diff options
| author | Robert Clausecker <fuz@FreeBSD.org> | 2023-09-16 04:52:45 +0000 |
|---|---|---|
| committer | Robert Clausecker <fuz@FreeBSD.org> | 2023-09-17 15:26:40 +0000 |
| commit | 6db214401ef3ad0f69259559e8a8fa7e1aa37c8a (patch) | |
| tree | 9dddcc0de5dbe9e5e0b1b01eda905b5c9f3f4d9e | |
| parent | 9e3ed402d025438539f648e7e46a1ad1131e374f (diff) | |
| download | ports-6db214401ef3ad0f69259559e8a8fa7e1aa37c8a.tar.gz ports-6db214401ef3ad0f69259559e8a8fa7e1aa37c8a.zip | |
security/vuxml: document routinator vulnerabilities
| -rw-r--r-- | security/vuxml/vuln/2023.xml | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 25773c90c5a5..384565e9afc7 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,42 @@ + <vuln vid="11982747-544c-11ee-ac3e-a04a5edf46d9"> + <topic>routinator -- multiple vulnerabilities</topic> + <affects> + <package> + <name>routinator</name> + <range><lt>0.12.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>NLnet Labs report:</p> + <blockquote cite="https://nlnetlabs.nl/news/2023/Sep/13/routinator-0.12.2-released/"> + <p>This release fixes two issues in Routinator that can be exploited + remotely by rogue RPKI CAs and repositories. We therefore advise all + users of Routinator to upgrade to this release at their earliest + convenience.</p> + <p>The first issue, CVE-2022-39915, can lead to Routinator crashing + when trying to decode certain illegal RPKI objects.</p> + <p>The second issue, CVE-2022-39916, only affects users that have the + rrdp-keep-responses option enabled which allows storing all received + RRDP responses on disk. Because the file name for these responses is + derived from the URI and the path wasn't checked properly, a RRDP URI + could be constructed that results in the response stored outside the + directory, possibly overwriting existing files.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-39915</cvename> + <url>https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt</url> + <cvename>CVE-2022-39916</cvename> + <url>https://nlnetlabs.nl/downloads/routinator/CVE-2023-39916.txt</url> + </references> + <dates> + <discovery>2022-12-08</discovery> + <entry>2023-09-16</entry> + </dates> + </vuln> + <vuln vid="833b469b-5247-11ee-9667-080027f5fec9"> <topic>curl -- HTTP headers eat all memory</topic> <affects> |