19:06 Muhammad Moinur Rahman (bofh)  Author: Jaap Akkerhuis

net/routinator: Update version 0.13.0=>0.13.1

Changelog: https://github.com/NLnetLabs/routinator/releases/tag/v0.13.1

PR:		276892
Approved by:	submitter is maintainer

    d4c518f

08:42 Fernando Apesteguía (fernape)  Author: Jaap Akkerhuis

net/routinator: Update to 0.13.0

ChangeLog: https://nlnetlabs.nl/news/2023/Sep/21/routinator-0.13.0-released/

New

 * Added support for ASPA. Processing needs to be enabled via the new option
   enable-aspa which is only available if the aspa feature is explicitly
   selected during compilation. This is due to the specification still
   changing. The implementation currently conforms with
   draft-ietf-sidrops-aspa-profile-15.
 * Added support for version 2 of the RTR protocol. This primarly means support
   for the ASPA payload type.
 * Sending SIGUSR2 to Routinator will re-open a log file if logging to a file is
   enabled.
 * The HTTP server provides a new endpoint /json-delta/notify that can be used
   to wait for updated data similar to the RTR Notify PDU.
 * Added support for filtering and adding router keys via local exception files.

 * The vrps command and the HTTP payload output endpoints now allow excluding
   specific payload types for output.
 * Added a new member payload to the output of the /api/v1/status endpoint that
   gives an overall summary of the produced payload.
 * Added new members generated and generatedTime to the JSON object produced by
   the /json-delta endpoint.

Breaking Changes

 * A new field aspa was added to the jsonext format. See the manual page for
   more information.
 * A number of ASPA-related fields have been added to all metrics and status
   formats.
 * Renamed functions and attributes that refer to standalone end entity
   certificates to refer to router certificates so they don’t get confused
with
   the end entity certificates included with signed objects.
 * Renamed the JSON member in the HTTP status API from validEECerts to
   validRouterCerts. The old name is still available but may be removed in the
   future.
 * The regular json output format now includes router key and ASPA output. Since
   both are disabled by default, the format will still be compatible by default.
 * The minimal required Rust version has been increased to 1.70.

Bug Fixes

 * Fixed a bug in the RTR server where it would include router key PDUs even if
   the negotiated protocol version was 0.
 * Restored the ability to parse ASNs in JSON input to the validity command as
   string or number.
 * Update bcder to at least 0.7.3 to fix various decoding issues that could lead
   to a panic when processing invalid RPKI objects.
 * Check the request URI when generating a path for storing a copy of a RRDP
   response with the rrdp-keep-responses option to avoid path traversal.
   Found by Haya Shulman, Donika Mirdita and Niklas Vogel.  Assigned
   CVE-2023-39916

Other Changes

 * The log message for missing manifest now include the URI of the CA
   certificate for which the manifest is missing. (#864)
 * Binary packages are now also built for Debian bookworm. (#881)

PR:		274105
Reported by:	jaap@NLnetLabs.nl (maintainer)
Security:	CVE-2023-39916

    9b65e59

15:23 Robert Clausecker (fuz)  Author: Jaap Akkerhuis

net/routinator: Update to 0.12.2

Routinator 0.12.2 ‘Brutti, sporchi e cattivi’

This release fixes two issues in Routinator that can be exploited
remotely by rogue RPKI CAs and repositories. We therefore advise all
users of Routinator to upgrade to this release at their earliest
convenience.

The first issue, CVE-2022-39915, can lead to Routinator crashing when
trying to decode certain illegal RPKI objects.

The second issue, CVE-2022-39916, only affects users that have the
rrdp-keep-responses option enabled which allows storing all received
RRDP responses on disk. Because the file name for these responses is
derived from the URI and the path wasn’t checked properly, a RRDP URI
could be constructed that results in the response stored outside the
directory, possibly overwriting existing files.

We would like to thank Haya Shulman, Donika Mirdita and Niklas Vogel
for discovering and reporting these issues.

Changelog: https://nlnetlabs.nl/news/2023/Sep/13/routinator-0.12.2-released/

PR:		273826
MFH:		2023Q3

    9e3ed40

17:16 Fernando Apesteguía (fernape)  Author: Jaap Akkerhuis

net/routinator: Update to 0.12.1

ChangeLog: https://www.nlnetlabs.nl/news/2023/Jan/04/routinator-0.12.1-released/

Minor bugfixes.

 * Actually use the extra-tals-dir config file option.

 * Allow private keys prefixed both with BEGIN PRIVATE KEY and BEGIN RSA
 PRIVATE KEY in the files referred to by http-tls-key and rtr-tls-key
 configuration options.

 * On Unix, if chroot is requested but no working directory is explicitly
 provided, set the working directory to the chroot directory.

 * Fixed the error messages printed when the http-tls-key or http-tls-cert
 options are required but missing. They now refer to HTTP and not, as
 previously, to RTR.

PR:		268906
Reported by:	jaap@NLnetLabs.nl (maintainer)

    6199ca0

23:38 Guangyuan Yang (ygy)  Author: Jaap Akkerhuis

net/routinator: Update to 0.12.0

Changelog:	https://www.nlnetlabs.nl/news/2022/Nov/10/routinator-0.12.0-released/

PR:		267891

    b37598f