Bug 274105 - net/routinator: Update to 0.13.0
Summary: net/routinator: Update to 0.13.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Only Me
Assignee: Fernando Apesteguía
URL: https://nlnetlabs.nl/news/2023/Sep/21...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-26 12:54 UTC by Jaap Akkerhuis
Modified: 2023-09-28 08:43 UTC

See Also:
fernape: merge-quarterly?


Attachments
Patch to upgrade (68.54 KB, patch)
2023-09-26 12:54 UTC, Jaap Akkerhuis
jaap: maintainer-approval+

Description Jaap Akkerhuis 2023-09-26 12:54:15 UTC
Created attachment 245251 [details]
Patch to upgrade

0.13.0 Should Have Started This in a Screen


   New
     * Added support for ASPA. Processing needs to be enabled via the new option enable-aspa which is only available if the aspa feature is explicitly selected during compilation.
       This is due to the specification still changing. The implementation currently conforms with draft-ietf-sidrops-aspa-profile-15. (#847, #873, #874, #878)
     * Added support for version 2 of the RTR protocol. This primarily means support for the ASPA payload type. (#847)
     * Sending SIGUSR2 to Routinator will re-open a log file if logging to a file is enabled. (#859)
     * The HTTP server provides a new endpoint /json-delta/notify that can be used to wait for updated data similar to the RTR Notify PDU. (#863)
     * Added support for filtering and adding router keys via local exception files. (#865)
     * The vrps command and the HTTP payload output endpoints now allow excluding specific payload types for output. (#866)
     * Added a new member payload to the output of the /api/v1/status endpoint that gives an overall summary of the produced payload. (#867)
     * Added new members generated and generatedTime to the JSON object produced by the /json-delta endpoint. (#868)

   Breaking Changes
     * A new field aspa was added to the jsonext format. See the manual page for more information. (#847)
     * A number of ASPA-related fields have been added to all metrics and status formats. (#847)
     * Renamed functions and attributes that refer to standalone end entity certificates to refer to router certificates so they don't get confused with the end entity
       certificates included with signed objects. (#854)
     * Renamed the JSON member in the HTTP status API from validEECerts to validRouterCerts. The old name is still available but may be removed in the future. (#854)
     * The regular json output format now includes router key and ASPA output. Since both are disabled by default, the format will still be compatible by default. (#866)
     * The minimal required Rust version has been increased to 1.70. (#847, #853, #869, #879)

   Bug Fixes
     * Fixed a bug in the RTR server where it would include router key PDUs even if the negotiated protocol version was 0. (via rpki-rs #250)
     * Restored the ability to parse ASNs in JSON input to the validity command as string or number. (#861)
     * Update bcder to at least 0.7.3 to fix various decoding issues that could lead to a panic when processing invalid RPKI objects.
     * Check the request URI when generating a path for storing a copy of a RRDP response with the rrdp-keep-responses option to avoid path traversal. (#894. Found by Haya
       Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.)

   Other Changes
     * The log message for missing manifest now includes the URI of the CA certificate for which the manifest is missing. (#864)
     * Binary packages are now also built for Debian bookworm. (#881)
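The path-traversal fix listed under Bug Fixes (rrdp-keep-responses, CVE-2023-39916) is the kind of check a storage path derived from a request URI needs. The following is an added illustration in Rust, not Routinator's own code; the function names and the base directory are assumptions:

```rust
use std::path::{Component, Path, PathBuf};

/// One URI segment that may become a single directory or file name.
/// Empty, "." and ".." are refused, as is anything outside a conservative
/// character set. Percent-escapes are kept literally (never decoded), so
/// "%2e%2e" ends up as an odd but harmless file name, not a parent reference.
fn is_safe_segment(seg: &str, allow_port: bool) -> bool {
    if seg.is_empty() || seg == "." || seg == ".." {
        return false;
    }
    seg.chars().all(|c| {
        c.is_ascii_alphanumeric() || "-_.%~".contains(c) || (allow_port && c == ':')
    })
}

/// Map the request URI of an RRDP response to a storage path below `base`,
/// returning None whenever the URI could name something outside `base`.
/// Assumptions for this example: http(s) URIs only, `base` is an absolute
/// directory, and an authority may carry a port but no userinfo.
pub fn keep_response_path(base: &Path, uri: &str) -> Option<PathBuf> {
    let rest = uri
        .strip_prefix("https://")
        .or_else(|| uri.strip_prefix("http://"))?;
    let (authority, path) = rest.split_once('/').unwrap_or((rest, ""));
    // Query and fragment have no place in a file name.
    let path = path.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
    if !is_safe_segment(authority, true) {
        return None;
    }
    let mut out = base.to_path_buf();
    out.push(authority);
    for seg in path.split('/') {
        if !is_safe_segment(seg, false) {
            return None;
        }
        out.push(seg);
    }
    // Defence in depth: everything after `base` must be a plain component
    // (no root, prefix or ".." slipped in) and the result must stay under `base`.
    let tail_is_plain = out
        .strip_prefix(base)
        .ok()?
        .components()
        .all(|c| matches!(c, Component::Normal(_)));
    if tail_is_plain && out.starts_with(base) { Some(out) } else { None }
}
```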
Comment 1 Fernando Apesteguía 2023-09-27 11:01:54 UTC
CVE-2023-39916
Comment 2 commit-hook 2023-09-27 11:04:51 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=633698c493c70350263613dea0db2d7e00f9adbe

commit 633698c493c70350263613dea0db2d7e00f9adbe
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-09-27 11:02:36 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-09-27 11:02:36 +0000

    security/vuxml: Record net/routinator vulnerability

    CVE-2023-39916

            Base Score:     6.5 MEDIUM
            Vector:         CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    PR:     274105

 security/vuxml/vuln/2023.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
Comment 3 Fernando Apesteguía 2023-09-28 08:43:06 UTC
Committed,

Thanks!
Comment 4 commit-hook 2023-09-28 08:43:13 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9b65e5946fd09b02d7974755bb8af1d30a498adb

commit 9b65e5946fd09b02d7974755bb8af1d30a498adb
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2023-09-27 06:28:05 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-09-28 08:42:23 +0000

    net/routinator: Update to 0.13.0

    ChangeLog: https://nlnetlabs.nl/news/2023/Sep/21/routinator-0.13.0-released/

    New

     * Added support for ASPA. Processing needs to be enabled via the new option
       enable-aspa which is only available if the aspa feature is explicitly
       selected during compilation. This is due to the specification still
       changing. The implementation currently conforms with
       draft-ietf-sidrops-aspa-profile-15.
     * Added support for version 2 of the RTR protocol. This primarily means support
       for the ASPA payload type.
     * Sending SIGUSR2 to Routinator will re-open a log file if logging to a file is
       enabled.
     * The HTTP server provides a new endpoint /json-delta/notify that can be used
       to wait for updated data similar to the RTR Notify PDU.
     * Added support for filtering and adding router keys via local exception files.

     * The vrps command and the HTTP payload output endpoints now allow excluding
       specific payload types for output.
     * Added a new member payload to the output of the /api/v1/status endpoint that
       gives an overall summary of the produced payload.
     * Added new members generated and generatedTime to the JSON object produced by
       the /json-delta endpoint.

    Breaking Changes

     * A new field aspa was added to the jsonext format. See the manual page for
       more information.
     * A number of ASPA-related fields have been added to all metrics and status
       formats.
     * Renamed functions and attributes that refer to standalone end entity
       certificates to refer to router certificates so they don’t get confused with
       the end entity certificates included with signed objects.
     * Renamed the JSON member in the HTTP status API from validEECerts to
       validRouterCerts. The old name is still available but may be removed in the
       future.
     * The regular json output format now includes router key and ASPA output. Since
       both are disabled by default, the format will still be compatible by default.
     * The minimal required Rust version has been increased to 1.70.

    Bug Fixes

     * Fixed a bug in the RTR server where it would include router key PDUs even if
       the negotiated protocol version was 0.
     * Restored the ability to parse ASNs in JSON input to the validity command as
       string or number.
     * Update bcder to at least 0.7.3 to fix various decoding issues that could lead
       to a panic when processing invalid RPKI objects.
     * Check the request URI when generating a path for storing a copy of a RRDP
       response with the rrdp-keep-responses option to avoid path traversal.
       Found by Haya Shulman, Donika Mirdita and Niklas Vogel.  Assigned
       CVE-2023-39916

    Other Changes

     * The log message for missing manifest now includes the URI of the CA
       certificate for which the manifest is missing. (#864)
     * Binary packages are now also built for Debian bookworm. (#881)

    PR:             274105
    Reported by:    jaap@NLnetLabs.nl (maintainer)
    Security:       CVE-2023-39916

 net/routinator/Makefile        |   8 +-
 net/routinator/Makefile.crates | 314 ++++++++++----------
 net/routinator/distinfo        | 630 ++++++++++++++++++++---------------------
 3 files changed, 479 insertions(+), 473 deletions(-)