-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-f112c32404 2024-07-05 06:20:54.570794 -------------------------------------------------------------------------------- Name : rpki-client Product : Fedora 40 Version : 9.1 Release : 1.fc40 URL : https://www.rpki-client.org/ Summary : OpenBSD RPKI validator to support BGP Origin Validation Description : The OpenBSD rpki-client is a free, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of the Route Origin of a BGP announcement. The program queries the RPKI repository system, downloads and validates Route Origin Authorisations (ROAs) and finally outputs Validated ROA Payloads (VRPs) in the configuration format of OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by other routing stacks. -------------------------------------------------------------------------------- Update Information: rpki-client 9.1 Impose same-origin policy for RRDP This addresses an oversight in the original RRDP specification (RFC8182) which allowed any publication server to cause load on another server by tricking RPs into making cross-origin requests. Imposing a same-origin policy in RRDP client/server communication isolates resources such as Delta and Snapshot files from different Repository Servers, reducing possible attack vectors. https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rrdp-same-origin Introduce tiebreaking for trust anchors Instead of always using newly-retrieved trust anchors, compare a fetched TA with one stored in the cache. Later notBefore and earlier notAfter are used to identify a trust anchor certificate as newer. This prevents certain forms of replay attack. https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ta-tiebreaker Fix internal identification of CA resource certificates The rpki-client utility tracks CA certificates across privilege separation boundaries. The original design was to use the subject key identifier, which is problematic because the SKI is not guaranteed to be globally unique. On the one hand, operators could choose to reuse their keys for multiple CAs and on the other hand, publishing a CA cert in the RPKI requires no proof of possession: anyone can publish CA certificates with any public key they please. Verify self-signage for trust anchors In other PKIs, trust anchors come from a trusted source and contain little to no important information apart from the public key. Therefore, libcrypto's chain verifier does not check their signatures by default because this "doesn't add any security and just wastes time". None of this is true in the RPKI and therefore trust anchors need an extra verification step. Introduce a check for filenames as presented by publication points Filenames presented by publication points are unsigned data, they must match the location in the signed object's EE certificate SIA extension which is signed data. This prevents some forms of replay attack. https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers Improved compliance with RFCs 6487 and 8209 for certificates and CRLs The issuer field of certificates and CRLs is checked to comply with section 4.4 of RFC 6487. Various aspects of URIs provided in SIA, AIA and CRL distribution points were improved. Criticality of key usage is now enforced and the extension is inspected for all certificate types. Presence of CMS signing-time is now enforced and presence of CMS binary-signing- time is disallowed, per RFC 9589. https://www.rfc-editor.org/rfc/rfc9589.html Lowered the maximum acceptable manifest number to 2^159 - 1, per https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers Limit number of validated ASPAs per customer ASID, per https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile Ignore the CRL Number extension in CRLs, per https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-crl-numbers Various minor bug fixes and improvements in logging and error reporting -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 26 2024 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 9.1-1 - Upgrade to 9.1 (#2293864) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2293864 - rpki-client-9.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2293864 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-f112c32404' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- package-announce@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue