Skip to content

Commit

Permalink
Release 0.12.2 ‘Brutti, sporchi e cattivi.’ (#893)
Browse files Browse the repository at this point in the history
Bug Fixes

* Fixed various decoding issues that could lead to a panic when processing
  invalid RPKI objects. ([#891], via bcder release 0.7.3. Found by
  Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915)
* Check the request URI when generating a path for storing a copy of a RRDP
  response with the `rrdp-keep-responses` option to avoid path traversal.
  ([#892]. Found by Haya Shulman, Donika Mirdita and Niklas Vogel.
  Assigned CVE-2023-39916.)
  • Loading branch information
partim authored Sep 13, 2023
1 parent 0ff795d commit 4b41c41
Show file tree
Hide file tree
Showing 7 changed files with 64 additions and 10 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/pkg.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ on:

jobs:
package:
uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v5
uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v7
secrets:
DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }}
DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
Expand Down
2 changes: 1 addition & 1 deletion Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
[package]
# Note: some of these values are also used when building Debian packages below.
name = "routinator"
version = "0.12.1"
version = "0.12.2"
edition = "2021"
rust-version = "1.62"
authors = ["The NLnet Labs RPKI Team <[email protected]>"]
Expand Down
18 changes: 18 additions & 0 deletions Changelog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,23 @@
# Change Log

## 0.12.2 ‘Brutti, sporchi e cattivi’

Release 2023-09-13.

Bug Fixes

* Fixed various decoding issues that could lead to a panic when processing
invalid RPKI objects. ([#891], via bcder release 0.7.3. Found by
Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915)
* Check the request URI when generating a path for storing a copy of a RRDP
response with the `rrdp-keep-responses` option to avoid path traversal.
([#892]. Found by Haya Shulman, Donika Mirdita and Niklas Vogel.
Assigned CVE-2023-39916.)

[#891]: https://github.com/NLnetLabs/routinator/pull/891
[#892]: https://github.com/NLnetLabs/routinator/pull/892


## 0.12.1 ‘Plan uw reis in de app’

Released 2023-01-04.
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ ARG MODE=build
# ========
#
# Only used when MODE=build.
ARG BASE_IMG=alpine:3.16
ARG BASE_IMG=alpine:3.18


# CARGO_ARGS
Expand Down
8 changes: 4 additions & 4 deletions doc/routinator.1
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "ROUTINATOR" "1" "Jan 04, 2023" "0.12.1" "Routinator"
.TH "ROUTINATOR" "1" "Sep 13, 2023" "0.12.2" "Routinator"
.SH NAME
routinator \- RPKI relying party software
.SH SYNOPSIS
Expand Down Expand Up @@ -171,7 +171,7 @@ was \fIwarn\fP\&. In all previous versions \fIwarn\fP was hard\-wired.
.INDENT 0.0
.TP
.B \-\-unsafe\-vrps=policy
This option defines how to deal with "unsafe VRPs." If the address
This option defines how to deal with \(dqunsafe VRPs.\(dq If the address
prefix of a VRP overlaps with any resources assigned to a CA that has
been rejected because if failed to validate completely, the VRP is said
to be unsafe since using it may lead to legitimate routes being flagged
Expand Down Expand Up @@ -505,7 +505,7 @@ identical to the CSV produced by the RIPE NCC Validator.
.B csvext
An extended version of csv each line contains these
comma\-separated values: the rsync URI of the ROA the line
is taken from (or "N/A" if it isn\(aqt from a ROA), the
is taken from (or \(dqN/A\(dq if it isn\(aqt from a ROA), the
autonomous system number, the prefix in slash notation, the
maximum prefix length, the not\-before date and not\-after
date of the validity of the ROA.
Expand Down Expand Up @@ -663,7 +663,7 @@ the prefix is RPKI valid or invalid.
The option can be given multiple times, in which case VRPs for all
prefixes are provided. It can also be combined with one or more
ASN selections. Then all matching VRPs are included. That is,
selectors combine as "or" not "and".
selectors combine as \(dqor\(dq not \(dqand\(dq.
.UNINDENT
.INDENT 7.0
.TP
Expand Down
40 changes: 38 additions & 2 deletions pkg/rules/packages-to-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,20 @@ image:
- "debian:stretch" # debian/9
- "debian:buster" # debian/10
- "debian:bullseye" # debian/11
- "debian:bookworm" # debian/12
- 'centos:7'
- 'rockylinux:8' # compatible with EOL centos:8
- 'rockylinux:9'
target:
- 'x86_64'
test-image:
# Set 'test-image' to the empty string for all matrix permutations so that the default ('image') will be used
# to launch an LXC container to test the created packages in. Why explicitly set what is already the default?
# If this isn't present, later entries in the include set below will overwrite earlier entries that differ
# only by their 'test-image' value. If however 'test-image' is present in the original matrix by defining it
# here, then 'included' entries will no longer overwrite each other because they alter a key that is present
# in the original matrix. This is just how GitHub Actions matrix include rules work.
- ""
include:
- image: "centos:7"
systemd_service_unit_file: pkg/common/routinator-minimal.routinator.service
Expand All @@ -30,7 +40,9 @@ include:
# image we are building it in.
- image: 'rockylinux:8'
systemd_service_unit_file: pkg/common/routinator.routinator.service
os: 'centos:8'

- image: 'rockylinux:9'
systemd_service_unit_file: pkg/common/routinator.routinator.service

# package for the Raspberry Pi 4b as an ARMv7 cross compiled variant of the Debian Bullseye upon which
# Raspbian 11 is based.
Expand All @@ -49,9 +61,33 @@ include:
image: 'debian:buster'
target: 'aarch64-unknown-linux-musl'

# the include entries below will not cause additional packages to be built because they specify combinations
# of matrix keys and values as already exist elsewhere in the matrix, but they will cause an additional tests
# to be run in the package testing phase, which will install the package in an LXC container running the
# specified 'test-image' instead of the 'image' it was built in.
- pkg: 'routinator'
image: 'rockylinux:9'
target: 'x86_64'
test-image: 'almalinux:9'

- pkg: 'routinator'
image: 'rockylinux:9'
target: 'x86_64'
test-image: 'centos:9-Stream'

# 'mode' is not used by the package building workflow job, but is used by the package testing workflow job.
# Ploutos will not include this key when using this matrix definition to generate package building matrix
# permutations but will use it when generating package testing permutations.
mode:
test-mode:
- 'fresh-install'
- 'upgrade-from-published'

# Disable upgrade testing on Rocky Linux 9 and Debian Bookworm as we haven't published any packages for
# those O/S versions yet.
test-exclude:
- pkg: 'routinator'
image: 'rockylinux:9'
mode: 'upgrade-from-published'
- pkg: 'routinator'
image: 'debian:bookworm'
mode: 'upgrade-from-published'

0 comments on commit 4b41c41

Please sign in to comment.