From nobody Sun Sep 17 15:30:02 2023
Date: Sun, 17 Sep 2023 15:30:02 GMT
Message-Id: <202309171530.38HFU2O2009088@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Robert Clausecker Subject: git: 6db214401ef3 - main - security/vuxml: document routinator vulnerabilities List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: fuz X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 6db214401ef3ad0f69259559e8a8fa7e1aa37c8a Auto-Submitted: auto-generated The branch main has been updated by fuz: URL: https://cgit.FreeBSD.org/ports/commit/?id=6db214401ef3ad0f69259559e8a8fa7e1aa37c8a commit 6db214401ef3ad0f69259559e8a8fa7e1aa37c8a Author: Robert Clausecker AuthorDate: 2023-09-16 04:52:45 +0000 Commit: Robert Clausecker CommitDate: 2023-09-17 15:26:40 +0000 security/vuxml: document routinator vulnerabilities Obtained from: https://nlnetlabs.nl/news/2023/Sep/13/routinator-0.12.2-released/ --- security/vuxml/vuln/2023.xml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 25773c90c5a5..384565e9afc7 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,42 @@ + + routinator -- multiple vulnerabilities + + + routinator + 0.12.2 + + + + +

NLnet Labs report:

+
+

This release fixes two issues in Routinator that can be exploited + remotely by rogue RPKI CAs and repositories. We therefore advise all + users of Routinator to upgrade to this release at their earliest + convenience.

+

The first issue, CVE-2022-39915, can lead to Routinator crashing + when trying to decode certain illegal RPKI objects.

+

The second issue, CVE-2022-39916, only affects users that have the + rrdp-keep-responses option enabled which allows storing all received + RRDP responses on disk. Because the file name for these responses is + derived from the URI and the path wasn't checked properly, a RRDP URI + could be constructed that results in the response stored outside the + directory, possibly overwriting existing files.

+
+ +
+ + CVE-2022-39915 + https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt + CVE-2022-39916 + https://nlnetlabs.nl/downloads/routinator/CVE-2023-39916.txt + + + 2022-12-08 + 2023-09-16 + +
+ curl -- HTTP headers eat all memory
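Review bot: the CVE identifiers in this entry are internally inconsistent and should be resolved before the entry ships, because `pkg audit` and downstream scanners key on the cvename values. The two cvename lines read CVE-2022-39915 and CVE-2022-39916, and the quoted advisory paragraphs use the same 2022 numbers, but the URLs sitting directly beside them point at CVE-2023-39915.txt and CVE-2023-39916.txt, and the "Obtained from" announcement is dated 2023/Sep/13 for Routinator 0.12.2. Everything except the cvename values and the quoted text points to 2023 identifiers, so the likely fix is to change both cvename lines (and the identifiers in the quoted paragraphs, if the quotation was transcribed rather than copied) to CVE-2023-39915 and CVE-2023-39916, after confirming against the linked advisory files. The discovery date 2022-12-08 deserves the same check: it predates the release announcement by nine months and sits oddly next to a 2023-09-16 entry date, which suggests it was carried over from the wrong year as well.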