View | Details | Raw Unified | Return to bug 266865 | Differences between
and this patch


(-)b/security/vuxml/vuln-2022.xml (+42 lines)
Lines 1-3 Link Here
1
  <vuln vid="e4133d8b-ab33-451a-bc68-3719de73d54a">
2
    <topic>routinator -- potential DOS attack</topic>
3
    <affects>
4
      <package>
5
	<name>routinator</name>
6
	<range><ge>0.9.0</ge><lt>0.11.3</lt></range>
7
      </package>
8
    </affects>
9
    <description>
10
      <body xmlns="http://www.w3.org/1999/xhtml">
11
	<p>
12
	 Due to a mistake in error handling, data in RRDP snapshot and delta files
13
	 that isn’t correctly base 64 encoded is treated as a fatal error and causes
14
	 Routinator to exit.
15
16
	 Worst case impact of this vulnerability is denial of service for the RPKI
17
	 data that Routinator provides to routers. This may stop your network from
18
	 validating route origins based on RPKI data. This vulnerability does not
19
	 allow an attacker to manipulate RPKI data. We are not aware of exploitation
20
	 of this vulnerability at this point in time.
21
22
	 Starting with release 0.11.3, Routinator handles encoding errors by rejecting
23
	 the snapshot or delta file and continuing with validation. In case of an
24
	 invalid delta file, it will try using the snapshot instead. If a snapshot file
25
	 is invalid, the update of the repository will fail and an update through rsync
26
	 is attempted.
27
	 </p>
28
	<blockquote cite="https://www.cvedetails.com/cve/CVE-2022-3029/">
29
	  <p>.</p>
30
	</blockquote>
31
      </body>
32
    </description>
33
    <references>
34
      <cvename>CVE-2022-3029</cvename>
35
      <url>https://nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt</url>
36
    </references>
37
    <dates>
38
      <discovery>2022-10-06</discovery>
39
      <entry>2022-10-07</entry>
40
    </dates>
41
  </vuln>
42
1
  <vuln vid="f4f15051-4574-11ed-81a1-080027881239">
43
  <vuln vid="f4f15051-4574-11ed-81a1-080027881239">
2
    <topic>Django -- multiple vulnerabilities</topic>
44
    <topic>Django -- multiple vulnerabilities</topic>
3
    <affects>
45
    <affects>
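
Review bot: The `<blockquote cite="https://www.cvedetails.com/cve/CVE-2022-3029/">` at the end of the new routinator description holds only `<p>.</p>`, while the actual advisory text sits in a bare `<p>` above it. Move the description into the blockquote and point `cite` at the source the text was taken from (the `<url>` under `<references>` looks like the vendor advisory), leaving only a short attribution line in the preceding `<p>`. The three paragraphs are separated by blank lines inside a single `<p>`, so they will render as one run of text; give each its own `<p>`. Smaller points: "isn’t" uses a typographic apostrophe where the rest of the entry is plain ASCII, the topic would read better with "denial of service" or "DoS" than "DOS", and the description only supports the `<lt>0.11.3</lt>` bound, so please confirm where `<ge>0.9.0</ge>` comes from.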
