This release fixes a number of vulnerabilities and security issues identified by a security audit performed by X41 D-Sec and financed by Sovereign Tech Agency.
We advise all users to upgrade at their earliest convenience.
Security fixes

- Changed how transient errors when accepting incoming HTTP and RTR connections are handled: instead of terminating Routinator, a warning is printed and the error is ignored. ([#1099])
  This issue was assigned CVE-2026-49232.
- Extended the check for illegal path components in rsync URIs to also include the authority and module parts. (via rpki-rs#370)
  This fixes a path traversal vulnerability that has been assigned CVE-2026-49233.
- Fixed a panic when parsing certain AS numbers from strings. (via rpki-rs#373)
  This fixes a vulnerability that has been assigned CVE-2026-49234.
- Upgraded quick-xml to at least 0.39.4 to fix a regression in XML parsing that may lead to a panic on certain crafted XML files. (via rpki-rs#372)
  This fixes a vulnerability that has been assigned CVE-2026-49235.
Improvements
- Restricted trust anchor certificates downloaded via HTTP to the size given via the `max_object_size` config option. (#1090)
- The `-e` and `--rsh` options will now be rejected in the `rsync-args` config option, since both make rsync execute an arbitrary program as its remote shell. Similarly, Routinator will not start if the equivalent environment variable `RSYNC_RSH` is set. (#1091)
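What such a check has to catch is easy to underestimate, so here is an added example written for these notes rather than Routinator's own implementation. It rejects `-e`, `-e<cmd>`, `--rsh` and `--rsh=<cmd>`, and, as this example's own extension, also bundled short options such as `-avze`, because rsync's option parser reads the `e` inside a cluster as `-e`. The environment lookup is injected through a closure so the check can be exercised without modifying the real environment.

```rust
use std::env;

/// Why this example's check refuses to start rsync.
#[derive(Debug, PartialEq, Eq)]
pub enum RshError {
    /// The offending argument from `rsync-args`, as given.
    Argument(String),
    /// RSYNC_RSH is set in the environment.
    Environment,
}

/// Does a single rsync argument select a remote-shell command?
/// Matches `-e`, `-e<cmd>`, `--rsh`, `--rsh=<cmd>` and bundled short options
/// containing `e` (this example's extension; `-avze ssh` is equivalent to `-avz -e ssh`).
fn selects_rsh(arg: &str) -> bool {
    if let Some(long) = arg.strip_prefix("--") {
        long == "rsh" || long.starts_with("rsh=")
    } else if let Some(cluster) = arg.strip_prefix('-') {
        // A bare "-" is an operand (stdin), not an option cluster.
        !cluster.is_empty() && cluster.contains('e')
    } else {
        false
    }
}

/// Reject an `rsync-args` list that would hand rsync a remote-shell command.
/// Scanning stops at `--`: everything after it is an operand, not an option.
pub fn check_rsync_args(args: &[&str]) -> Result<(), RshError> {
    for arg in args {
        if *arg == "--" {
            break;
        }
        if selects_rsh(arg) {
            return Err(RshError::Argument((*arg).to_owned()));
        }
    }
    Ok(())
}

/// Refuse to start when RSYNC_RSH is set. `lookup` stands in for the
/// process environment so the check can be tested with arbitrary values.
pub fn check_rsync_env(lookup: impl Fn(&str) -> Option<String>) -> Result<(), RshError> {
    match lookup("RSYNC_RSH") {
        Some(_) => Err(RshError::Environment),
        None => Ok(()),
    }
}

fn main() {
    // Constructed argument lists; the middle two mirror the -e/--rsh case rejected above.
    let candidates: [&[&str]; 4] = [
        &["-rltz", "--delete", "--timeout=300"],
        &["-avze", "ssh"],
        &["--rsh=sh -c id"],
        &["--delete", "--", "-e"],
    ];
    for args in candidates {
        println!("{args:?}: {:?}", check_rsync_args(args));
    }
    println!("RSYNC_RSH: {:?}", check_rsync_env(|k| env::var(k).ok()));
}
```

A deny list like this is deliberately over-broad: any short cluster containing `e` is refused, including the rare case where `e` is really the value of a preceding option, because a false rejection of an unusual argument list is cheaper than letting a remote-shell command through.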
Bug fixes
- Set an RTR listener socket received from systemd (socket activation) to non-blocking mode. This fixes a panic in Tokio. (#1081 by @MaxHearnden)
- Fixed `--rrdp-tcp-keepalive` to be parsed as a command line option rather than a positional command line argument. ([1085])
Other changes
- Support for Ubuntu Resolute Raccoon (26.04). (#1095)