Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1907866

Summary: SNMPv3 failure: security service 3 error parsing ScopedPDU
Product: Red Hat Enterprise Linux 8 Reporter: Graham Leggett <minfrin>
Component: net-snmpAssignee: Josef Ridky <jridky>
Status: CLOSED NOTABUG QA Contact: CS System Management SST QE <rhel-cs-system-management-subsystem-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.6Flags: pm-rhel: mirror+
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-27 14:02:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Graham Leggett 2020-12-15 11:59:35 UTC
Description of problem:

After configuring net-snmp to accept an authenticated and encrypted request from the same host over SNMPv3, the connection fails with the message "security service 3 error parsing ScopedPDU".

Version-Release number of selected component (if applicable):

net-snmp-5.8-17.el8.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Configure /etc/snmp/snmpd.conf as follows:

syslocation Somewhere
syscontact postmaster

dontLogTCPWrappersConnects yes
agentaddress udp:161,udp6:161

includeAllDisks 10%

engineID host.example.com
rouser -s usm user1
rouser -s usm user2

2. Create users in /var/lib/net-snmp/snmpd.conf

createUser "user1" "SHA256" "password" "AES256" "password"
createUser "user2" "SHA256" "password" "AES256" "password"

3. Create client side config in /etc/snmp/snmp.conf

defversion  3
defsecurityname  user1
defsecuritylevel  authPriv
defauthtype  SHA256
defauthpassphrase  password
defprivtype  AES256
defprivpassphrase  password

4. Run snmpwalk host.example.com

Actual results:

[root@host ~]# snmpwalk host.example.com
security service 3 error parsing ScopedPDU
security service 3 error parsing ScopedPDU
security service 3 error parsing ScopedPDU
security service 3 error parsing ScopedPDU
security service 3 error parsing ScopedPDU
security service 3 error parsing ScopedPDU
snmpwalk: Timeout (error parsing PDU

Expected results:

A successful connection.

Additional info:

Changing the encryption protocol from DES to AES to AES256 makes no difference, all options are broken.

Recompiling the net-snmp SRPM using the net-snmp 5.9 release along with these modifications to the spec file below make no effect.

It is possible that some changes to net-snmp depedencies like openssl have broken snmpv3, and this hasn't been picked up.

Changes to spec file to make v5.9 build:

[minfrin@localhost SPECS]$ diff -u net-snmp.spec net-snmp-5.9.spec 
--- net-snmp.spec	2020-08-11 10:33:04.000000000 +0100
+++ net-snmp-5.9.spec	2020-12-15 11:22:13.684807377 +0000
@@ -1,15 +1,15 @@
 # use nestnmp_check 0 to speed up packaging by disabling 'make test'
-%{!?netsnmp_check: %global netsnmp_check 1}
+%{!?netsnmp_check: %global netsnmp_check 0}
 
 # Arches on which we need to prevent arch conflicts on net-snmp-config.h
 %global multilib_arches %{ix86} ia64 ppc ppc64 s390 s390x x86_64 sparc sparcv9 sparc64 aarch64
 
 # actual soname version
-%global soname  35
+%global soname  40
 
 Summary:    A collection of SNMP protocol tools and libraries
 Name:       net-snmp
-Version:    5.8
+Version:    5.9
 Release:    17%{?dist}
 Epoch:      1
 
@@ -179,38 +179,38 @@
 rm -r python
 
 %ifnarch ia64
-%patch1 -p1 -b .pie
+#%patch1 -p1 -b .pie
 %endif
 
-%patch2 -p1 -b .dir-fix
+#%patch2 -p1 -b .dir-fix
 %patch3 -p1 -b .multilib
-%patch4 -p1
-%patch5 -p1 -b .autoreconf
-%patch6 -p1 -b .agentx-disconnect-crash
+#%patch4 -p1
+#%patch5 -p1 -b .autoreconf
+#%patch6 -p1 -b .agentx-disconnect-crash
 %patch7 -p1 -b .cert-path
-%patch8 -p1 -b .cflags
+#%patch8 -p1 -b .cflags
 %patch9 -p1 -b .u64-remove
-%patch10 -p1 -b .perlfix
+#%patch10 -p1 -b .perlfix
 %patch11 -p1 -b .iterator-fix
-%patch12 -p1 -b .autofs-skip
+#%patch12 -p1 -b .autofs-skip
 %patch13 -p1 -b .usage-fix
-%patch14 -p1 -b .coverity
-%patch15 -p1 -b .ipv6-clientaddr
-%patch16 -p1 -b .agent-of-death
-%patch17 -p1 -b .trapsink
-%patch18 -p1 -b .flood-messages
-%patch19 -p1 -b .v3-forward
-%patch20 -p1 -b .sec-counter
+#%patch14 -p1 -b .coverity
+#%patch15 -p1 -b .ipv6-clientaddr
+#%patch16 -p1 -b .agent-of-death
+#%patch17 -p1 -b .trapsink
+#%patch18 -p1 -b .flood-messages
+#%patch19 -p1 -b .v3-forward
+#%patch20 -p1 -b .sec-counter
 %patch21 -p1 -b .proxy-getnext
-%patch22 -p1 -b .dskTable-dynamic
+#%patch22 -p1 -b .dskTable-dynamic
 %patch23 -p1 -b .expand-SNMPCONFPATH
 %patch24 -p1 -b .duplicate-ipAddress
-%patch25 -p1 -b .memory-reporting
+#%patch25 -p1 -b .memory-reporting
 %patch26 -p1 -b .man-page
 %patch27 -p1 -b .ipAddress-faster-load
 %patch28 -p1 -b .rpm-memory-leak
-%patch29 -p1 -b .sec-memory-leak
-%patch30 -p1 -b .aes-config
+#%patch29 -p1 -b .sec-memory-leak
+#%patch30 -p1 -b .aes-config
 
 %patch101 -p1 -b .modern-rpm-api
 
@@ -419,6 +419,8 @@
 
 %files devel
 %{_libdir}/lib*.so
+%{_libdir}/pkgconfig/netsnmp-agent.pc
+%{_libdir}/pkgconfig/netsnmp.pc
 /usr/include/*
 %attr(0644,root,root) %{_mandir}/man3/*.3.*
 %attr(0755,root,root) %{_bindir}/net-snmp-config*

Comment 1 Josef Ridky 2021-07-27 14:02:10 UTC
Tested on RHEL-8 with net-snmp-5.8-22 and on RHEL-9 and this issue is not present. Closing as NOTABUG.