author: Jaap Akkerhuis <jaap@NLnetLabs.nl> 2022-10-07 15:45:00 +0000
committer: Fernando Apesteguía <fernape@FreeBSD.org> 2022-10-07 15:45:00 +0000
commit: 1db6001e2a6f0733cea74b757c2a186b3fddae0a (patch)
tree: d44d81f0e58345d6ea46863bddc93b4df266fa29
parent: f318a4162a3bfb8ed515a4fd8ca7f453a0017505 (diff)
download: ports-1db6001e2a6f0733cea74b757c2a186b3fddae0a.tar.gz
ports-1db6001e2a6f0733cea74b757c2a186b3fddae0a.zip
net/routinator: Add net/routinator CVE
Recent versions of Routinator contain a problem that causes Routinator to exit if it encounters invalid data in RRDP snapshot or delta files.

Details: https://nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt

PR: 266865
Reported by: jaap@NLnetLabs.nl
-rw-r--r-- security/vuxml/vuln-2022.xml | 42
1 files changed, 42 insertions, 0 deletions
diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 691024abe7b2..831c3685b898 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,45 @@
+ <vuln vid="e4133d8b-ab33-451a-bc68-3719de73d54a">
+ <topic>routinator -- potential DOS attack</topic>
+ <affects>
+ <package>
+ <name>routinator</name>
+ <range><ge>0.9.0</ge><lt>0.11.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>
+ Due to a mistake in error handling, data in RRDP snapshot and delta files
+ that isn’t correctly base 64 encoded is treated as a fatal error and causes
+ Routinator to exit.
+
+ Worst case impact of this vulnerability is denial of service for the RPKI
+ data that Routinator provides to routers. This may stop your network from
+ validating route origins based on RPKI data. This vulnerability does not
+ allow an attacker to manipulate RPKI data. We are not aware of exploitation
+ of this vulnerability at this point in time.
+
+ Starting with release 0.11.3, Routinator handles encoding errors by rejecting
+ the snapshot or delta file and continuing with validation. In case of an
+ invalid delta file, it will try using the snapshot instead. If a snapshot file
+ is invalid, the update of the repository will fail and an update through rsync
+ is attempted.
+ </p>
+ <blockquote cite="https://www.cvedetails.com/cve/CVE-2022-3029/">
+ <p>.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2022-3029</cvename>
+ <url>https://nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt</url>
+ </references>
+ <dates>
+ <discovery>2022-10-06</discovery>
+ <entry>2022-10-07</entry>
+ </dates>
+ </vuln>
+
<vuln vid="f4f15051-4574-11ed-81a1-080027881239">
<topic>Django -- multiple vulnerabilities</topic>
<affects>
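Review bot: the `<blockquote cite="https://www.cvedetails.com/cve/CVE-2022-3029/">` at the end of the description body contains only `<p>.</p>`, a placeholder with no quoted text; either fill it with the passage being cited or drop the blockquote entirely, since the advisory text above is already attributed through the `<url>` in `<references>`. Two smaller points in the same hunk: the three paragraphs of the description sit inside a single `<p>` separated by blank lines, which XHTML renders as one run-on paragraph, so each should be its own `<p>`; and the topic's "potential DOS attack" reads as the operating system, so spell it "denial of service" (or DoS), matching the wording the description itself uses.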