github NLnetLabs/routinator v0.10.2
0.10.2 ‘Skuffet, men ikke overrasket’


Bug Fixes

  • The rrdp-timeout configuration setting now correctly limits the maximum time an RRDP request can take. This prevents a possible issue where an RRDP repository maliciously or erroneously delays a request and, with it, a validation run. (#666, CVE-2021-43173)

New

  • The new configuration setting max-ca-depth limits the length of a chain of CAs from a trust anchor. By default it is set to 32. This fixes a possible vulnerability where a CA creates an infinite chain of CAs. (#665, CVE-2021-43172)
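
A depth bound on the CA walk, sketched in Rust as an added example (not Routinator's code): it shows why remembering already-seen CAs does not stop a CA that issues a fresh child on every visit, while a depth limit does. Ca, children_of and walk are hypothetical names, the tree is constructed, and counting the trust anchor as depth 0 is an assumption.

```rust
// Added illustration, not Routinator code. All names here are hypothetical;
// the depth rule (trust anchor = depth 0) is an assumption.

/// A CA certificate reduced to what the walk needs.
#[derive(Clone, Debug)]
struct Ca {
    name: String,
    /// Constructed flag: this CA publishes a fresh child CA whenever it is visited.
    endless: bool,
}

/// Stand-in for fetching and validating the child CA certificates a CA publishes.
fn children_of(ca: &Ca) -> Vec<Ca> {
    if ca.endless {
        // Every child has a new name (think: new key), so a "seen" set never matches.
        vec![Ca { name: format!("{}/x", ca.name), endless: true }]
    } else if ca.name == "ta" {
        vec![
            Ca { name: "ta/honest".into(), endless: false },
            Ca { name: "ta/evil".into(), endless: true },
        ]
    } else {
        Vec::new()
    }
}

/// Outcome of one validation run.
#[derive(Debug, PartialEq)]
struct Report { accepted: usize, rejected_too_deep: usize }

/// Walk the CA tree from the trust anchor, refusing any CA deeper than `max_ca_depth`.
fn walk(ta: Ca, max_ca_depth: usize) -> Report {
    let mut report = Report { accepted: 0, rejected_too_deep: 0 };
    let mut todo = vec![(ta, 0usize)]; // explicit stack, so no recursion to overflow
    while let Some((ca, depth)) = todo.pop() {
        report.accepted += 1;
        for child in children_of(&ca) {
            if depth + 1 > max_ca_depth {
                report.rejected_too_deep += 1; // skip the subtree instead of descending
            } else {
                todo.push((child, depth + 1));
            }
        }
    }
    report
}

fn main() {
    println!("{:?}", walk(Ca { name: "ta".into(), endless: false }, 32));
}
```

Without the depth check the loop never ends; with it, the honest branch is unaffected and only the subtree below the limit is dropped.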

Other Changes

  • Support for the gzip transfer encoding for RRDP has been removed because gzip in combination with XML provides multiple ways to delay validation. The configuration setting rrdp-disable-gzip is now deprecated and will be removed in the next breaking release. (#667, CVE-2021-43174)
