[Bug 260908] net/routinator: Update to 0.10.2
Date: Mon, 03 Jan 2022 14:06:41 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260908

            Bug ID: 260908
           Summary: net/routinator: Update to 0.10.2
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://www.nlnetlabs.nl/news/2021/Nov/09/routinator-0.10.2-released/
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: jaap@NLnetLabs.nl
        Attachment: #230668
             Flags: maintainer-approval+

Created attachment 230668
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=230668&action=edit
patch to upgrade Routinator

0.10.1 'That's No Moon' released

Other Changes

* Extended UI with BGP and allocation data lookups. (#635, #648, #651)
* The UI now lives in its own crate routinator-ui. (#635)

0.10.2 'Skuffet, men ikke overrasket'

This release is part of a Coordinated Vulnerability Disclosure for
vulnerabilities in RPKI relying party implementations conducted by the
University of Twente and the National Cyber Security Centre of the
Netherlands (NCSC-NL). It provides fixes for three issues, CVE-2021-43172,
CVE-2021-43173 and CVE-2021-43174, that allow malicious RRDP repositories to
either stall validation or cause Routinator to run out of memory.

For more information on the issues, see the RPKI security advisories at
https://nlnetlabs.nl/projects/rpki/security-advisories

The full list of changes in this release is available in the release notes at
https://github.com/NLnetLabs/routinator/releases/tag/v0.10.2

None of these fixes change Routinator's behaviour. All users are encouraged to
update to this version. Information about updating can be found in the
Routinator docs at
https://routinator.docs.nlnetlabs.nl/en/stable/installation.html#updating

Bug Fixes

* The rrdp-timeout configuration setting now correctly limits the maximum
  length an RRDP request can take. This prevents a possible issue where an
  RRDP repository maliciously or erroneously delays a request and subsequently
  a validation run. (#666, CVE-2021-43173)

New

* The new configuration setting max-ca-depth limits the length of a chain of
  CAs from a trust anchor. By default it is set to 32. This fixes a possible
  vulnerability where a CA creates an infinite chain of CAs.
  (#665, CVE-2021-43172)

Other Changes

* Support for the gzip transfer encoding for RRDP has been removed because
  gzip in combination with XML provides multiple ways to delay validation. The
  configuration setting rrdp-disable-gzip is now deprecated and will be
  removed in the next breaking release. (#667, CVE-2021-43174)

--
You are receiving this mail because:
You are the assignee for the bug.
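As an added illustration, and not part of this bug report or of the Routinator project's own files, the fragment below is a hypothetical routinator.conf (Routinator reads a TOML configuration file) that sets the two settings the 0.10.2 release notes name. The max-ca-depth value of 32 is the default stated in the notes; the rrdp-timeout value of 300 seconds is an assumed figure chosen for the example, not a value the notes give. The deprecated rrdp-disable-gzip key is deliberately left out.

```toml
# Hypothetical routinator.conf fragment (added example; not from the bug
# report or from the Routinator project). Key names are the settings the
# 0.10.2 release notes describe.

# Upper bound, in seconds, on how long one RRDP request may take. 0.10.2
# makes this limit effective against a repository that stalls a request
# (CVE-2021-43173). The value 300 is assumed for this example.
rrdp-timeout = 300

# Maximum length of a CA chain below a trust anchor, bounding the resource
# use an endlessly nested CA could otherwise cause (CVE-2021-43172). 32 is
# the default the release notes state; writing it out only documents intent.
max-ca-depth = 32

# Note: rrdp-disable-gzip is deprecated as of 0.10.2 because gzip support
# for RRDP was removed outright (CVE-2021-43174); do not add it to new
# configurations.
```

Because the notes say none of the fixes change Routinator's behaviour, an operator who upgrades without touching the configuration gets the same protection; the fragment is useful mainly for making the limits explicit and reviewable alongside other operational settings.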