• multiple RPKI-related vulnerabilities in stable

    From SEEWEB - Marco d'Itri@21:1/5 to All on Mon Nov 29 00:10:02 2021
    https://rpki.exposed/ lists a long number of vulnerabilities affecting software in Debian stable: fort-validator, cfrpki, and rpki-client.
    (Not routinator, because it is an unpackageable mess of Rust.)

    (To make a long story short, RPKI is a way to digitally sign BGP routes
    and all network operators and IXPs are progressively deploying at least
    a couple of servers each to run the validators.)

    The RPKI ecosystem is very young, so this was hardly unexpected.
    While I did significant work trying to establish Debian as the go-to
    platform for deploying RPKI validators, at this point nobody will use
    the validators currently in Debian stable.

    It is not really practical to extract and backport all these patches, so
    I would like to know from the release managers if they would strongly
    consider an upload to stable of the current releases of these packages
    or if I should request instead that they are all removed from stable.

    Please Cc: me on replies.

    --
    ciao,
    Marco


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Moritz Muehlenhoff@21:1/5 to SEEWEB - Marco d'Itri on Tue Nov 30 09:40:02 2021
    Hi Marco,

    On Sun, Nov 28, 2021 at 11:57:09PM +0100, SEEWEB - Marco d'Itri wrote:
    > https://rpki.exposed/ lists a long number of vulnerabilities affecting

    Ironically this website is unreachable since at least yesterday :-)

    > It is not really practical to extract and backport all these patches, so

    Let's fix these via bullseye-security, version numbers would be:
    rpki-client 7.5-1~deb11u1
    fort-validator 1.5.3-1~deb11u1
    cfrpki 1.4.2-1~deb11u1

    Note that the dak installations on security.debian.org and ftp.debian.org
    don't share tarballs, so these need to be rebuilt with -sa to include the
    orig tarballs in the changes file.

    Cheers,
    Moritz

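A pre-upload check for the step Moritz describes, added here as an example and not part of the thread: it verifies that a .changes file targets bullseye-security, carries a ~deb11uN version and lists the orig tarball that `dpkg-buildpackage -sa` includes. The sample .changes content is constructed from the thread's fort-validator version; checksums, sizes and the remaining fields are placeholders.

```shell
#!/bin/sh
# Added example: sanity-check a .changes file before uploading to bullseye-security.
# Version numbers follow the thread; checksums and sizes are constructed placeholders.

# Print a constructed .changes file. "yes" includes the upstream tarball
# (what -sa produces); anything else omits it, as a plain -sd style upload would.
sample_changes() {
    cat <<'EOF'
Format: 1.8
Source: fort-validator
Architecture: source
Version: 1.5.3-1~deb11u1
Distribution: bullseye-security
Urgency: high
Files:
 00000000000000000000000000000000 1234 net optional fort-validator_1.5.3-1~deb11u1.dsc
EOF
    if [ "$1" = yes ]; then
        echo " 00000000000000000000000000000000 567890 net optional fort-validator_1.5.3.orig.tar.gz"
    fi
    echo " 00000000000000000000000000000000 4321 net optional fort-validator_1.5.3-1~deb11u1.debian.tar.xz"
}

# Return 0 if FILE targets bullseye-security, uses the ~deb11uN version suffix
# and lists the orig tarball in its Files: stanza; the security archive's dak
# does not share tarballs with ftp-master, so the upload has to carry it.
check_security_changes() {
    f="$1"
    dist=$(sed -n 's/^Distribution: *//p' "$f")
    ver=$(sed -n 's/^Version: *//p' "$f")
    [ "$dist" = bullseye-security ] || { echo "Distribution is '$dist'"; return 1; }
    case "$ver" in
        *~deb11u[0-9]*) ;;
        *) echo "Version '$ver' lacks the ~deb11uN suffix"; return 1 ;;
    esac
    # Only look inside the Files: stanza; its continuation lines start with a space.
    awk '/^Files:/ {f=1; next} /^[^ ]/ {f=0} f && /\.orig\.tar\./ {found=1}
         END {exit !found}' "$f" \
        || { echo "no orig tarball listed: rebuild with dpkg-buildpackage -sa"; return 1; }
    return 0
}

# Usage: sh check_changes.sh fort-validator_1.5.3-1~deb11u1_source.changes
if [ $# -eq 1 ]; then
    check_security_changes "$1"
fi
```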
  • From SEEWEB - Marco d'Itri@21:1/5 to Moritz Muehlenhoff on Sun Dec 26 16:40:01 2021
    On Nov 30, Moritz Muehlenhoff <jmm@inutil.org> wrote:

    >> https://rpki.exposed/ lists a long number of vulnerabilities affecting
    > Ironically this website is unreachable since at least yesterday :-)
    This was the linked page: https://docs.google.com/spreadsheets/d/1uuDlO6g1DLATV5OVCa20kU9OOiX9XWBFoZT2OkOezi8/edit#gid=0

    >> It is not really practical to extract and backport all these patches, so

    > Let's fix these via bullseye-security, version numbers would be:
    > rpki-client 7.5-1~deb11u1
    > fort-validator 1.5.3-1~deb11u1
    > cfrpki 1.4.2-1~deb11u1
    Thank you, I have uploaded fort-validator and cfrpki.
    I forgot that rpki-client now requires libretls, which is not in
    bullseye, so I will do a backport and discuss what to do with the
    upstream authors.

    --
    ciao,
    Marco

