[Bug 260908] net/routinator: Update to 0.10.2

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 03 Jan 2022 14:06:41 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260908

            Bug ID: 260908
           Summary: net/routinator: Update to 0.10.2
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://www.nlnetlabs.nl/news/2021/Nov/09/routinator-0.10.2-released/
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: jaap@NLnetLabs.nl
 Attachment #230668 Flags: maintainer-approval+

Created attachment 230668
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=230668&action=edit
patch to upgrade

Routinator 0.10.1 ‘That's No Moon’ released

Other Changes
 * Extended UI with BGP and allocation data lookups. (#635, #648, #651)
 * The UI now lives in its own crate routinator-ui. (#635)


0.10.2 ‘Skuffet, men ikke overrasket’

This release is part of a Coordinated Vulnerability Disclosure for
vulnerabilities in RPKI relying party implementations conducted by
the University of Twente and the National Cyber Security Centre of
the Netherlands (NCSC-NL). It provides fixes for three issues,
CVE-2021-43172, CVE-2021-43173 and CVE-2021-43174, that allow
malicious RRDP repositories to either stall validation or cause
Routinator to run out of memory.

For more information on the issues, see the RPKI security advisories
at https://nlnetlabs.nl/projects/rpki/security-advisories. The full
list of changes in this release is available in the release notes
at https://github.com/NLnetLabs/routinator/releases/tag/v0.10.2

None of these fixes change Routinator's behaviour. All users are
encouraged to update to this version. Information about updating
can be found in the Routinator docs at
https://routinator.docs.nlnetlabs.nl/en/stable/installation.html#updating

Bug Fixes

The rrdp-timeout configuration setting now correctly limits the
maximum length an RRDP request can take. This prevents a possible
issue where an RRDP repository maliciously or erroneously delays a
request and subsequently a validation run. (#666, CVE-2021-43173)

New

The new configuration setting max-ca-depth limits the length of a chain
of CAs from a trust anchor. By default it is set to 32. This fixes
a possible vulnerability where a CA creates an infinite chain of
CAs. (#665, CVE-2021-43172)
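An added illustration of the depth bound described above, not code from Routinator or the port: a depth-first walk over constructed CA trees that refuses to descend past a configured limit. The `ta` trust anchor name, the depth counting convention and the `endless_chain`/`small_tree` helpers are all assumptions made for this example.

```rust
/// Default taken from the 0.10.2 release note: max-ca-depth = 32.
pub const DEFAULT_MAX_CA_DEPTH: usize = 32;

/// Walk the CA tree below trust anchor `ta`, depth-first, refusing to
/// descend past `max_depth` CAs. The trust anchor counts as depth 1; that
/// counting convention is an assumption here, not Routinator's. `children`
/// maps a CA to the child CAs its manifest lists (a closure, so an endless
/// chain can be modelled without building it). Returns the number of CAs
/// processed and the first CA that was cut off by the limit.
pub fn walk_cas<F>(ta: &str, max_depth: usize, children: &F) -> (usize, Option<String>)
where
    F: Fn(&str) -> Vec<String>,
{
    let mut stack: Vec<(String, usize)> = vec![(ta.to_string(), 1)];
    let mut processed = 0;
    let mut cut_off: Option<String> = None;
    while let Some((ca, depth)) = stack.pop() {
        if depth > max_depth {
            // Over the limit: skip this CA and its subtree, keep validating
            // the rest of the tree, and remember the first offender.
            cut_off.get_or_insert(ca);
            continue;
        }
        processed += 1;
        for child in children(&ca) {
            stack.push((child, depth + 1));
        }
    }
    (processed, cut_off)
}

/// Constructed CA that issues one more sub-CA forever, the shape of the
/// CVE-2021-43172 problem. Without a depth bound this walk never ends.
pub fn endless_chain(ca: &str) -> Vec<String> {
    vec![format!("{}/sub", ca)]
}

/// Constructed well-formed tree: TA -> two CAs -> one leaf CA each.
pub fn small_tree(ca: &str) -> Vec<String> {
    match ca {
        "ta" => vec!["ca-a".to_string(), "ca-b".to_string()],
        "ca-a" => vec!["ca-a-leaf".to_string()],
        "ca-b" => vec!["ca-b-leaf".to_string()],
        _ => Vec::new(),
    }
}

fn main() {
    println!("{:?}", walk_cas("ta", DEFAULT_MAX_CA_DEPTH, &endless_chain));
    println!("{:?}", walk_cas("ta", DEFAULT_MAX_CA_DEPTH, &small_tree));
}
```

With the default of 32 the endless chain is processed exactly 32 CAs deep and then abandoned, while the well-formed tree is validated in full.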

Other Changes

Support for the gzip transfer encoding for RRDP has been removed
because gzip in combination with XML provides multiple ways to delay
validation. The configuration setting rrdp-disable-gzip is now
deprecated and will be removed in the next breaking release. (#667,
CVE-2021-43174)
