:41 UTC 2019


This is an automated email from the git hooks/post-receive script.

khem pushed a commit to branch master-next
in repository meta-openembedded.

commit 4d676768f055d657b7d7d9b65032b148cc9de44e
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
AuthorDate: Tue Dec 17 20:11:13 2019 -0500

    net-snmp: update default community string
    
    snmpd.conf, by default, lists the string "public" as the community string. As
    a consequence, any build incorporating net-snmp implicitly enables a
    vulnerability (CVE-1999-0517) where an attacker could obtain information about
    (and potential control of) the device and its network. This issue is picked up
    by common security scan tools, and given the age of the vulnerability, some
    minimum mitigation steps should be taken. While the conf file itself
    recommends setting the community string to a value known only within the
    user's organization, changing this string's default value for Yocto builds is
    a minimum step to help mitigate this issue. Superior solutions that can be
    implemented by the end developer/user include replacing the default community
    string with a complex string unique to the network and/or filtering
    UDP packets on the appropriate ports.
    
    There's no formal fix for the above CVE, so I've avoided labeling this as if
    it were a CVE fix. Also note that if you want to test this to check the change,
    net-snmp-server needs to be included in the build (not just net-snmp).
    
    More info can be found at https://www.tenable.com/plugins/nessus/41028.
    
    Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
---
 meta-networking/recipes-protocols/net-snmp/files/snmpd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf b/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf
index 728171c..5a5c40b 100644
--- a/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf
+++ b/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf
@@ -58,7 +58,7 @@
 # from):
 
 #       sec.name  source          community
-com2sec paranoid  default         public
+com2sec paranoid  default         yocto-snmp-community
 #com2sec readonly  default         public
 #com2sec readwrite default         private
 
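Review bot: The replacement value on the `com2sec paranoid` line is still a single fixed string shared by every image built from this layer, and it is published in this repository, so it stops being any harder to guess than `public` once scan tools add it to their lists. Consider taking the community from a recipe variable that the integrator has to set, or shipping this line commented out so that it maps no community until one is configured. The source column also stays `default`, which in net-snmp matches requests from any address; narrowing it to localhost or a management subnet would limit exposure even when the string is known. The commented `readonly` and `readwrite` examples just below still carry `public` and `private`, so uncommenting them brings the scanner finding back; a comment there, or updated placeholder values, would help.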
