Created attachment 239589 [details]
patch to upgrade Krill 0.12.1 'Safety Belts'

This release introduces two fixes for the Krill Publication Server. If you only use Krill as an RPKI Certificate Authority and publish elsewhere, e.g. in an RPKI Publication Server provided by your RIR or NIR, then there is no need to update to this release.

Firstly, this release fixes [CVE-2023-0158](https://nlnetlabs.nl/downloads/routinator/CVE-2023-0158.txt). This CVE describes an exposure where remote attackers could cause Krill to crash if it is used as an RPKI Publication Server and if its "/rrdp" endpoint is accessible over the public internet. Note that servers are not affected if the advice in [our documentation](https://krill.docs.nlnetlabs.nl/en/stable/publication-server.html#synchronise-repository-data) was followed and a separate web server is used to serve the RRDP data.

Secondly, locking was added in this release to ensure that updates to the repository content are always applied sequentially. This fixes a concurrency issue introduced in Krill 0.12.0 that could result in rejecting an update from a publishing CA. In such cases the affected update would not be visible for RPKI validators, until a later publication attempt would be successful.

We advise that users upgrade to this version of Krill if they use it as their RPKI Publication Server. We also continue to recommend that a separate web server is used for serving the RRDP data.
Note to self: VuXML entry
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bb104a8ee1912bb409408601e479658e5c9f0f60

commit bb104a8ee1912bb409408601e479658e5c9f0f60
Author: Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2023-01-21 17:10:44 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-23 13:17:33 +0000

net/krill: Update to 0.12.1

ChangeLog: https://www.nlnetlabs.nl/news/2023/Jan/17/krill.0.12.1-released/

Firstly, this release fixes [CVE-2023-0158](https://nlnetlabs.nl/downloads/routinator/CVE-2023-0158.txt)

Secondly, locking was added in this release to ensure that updates to the repository content are always applied sequentially. This fixes a concurrency issue introduced in Krill 0.12.0 that could result in rejecting an update from a publishing CA.

PR: 269050
Reported by: jaap@NLnetLabs.nl (maintainer)
MFH: 2023Q1 (security fix)
Security: CVE-2023-0158

net/krill/Makefile | 275 +---------------------------------------
net/krill/Makefile.crates (new) | 272 +++++++++++++++++++++++++++++++++++++++
net/krill/distinfo | 8 +-
3 files changed, 278 insertions(+), 277 deletions(-)
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=53a33b88798e029ce9134f58e2c176e2f6d469ab

commit 53a33b88798e029ce9134f58e2c176e2f6d469ab
Author: Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2023-01-21 17:10:44 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-23 13:19:09 +0000

net/krill: Update to 0.12.1

ChangeLog: https://www.nlnetlabs.nl/news/2023/Jan/17/krill.0.12.1-released/

Firstly, this release fixes [CVE-2023-0158](https://nlnetlabs.nl/downloads/routinator/CVE-2023-0158.txt)

Secondly, locking was added in this release to ensure that updates to the repository content are always applied sequentially. This fixes a concurrency issue introduced in Krill 0.12.0 that could result in rejecting an update from a publishing CA.

PR: 269050
Reported by: jaap@NLnetLabs.nl (maintainer)
MFH: 2023Q1 (security fix)
Security: CVE-2023-0158

(cherry picked from commit bb104a8ee1912bb409408601e479658e5c9f0f60)

net/krill/Makefile | 275 +---------------------------------------
net/krill/Makefile.crates (new) | 272 +++++++++++++++++++++++++++++++++++++++
net/krill/distinfo | 8 +-
3 files changed, 278 insertions(+), 277 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6451492b53545e19bc2761229143294c6503de8f

commit 6451492b53545e19bc2761229143294c6503de8f
Author: Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-01-23 13:16:35 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-23 13:20:06 +0000

security/vuxml: register net/krill DoS vulnerability

CVE-2023-0158

PR: 269050

security/vuxml/vuln/2023.xml | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
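The release notes in the first comment place the fix in Krill 0.12.1, and the VuXML commit above registers the port as affected below that version. The following is an added example, not code from this bug report, from the net/krill port or from NLnet Labs: it reproduces that less-than version range over `pkg info`-style name-version strings so an operator can check a host's installed krill package against CVE-2023-0158. The sample package list is constructed for the example; the treatment of FreeBSD port revisions (`_1`) and epochs (`,1`) is an assumption made here for simplicity, since the vulnerable range is stated on the upstream version.

```python
import re

# Version in which the fix landed (net/krill update on this PR; CVE-2023-0158).
FIXED_VERSION = "0.12.1"

# Constructed sample of `pkg info`-style name-version strings; not real output.
SAMPLE_PKGS = ["krill-0.12.0", "krill-0.12.1", "krill-0.11.0_1", "routinator-0.12.1"]


def split_pkg(pkg):
    """Split 'name-1.2.3' into ('name', '1.2.3'); the last '-' separates the version."""
    name, _, version = pkg.rpartition("-")
    return name, version


def parse_version(version):
    """'0.12.1' -> (0, 12, 1).

    Assumption for this example: a FreeBSD port revision ('_1') or epoch (',1')
    suffix is dropped, because the affected range is expressed on the upstream
    Krill version and tuple comparison then matches a VuXML '<lt>' range.
    """
    base = re.split(r"[_,]", version, maxsplit=1)[0]
    return tuple(int(part) for part in base.split("."))


def is_affected(version, fixed=FIXED_VERSION):
    """True when version < fixed, i.e. the package predates the CVE-2023-0158 fix."""
    return parse_version(version) < parse_version(fixed)


def audit(pkgs, pkg_name="krill"):
    """Return the entries in pkgs that are krill packages in the affected range."""
    affected = []
    for pkg in pkgs:
        name, version = split_pkg(pkg)
        if name == pkg_name and is_affected(version):
            affected.append(pkg)
    return affected


if __name__ == "__main__":
    for pkg in audit(SAMPLE_PKGS):
        print(f"{pkg}: affected by CVE-2023-0158, upgrade to krill-{FIXED_VERSION}")
```

On a real host the input would be the output of `pkg info` (or `pkg audit` can be run directly once the VuXML database has been fetched); the check here only tells you whether the package is in the affected range, not whether the `/rrdp` endpoint is exposed, which the release notes identify as the condition for the crash.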
Committed and merged to 2023Q1, Thanks!