Bug Fixes
- The `rrdp-timeout` configuration setting now correctly limits the maximum time an RRDP request may take. This prevents a possible issue where an RRDP repository, maliciously or erroneously, stalls a request and with it the whole validation run. (#666, CVE-2021-43173)
New
- The new configuration setting `max-ca-depth` limits the length of a chain of CAs below a trust anchor. By default it is set to 32. This fixes a possible vulnerability in which a CA publishes an endless chain of child CAs, so that a validation run never completes. (#665, CVE-2021-43172)
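The depth bound in action, as an added illustration rather than Routinator's own code: a toy CA tree walk in Rust over a constructed repository in which one branch certifies an endless chain of fresh child CAs. The `CaRepository` trait, the `validate` function and the names `ta`, `rir`, `member` and `evil` are invented for this example; the only thing it shares with the setting above is the default bound of 32. Without the `max_depth` check the walk would recurse until the stack overflowed; with it, the honest branch is fully processed and the endless one is cut off after 32 CAs.

```rust
use std::collections::HashMap;

/// Default bound on the CA chain length below a trust anchor, mirroring the
/// default of the `max-ca-depth` setting. (Example code, not Routinator's.)
pub const DEFAULT_MAX_CA_DEPTH: usize = 32;

/// Minimal view of a publication point: the child CAs a CA certifies and the
/// number of ROAs it publishes. Everything here is constructed for the example.
pub trait CaRepository {
    fn lookup(&self, ca: &str) -> Option<(Vec<String>, usize)>;
}

/// An honest repository with a fixed, finite CA tree.
pub struct StaticRepo(pub HashMap<String, (Vec<String>, usize)>);

impl CaRepository for StaticRepo {
    fn lookup(&self, ca: &str) -> Option<(Vec<String>, usize)> {
        self.0.get(ca).cloned()
    }
}

/// A repository in which every CA named under `evil_prefix` certifies exactly
/// one fresh child CA, so the chain below it never ends. This stands in for a
/// CA that mints a new child certificate every time it is fetched.
pub struct EndlessRepo {
    pub honest: StaticRepo,
    pub evil_prefix: String,
}

impl CaRepository for EndlessRepo {
    fn lookup(&self, ca: &str) -> Option<(Vec<String>, usize)> {
        if ca.starts_with(&self.evil_prefix) {
            Some((vec![format!("{}/sub", ca)], 0))
        } else {
            self.honest.lookup(ca)
        }
    }
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct Report {
    pub cas_processed: usize,
    pub roas: usize,
    pub depth_rejected: usize,
}

/// Depth-first walk of the CA tree. `depth` is the number of CAs between `ca`
/// and the trust anchor; a CA deeper than `max_depth` is rejected instead of
/// fetched, which is what turns an endless chain into a finite run.
fn process_ca<R: CaRepository>(repo: &R, ca: &str, depth: usize, max_depth: usize, report: &mut Report) {
    if depth > max_depth {
        report.depth_rejected += 1;
        return;
    }
    let (children, roas) = match repo.lookup(ca) {
        Some(entry) => entry,
        None => return, // publication point missing: skip it, as a validator would
    };
    report.cas_processed += 1;
    report.roas += roas;
    for child in &children {
        process_ca(repo, child, depth + 1, max_depth, report);
    }
}

/// Run one validation from `trust_anchor` with the given depth bound.
pub fn validate<R: CaRepository>(repo: &R, trust_anchor: &str, max_depth: usize) -> Report {
    let mut report = Report::default();
    process_ca(repo, trust_anchor, 0, max_depth, &mut report);
    report
}

/// Constructed sample: a trust anchor with one honest branch (three CAs, five
/// ROAs in total) and one branch that descends into an endless chain.
pub fn sample_repo() -> EndlessRepo {
    let mut honest = HashMap::new();
    honest.insert("ta".to_string(), (vec!["rir".to_string(), "evil".to_string()], 0));
    honest.insert("rir".to_string(), (vec!["member".to_string()], 0));
    honest.insert("member".to_string(), (Vec::new(), 5));
    EndlessRepo { honest: StaticRepo(honest), evil_prefix: "evil".to_string() }
}

fn main() {
    // 35 CAs processed (3 honest + 32 from the endless branch), 5 ROAs,
    // and exactly one CA rejected for exceeding the bound.
    let report = validate(&sample_repo(), "ta", DEFAULT_MAX_CA_DEPTH);
    println!("{:?}", report);
}
```

The honest branch is counted in full regardless of the bound; only the endless branch is truncated, and the rejection is recorded rather than silently dropped so that an operator can see in the report that a repository hit the limit.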
Other Changes
- Support for the gzip transfer encoding for RRDP has been removed because gzip in combination with XML provides multiple ways to delay validation. The configuration setting `rrdp-disable-gzip` is now deprecated and will be removed in the next breaking release. (#667, CVE-2021-43174)