[Bug 273826] net/routinator: Update to 0.12.2

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 273826] net/routinator: Update to 0.12.2"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 15 Sep 2023 12:21:08 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273826

            Bug ID: 273826
           Summary: net/routinator: Update to 0.12.2
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://nlnetlabs.nl/news/2023/Sep/13/routinator-0.12.
                    2-released/
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: jaap@NLnetLabs.nl
 Attachment #244885 maintainer-approval+
             Flags:

Created attachment 244885
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=244885&action=edit
Patch to upgrade

Routinator 0.12.2 ‘Brutti, sporchi e cattivi’ 

This release fixes two issues in Routinator that can be exploited remotely by
rogue RPKI CAs and repositories. We therefore advise all users of Routinator to
upgrade to this release at their earliest convenience.

The first issue, CVE-2022-39915, can lead to Routinator crashing when trying to
decode certain illegal RPKI objects.

The second issue, CVE-2022-39916, only affects users that have the
rrdp-keep-responses option enabled which allows storing all received RRDP
responses on disk. Because the file name for these responses is derived from
the URI and the path wasn’t checked properly, a RRDP URI could be constructed
that results in the response stored outside the directory, possibly overwriting
existing files.

We would like to thank Haya Shulman, Donika Mirdita and Niklas Vogel for
discovering and reporting these issues.

-- 
You are receiving this mail because:
You are the assignee for the bug.