[Bug 269050] net/krill: Update to version 0.12.1

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 19 Jan 2023 12:08:38 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269050

            Bug ID: 269050
           Summary: net/krill: Update to version 0.12.1
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://www.nlnetlabs.nl/news/2023/Jan/17/krill.0.12.1-released/
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: jaap@NLnetLabs.nl
 Attachment #239589 maintainer-approval+
             Flags:

Created attachment 239589
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239589&action=edit
patch to upgrade

Krill 0.12.1 'Safety Belts'.

This release introduces two fixes for the Krill Publication Server.
If you only use Krill as an RPKI Certificate Authority and publish
elsewhere, e.g. in an RPKI Publication Server provided by your RIR
or NIR, then there is no need to update to this release.

Firstly, this release fixes
[CVE-2023-0158](https://nlnetlabs.nl/downloads/routinator/CVE-2023-0158.txt).

This CVE describes an exposure where remote attackers could cause
Krill to crash if it is used as an RPKI Publication Server and if
its "/rrdp" endpoint is accessible over the public internet. Note
that servers are not affected if the advice in [our
documentation](https://krill.docs.nlnetlabs.nl/en/stable/publication-server.html#synchronise-repository-data)
was followed and a separate web server is used to serve the RRDP
data.

Secondly, locking was added in this release to ensure that updates
to the repository content are always applied sequentially. This
fixes a concurrency issue introduced in Krill 0.12.0 that could
result in rejecting an update from a publishing CA. In such cases
the affected update would not be visible to RPKI validators until
a later publication attempt was successful.

We advise that users upgrade to this version of Krill if they use
it as their RPKI Publication Server. We also continue to recommend
that a separate web server is used for serving the RRDP data.
