Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Check path before keeping RRDP responses. #892

Merged
merged 1 commit into from
Sep 13, 2023

Conversation

partim
Copy link
Member

@partim partim commented Sep 13, 2023

This PR adds a check of the request URI when generating a path for storing a copy of a RRDP response to avoid path traversal.

This PR provides the fix for CVE-2023-39916.

@partim partim merged commit 0ff795d into series-0.12 Sep 13, 2023
9 checks passed
@partim partim deleted the 0.12-rrdp-keep-responses-fix branch September 13, 2023 12:30
partim added a commit that referenced this pull request Sep 13, 2023
Bug Fixes

* Fixed various decoding issues that could lead to a panic when processing
  invalid RPKI objects. ([#891], via bcder release 0.7.3. Found by
  Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915)
* Check the request URI when generating a path for storing a copy of a RRDP
  response with the `rrdp-keep-responses` option to avoid path traversal.
  ([#892]. Found by Haya Shulman, Donika Mirdita and Niklas Vogel.
  Assigned CVE-2023-39916.)
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Sep 14, 2023
Pkgsrc changes:
 * Update cargo-depends.mk, update checksums.

Upstream changes:

## 0.12.2 "Brutti, sporchi e cattivi"

Release 2023-09-13.

Bug Fixes

* Fixed various decoding issues that could lead to a panic when processing
  invalid RPKI objects. ([#891], via bcder release 0.7.3. Found by
  Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915)
* Check the request URI when generating a path for storing a copy of a RRDP
  response with the `rrdp-keep-responses` option to avoid path traversal.
  ([#892]. Found by Haya Shulman, Donika Mirdita and Niklas Vogel.
  Assigned CVE-2023-39916.)

[#891]: NLnetLabs/routinator#891
[#892]: NLnetLabs/routinator#892


## 0.12.1 "Plan uw reis in de app"

Released 2023-01-04.

There are no changes since 0.12.1-rc2.


## 0.12.1-rc2

Released 2022-12-13.

Bug Fixes

* Allow private keys prefixed both with `BEGIN PRIVATE KEY` and
  `BEGIN RSA PRIVATE KEY` in the files referred to by `http-tls-key` and
  `rtr-tls-key` configuration options. ([#831], [#832])

[#831]: NLnetLabs/routinator#831
[#832]: NLnetLabs/routinator#831


## 0.12.1-rc1

Released 2022-12-05.

Bug Fixes

* Actually use the `extra-tals-dir` config file option. ([#821])
* On Unix, if chroot is requested but no working directory is explicitly
  provided, set the working directory to the chroot directory. ([#823])
* Fixed the error messages printed when the `http-tls-key` or
  `http-tls-cert` options are required but missing. They now refer to HTTP
  and not, as previously, to RTR. ([#824] by [@SanderDelden])

Other Changes

* Switch the packaging workflow to use [Ploutos]. ([#816])

[#816]: NLnetLabs/routinator#816
[#821]: NLnetLabs/routinator#821
[#823]: NLnetLabs/routinator#823
[#824]: NLnetLabs/routinator#824
[@SanderDelden]: https://github.com/SanderDelden
[Ploutos]: https://github.com/NLnetLabs/ploutos/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants