-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2023-9c7d495a72 2023-03-28 00:15:38.158876 -------------------------------------------------------------------------------- Name : rpki-client Product : Fedora 38 Version : 8.3 Release : 1.fc38 URL : https://www.rpki-client.org/ Summary : OpenBSD RPKI validator to support BGP Origin Validation Description : The OpenBSD rpki-client is a free, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of the Route Origin of a BGP announcement. The program queries the RPKI repository system, downloads and validates Route Origin Authorisations (ROAs) and finally outputs Validated ROA Payloads (VRPs) in the configuration format of OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by other routing stacks. -------------------------------------------------------------------------------- Update Information: # rpki-client 8.3 - The `expires` key in the JSON/CSV/OpenBGPD output formats is now calculated with more accuracy. The calculation takes into account the nextUpdate value of all intermediate CRLs in the signature path towards the trust anchor, in addition to the expiry moment of the leaf-CRL and CAs. - Handling of CRLs and Manifests in the face of inconsistent RRDP delta publications has been improved. A copy of an alternative version of the applicable CRL is kept in the staging area of the cache directory, in order to increase the potential for establishing a complete publication point, in cases where a single publication point update was smeared across multiple RRDP delta files. - The OpenBGPD configuration output now includes validated Autonomous System Provider Authorization (ASPA) payloads as an `aspa-set {}` configuration block. - When rpki-client is invoked with increased verbosity (`-v`), the current RRDP Serial & Session ID are shown to aid debugging. - Self-signed X.509 certificates (such as Trust Anchor certificates) now are considered invalid if they contain an X.509 `AuthorityInfoAccess` extension. - Signed Objects where the CMS signing-time attribute contains a timestamp later then the X.509 certificate's `notAfter` timestamp are considered invalid. - Manifests where the CMS signing-time attribute contains a timestamp later then the Manifest eContent `nextUpdate` timestamp are considered invalid. - Any objects whose CRL Distribution Points extension contains a CRLIssuer, CRL Reasons, or `nameRelativeToCRLIssuer` field are considered invalid in accordance with RFC 6487 section 4.8.6. - For every X.509 certificate the SHA-1 of the Subject Public Key is calculated and compared to the Subject Key Identifier (SKI), if a mismatch is found the certificate is not trusted. - Require the outside-TBS signature OID for every X.509 intermediate CA certificate and CRL to be `sha256WithRSAEncryption`. - Require the RSA key pair modulus and public exponent parameters to strictly conform to the RFC 7935 profile. - Ensure there is no trailing garbage present in Signed Objects beyond the self-embedded length field. - Require RRDP Session IDs to strictly be version 4 UUIDs. - When decoding and validating an individual RPKI file using filemode (`rpki- client -f file`), display the signature path towards the trust anchor, and the timestamp when the signature path will expire. - When decoding and validating an individual RPKI file using filemode (`rpki-client -f file`), display the optional CMS signing-time, and non-optional X.509 notBefore, and X.509 notAfter timestamps. -------------------------------------------------------------------------------- ChangeLog: * Sun Mar 19 2023 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 8.3-1 - Upgrade to 8.3 (#2179641) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2179641 - rpki-client-8.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=2179641 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-9c7d495a72' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- package-announce@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue