Created attachment 237120: patch to update
This is an important security release. All users of Routinator 0.9.0 up to 0.11.2 are encouraged to upgrade at their earliest convenience.
Bug Fixes
Fixes an issue in error handling in the RRDP collector that causes Routinator to exit if it encountered malformed base 64 in RRDP snapshot and delta files. (Found by Donika Mirdita and Haya Shulman. Assigned CVE-2022-3029.) (#781)
(See https://nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt for details)
Hi, Could you provide a vuxml entry? Thanks
(In reply to Nuno Teixeira from comment #1)
I can (and did) using security/vuxml, but where do I send it to? I never have figured out how to do that.
(In reply to Jaap Akkerhuis from comment #2)
https://docs.freebsd.org/en/books/porters-handbook/book/#security-notify-vuxml-db
An example: https://cgit.freebsd.org/ports/commit/?id=4c5b101930584d59822335a4a7cf82ae17096c5a
Cheers
Created attachment 237141: vuxml entry CVE-2022-3029 -- potential DOS attack
vuxml: CVE-2022-3029 -- potential DOS attack
(In reply to Jaap Akkerhuis from comment #4) Thanks for the vuxml entry. The port is queued for build testing. Thanks!
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=1db6001e2a6f0733cea74b757c2a186b3fddae0a
commit 1db6001e2a6f0733cea74b757c2a186b3fddae0a
Author: Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2022-10-07 15:45:00 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-10-07 15:45:00 +0000
    net/routinator: Add net/routinator CVE
    Recent versions of Routinator contain a problem that causes Routinator to exit if it encounters invalid data in RRDP snapshot or delta files.
    Details: https://nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt
    PR: 266865
    Reported by: jaap@NLnetLabs.nl
security/vuxml/vuln-2022.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=3488bf3779725a73032aeff271926dee14e10e70
commit 3488bf3779725a73032aeff271926dee14e10e70
Author: Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2022-10-07 06:07:35 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-10-09 11:49:22 +0000
    net/routinator: Update to 0.11.3
    ChangeLog: https://github.com/NLnetLabs/routinator/releases
    Fixes an issue in error handling in the RRDP collector that causes Routinator to exit if it encountered malformed base 64 in RRDP snapshot and delta files. (Found by Donika Mirdita and Haya Shulman. Assigned CVE-2022-3029.)
    PR: 266865
    Reported by: jaap@NLnetLabs.nl (maintainer)
    MFH: 2022Q4 (security fix release)
    Security: CVE-2022-302
net/routinator/Makefile | 3 +--
net/routinator/distinfo | 6 +++---
net/routinator/files/routinator.in | 2 +-
3 files changed, 5 insertions(+), 6 deletions(-)
A commit in branch 2022Q4 references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=f0faa07fdb18701f682e0ea36f0b0ea3c1060055
commit f0faa07fdb18701f682e0ea36f0b0ea3c1060055
Author: Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2022-10-07 06:07:35 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-10-09 11:51:21 +0000
    net/routinator: Update to 0.11.3
    ChangeLog: https://github.com/NLnetLabs/routinator/releases
    Fixes an issue in error handling in the RRDP collector that causes Routinator to exit if it encountered malformed base 64 in RRDP snapshot and delta files. (Found by Donika Mirdita and Haya Shulman. Assigned CVE-2022-3029.)
    PR: 266865
    Reported by: jaap@NLnetLabs.nl (maintainer)
    MFH: 2022Q4 (security fix release)
    Security: CVE-2022-302
    (cherry picked from commit 3488bf3779725a73032aeff271926dee14e10e70)
net/routinator/Makefile | 3 +--
net/routinator/distinfo | 6 +++---
net/routinator/files/routinator.in | 2 +-
3 files changed, 5 insertions(+), 6 deletions(-)
Committed and merged to 2022Q4. Thanks!