Date: Fri, 7 Oct 2022 15:51:11 GMT From: =?utf-8?Q?Fernando=20Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 1db6001e2a6f - main - net/routinator: Add net/routinator CVE Message-ID: <202210071551.297FpBqk083738@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=1db6001e2a6f0733cea74b757c2a186b3fddae0a commit 1db6001e2a6f0733cea74b757c2a186b3fddae0a Author: Jaap Akkerhuis <jaap@NLnetLabs.nl> AuthorDate: 2022-10-07 15:45:00 +0000 Commit: Fernando Apesteguía <fernape@FreeBSD.org> CommitDate: 2022-10-07 15:45:00 +0000 net/routinator: Add net/routinator CVE Recent versions of Routinator contain a problem that causes Routinator to exit if it encounters invalid data in RRDP snapshot or delta files. Details: https://nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt PR: 266865 Reported by: jaap@NLnetLabs.nl --- security/vuxml/vuln-2022.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 691024abe7b2..831c3685b898 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,45 @@ + <vuln vid="e4133d8b-ab33-451a-bc68-3719de73d54a"> + <topic>routinator -- potential DOS attack</topic> + <affects> + <package> + <name>routinator</name> + <range><ge>0.9.0</ge><lt>0.11.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p> + Due to a mistake in error handling, data in RRDP snapshot and delta files + that isn’t correctly base 64 encoded is treated as a fatal error and causes + Routinator to exit. + + Worst case impact of this vulnerability is denial of service for the RPKI + data that Routinator provides to routers. This may stop your network from + validating route origins based on RPKI data. This vulnerability does not + allow an attacker to manipulate RPKI data. We are not aware of exploitation + of this vulnerability at this point in time. + + Starting with release 0.11.3, Routinator handles encoding errors by rejecting + the snapshot or delta file and continuing with validation. In case of an + invalid delta file, it will try using the snapshot instead. If a snapshot file + is invalid, the update of the repository will fail and an update through rsync + is attempted. + </p> + <blockquote cite="https://www.cvedetails.com/cve/CVE-2022-3029/">; + <p>.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-3029</cvename> + <url>https://nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt</url>; + </references> + <dates> + <discovery>2022-10-06</discovery> + <entry>2022-10-07</entry> + </dates> + </vuln> + <vuln vid="f4f15051-4574-11ed-81a1-080027881239"> <topic>Django -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202210071551.297FpBqk083738>