Release 0.12.2 ‘Brutti, sporchi e cattivi.’ (#893)

Bug Fixes * Fixed various decoding issues that could lead to a panic when processing invalid RPKI objects. ([#891], via bcder release 0.7.3. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915) * Check the request URI when generating a path for storing a copy of a RRDP response with the `rrdp-keep-responses` option to avoid path traversal. ([#892]. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.)
NLnetLabs · Sep 13, 2023 · 4b41c41 · 4b41c41
1 parent 0ff795d
commit 4b41c41
Show file tree

Hide file tree

Showing 7 changed files with 64 additions and 10 deletions.
diff --git a/.github/workflows/pkg.yml b/.github/workflows/pkg.yml
@@ -14,7 +14,7 @@ on:
 
 jobs:
   package:
-    uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v5
+    uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v7
     secrets:
       DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }}
       DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 # Note: some of these values are also used when building Debian packages below.
 name = "routinator"
-version = "0.12.1"
+version = "0.12.2"
 edition = "2021"
 rust-version = "1.62"
 authors = ["The NLnet Labs RPKI Team <rpki@nlnetlabs.nl>"]

diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,23 @@
 # Change Log
 
+## 0.12.2 ‘Brutti, sporchi e cattivi’
+
+Release 2023-09-13.
+
+Bug Fixes
+
+* Fixed various decoding issues that could lead to a panic when processing
+  invalid RPKI objects. ([#891], via bcder release 0.7.3. Found by
+  Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915)
+* Check the request URI when generating a path for storing a copy of a RRDP
+  response with the `rrdp-keep-responses` option to avoid path traversal.
+  ([#892]. Found by Haya Shulman, Donika Mirdita and Niklas Vogel.
+  Assigned CVE-2023-39916.)
+
+[#891]: https://github.com/NLnetLabs/routinator/pull/891
+[#892]: https://github.com/NLnetLabs/routinator/pull/892
+
+
 ## 0.12.1 ‘Plan uw reis in de app’
 
 Released 2023-01-04.

diff --git a/Dockerfile b/Dockerfile
@@ -44,7 +44,7 @@ ARG MODE=build
 # ========
 #
 # Only used when MODE=build.
-ARG BASE_IMG=alpine:3.16
+ARG BASE_IMG=alpine:3.18
 
 
 # CARGO_ARGS

diff --git a/doc/routinator.1 b/doc/routinator.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "ROUTINATOR" "1" "Jan 04, 2023" "0.12.1" "Routinator"
+.TH "ROUTINATOR" "1" "Sep 13, 2023" "0.12.2" "Routinator"
 .SH NAME
 routinator \- RPKI relying party software
 .SH SYNOPSIS
@@ -171,7 +171,7 @@ was \fIwarn\fP\&. In all previous versions \fIwarn\fP was hard\-wired.
 .INDENT 0.0
 .TP
 .B \-\-unsafe\-vrps=policy
-This option defines how to deal with "unsafe VRPs." If the address
+This option defines how to deal with \(dqunsafe VRPs.\(dq If the address
 prefix of a VRP overlaps with any resources assigned to a CA that has
 been rejected because if failed to validate completely, the VRP is said
 to be unsafe since using it may lead to legitimate routes being flagged
@@ -505,7 +505,7 @@ identical to the CSV produced by the RIPE NCC Validator.
 .B csvext
 An extended version of csv each line contains these
 comma\-separated values: the rsync URI of the ROA the line
-is taken from (or "N/A" if it isn\(aqt from a ROA), the
+is taken from (or \(dqN/A\(dq if it isn\(aqt from a ROA), the
 autonomous system number, the prefix in slash notation, the
 maximum prefix length, the not\-before date and not\-after
 date of the validity of the ROA.
@@ -663,7 +663,7 @@ the prefix is RPKI valid or invalid.
 The option can be given multiple times, in which case VRPs for all
 prefixes are provided. It can also be combined with one or more
 ASN selections. Then all matching VRPs are included. That is,
-selectors combine as "or" not "and".
+selectors combine as \(dqor\(dq not \(dqand\(dq.
 .UNINDENT
 .INDENT 7.0
 .TP

diff --git a/pkg/rules/packages-to-build.yml b/pkg/rules/packages-to-build.yml
@@ -11,10 +11,20 @@ image:
   - "debian:stretch"  # debian/9
   - "debian:buster"   # debian/10
   - "debian:bullseye" # debian/11
+  - "debian:bookworm" # debian/12
   - 'centos:7'
   - 'rockylinux:8'    # compatible with EOL centos:8
+  - 'rockylinux:9'
 target:
   - 'x86_64'
+test-image:
+  # Set 'test-image' to the empty string for all matrix permutations so that the default ('image') will be used
+  # to launch an LXC container to test the created packages in. Why explicitly set what is already the default?
+  # If this isn't present, later entries in the include set below will overwrite earlier entries that differ
+  # only by their 'test-image' value. If however 'test-image' is present in the original matrix by defining it
+  # here, then 'included' entries will no longer overwrite each other because they alter a key that is present
+  # in the original matrix. This is just how GitHub Actions matrix include rules work.
+  - ""
 include:
   - image: "centos:7"
     systemd_service_unit_file: pkg/common/routinator-minimal.routinator.service
@@ -30,7 +40,9 @@ include:
   # image we are building it in.
   - image: 'rockylinux:8'
     systemd_service_unit_file: pkg/common/routinator.routinator.service
-    os: 'centos:8'
+
+  - image: 'rockylinux:9'
+    systemd_service_unit_file: pkg/common/routinator.routinator.service
 
   # package for the Raspberry Pi 4b as an ARMv7 cross compiled variant of the Debian Bullseye upon which
   # Raspbian 11 is based.
@@ -49,9 +61,33 @@ include:
     image: 'debian:buster'
     target: 'aarch64-unknown-linux-musl'
 
+  # the include entries below will not cause additional packages to be built because they specify combinations
+  # of matrix keys and values as already exist elsewhere in the matrix, but they will cause an additional tests
+  # to be run in the package testing phase, which will install the package in an LXC container running the 
+  # specified 'test-image' instead of the 'image' it was built in.
+  - pkg: 'routinator'
+    image: 'rockylinux:9'
+    target: 'x86_64'
+    test-image: 'almalinux:9'
+
+  - pkg: 'routinator'
+    image: 'rockylinux:9'
+    target: 'x86_64'
+    test-image: 'centos:9-Stream'
+
 # 'mode' is not used by the package building workflow job, but is used by the package testing workflow job.
 # Ploutos will not include this key when using this matrix definition to generate package building matrix
 # permutations but will use it when generating package testing permutations.
-mode:   
+test-mode:   
   - 'fresh-install'
   - 'upgrade-from-published'
+
+# Disable upgrade testing on Rocky Linux 9 and Debian Bookworm as we haven't published any packages for
+# those O/S versions yet.
+test-exclude:
+  - pkg: 'routinator'
+    image: 'rockylinux:9'
+    mode: 'upgrade-from-published'
+  - pkg: 'routinator'
+    image: 'debian:bookworm'
+    mode: 'upgrade-from-published'