From 4b41c41f4bbc460669a00a8aad44c4a753665c66 Mon Sep 17 00:00:00 2001 From: Martin Hoffmann Date: Wed, 13 Sep 2023 15:18:38 +0200 Subject: [PATCH] =?UTF-8?q?Release=200.12.2=20=20=E2=80=98Brutti,=20sporch?= =?UTF-8?q?i=20e=20cattivi.=E2=80=99=20(#893)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bug Fixes * Fixed various decoding issues that could lead to a panic when processing invalid RPKI objects. ([#891], via bcder release 0.7.3. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915) * Check the request URI when generating a path for storing a copy of a RRDP response with the `rrdp-keep-responses` option to avoid path traversal. ([#892]. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.) --- .github/workflows/pkg.yml | 2 +- Cargo.lock | 2 +- Cargo.toml | 2 +- Changelog.md | 18 +++++++++++++++ Dockerfile | 2 +- doc/routinator.1 | 8 +++---- pkg/rules/packages-to-build.yml | 40 +++++++++++++++++++++++++++++++-- 7 files changed, 64 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pkg.yml b/.github/workflows/pkg.yml index 580915dd..707412a9 100644 --- a/.github/workflows/pkg.yml +++ b/.github/workflows/pkg.yml @@ -14,7 +14,7 @@ on: jobs: package: - uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v5 + uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v7 secrets: DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }} DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }} diff --git a/Cargo.lock b/Cargo.lock index e6fb843a..d5e0f58a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1145,7 +1145,7 @@ dependencies = [ [[package]] name = "routinator" -version = "0.12.1" +version = "0.12.2" dependencies = [ "base64", "bcder", diff --git a/Cargo.toml b/Cargo.toml index 5eb82a38..a66c89c0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,7 +1,7 @@ [package] # Note: some of these values are also used when building Debian packages below. name = "routinator" -version = "0.12.1" +version = "0.12.2" edition = "2021" rust-version = "1.62" authors = ["The NLnet Labs RPKI Team "] diff --git a/Changelog.md b/Changelog.md index 6a5c00d7..3391a10d 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,23 @@ # Change Log +## 0.12.2 ‘Brutti, sporchi e cattivi’ + +Release 2023-09-13. + +Bug Fixes + +* Fixed various decoding issues that could lead to a panic when processing + invalid RPKI objects. ([#891], via bcder release 0.7.3. Found by + Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915) +* Check the request URI when generating a path for storing a copy of a RRDP + response with the `rrdp-keep-responses` option to avoid path traversal. + ([#892]. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. + Assigned CVE-2023-39916.) + +[#891]: https://github.com/NLnetLabs/routinator/pull/891 +[#892]: https://github.com/NLnetLabs/routinator/pull/892 + + ## 0.12.1 ‘Plan uw reis in de app’ Released 2023-01-04. diff --git a/Dockerfile b/Dockerfile index b4a58a34..33670a0e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -44,7 +44,7 @@ ARG MODE=build # ======== # # Only used when MODE=build. -ARG BASE_IMG=alpine:3.16 +ARG BASE_IMG=alpine:3.18 # CARGO_ARGS diff --git a/doc/routinator.1 b/doc/routinator.1 index 40cfaeb3..44413694 100644 --- a/doc/routinator.1 +++ b/doc/routinator.1 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "ROUTINATOR" "1" "Jan 04, 2023" "0.12.1" "Routinator" +.TH "ROUTINATOR" "1" "Sep 13, 2023" "0.12.2" "Routinator" .SH NAME routinator \- RPKI relying party software .SH SYNOPSIS @@ -171,7 +171,7 @@ was \fIwarn\fP\&. In all previous versions \fIwarn\fP was hard\-wired. .INDENT 0.0 .TP .B \-\-unsafe\-vrps=policy -This option defines how to deal with "unsafe VRPs." If the address +This option defines how to deal with \(dqunsafe VRPs.\(dq If the address prefix of a VRP overlaps with any resources assigned to a CA that has been rejected because if failed to validate completely, the VRP is said to be unsafe since using it may lead to legitimate routes being flagged @@ -505,7 +505,7 @@ identical to the CSV produced by the RIPE NCC Validator. .B csvext An extended version of csv each line contains these comma\-separated values: the rsync URI of the ROA the line -is taken from (or "N/A" if it isn\(aqt from a ROA), the +is taken from (or \(dqN/A\(dq if it isn\(aqt from a ROA), the autonomous system number, the prefix in slash notation, the maximum prefix length, the not\-before date and not\-after date of the validity of the ROA. @@ -663,7 +663,7 @@ the prefix is RPKI valid or invalid. The option can be given multiple times, in which case VRPs for all prefixes are provided. It can also be combined with one or more ASN selections. Then all matching VRPs are included. That is, -selectors combine as "or" not "and". +selectors combine as \(dqor\(dq not \(dqand\(dq. .UNINDENT .INDENT 7.0 .TP diff --git a/pkg/rules/packages-to-build.yml b/pkg/rules/packages-to-build.yml index 963b7c1b..4dcb0b4c 100644 --- a/pkg/rules/packages-to-build.yml +++ b/pkg/rules/packages-to-build.yml @@ -11,10 +11,20 @@ image: - "debian:stretch" # debian/9 - "debian:buster" # debian/10 - "debian:bullseye" # debian/11 + - "debian:bookworm" # debian/12 - 'centos:7' - 'rockylinux:8' # compatible with EOL centos:8 + - 'rockylinux:9' target: - 'x86_64' +test-image: + # Set 'test-image' to the empty string for all matrix permutations so that the default ('image') will be used + # to launch an LXC container to test the created packages in. Why explicitly set what is already the default? + # If this isn't present, later entries in the include set below will overwrite earlier entries that differ + # only by their 'test-image' value. If however 'test-image' is present in the original matrix by defining it + # here, then 'included' entries will no longer overwrite each other because they alter a key that is present + # in the original matrix. This is just how GitHub Actions matrix include rules work. + - "" include: - image: "centos:7" systemd_service_unit_file: pkg/common/routinator-minimal.routinator.service @@ -30,7 +40,9 @@ include: # image we are building it in. - image: 'rockylinux:8' systemd_service_unit_file: pkg/common/routinator.routinator.service - os: 'centos:8' + + - image: 'rockylinux:9' + systemd_service_unit_file: pkg/common/routinator.routinator.service # package for the Raspberry Pi 4b as an ARMv7 cross compiled variant of the Debian Bullseye upon which # Raspbian 11 is based. @@ -49,9 +61,33 @@ include: image: 'debian:buster' target: 'aarch64-unknown-linux-musl' + # the include entries below will not cause additional packages to be built because they specify combinations + # of matrix keys and values as already exist elsewhere in the matrix, but they will cause an additional tests + # to be run in the package testing phase, which will install the package in an LXC container running the + # specified 'test-image' instead of the 'image' it was built in. + - pkg: 'routinator' + image: 'rockylinux:9' + target: 'x86_64' + test-image: 'almalinux:9' + + - pkg: 'routinator' + image: 'rockylinux:9' + target: 'x86_64' + test-image: 'centos:9-Stream' + # 'mode' is not used by the package building workflow job, but is used by the package testing workflow job. # Ploutos will not include this key when using this matrix definition to generate package building matrix # permutations but will use it when generating package testing permutations. -mode: +test-mode: - 'fresh-install' - 'upgrade-from-published' + +# Disable upgrade testing on Rocky Linux 9 and Debian Bookworm as we haven't published any packages for +# those O/S versions yet. +test-exclude: + - pkg: 'routinator' + image: 'rockylinux:9' + mode: 'upgrade-from-published' + - pkg: 'routinator' + image: 'debian:bookworm' + mode: 'upgrade-from-published'