Fedora 41 Update: rpki-client-9.4-1.fc41

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-251404df6c
2025-01-22 02:22:25.687972+00:00
--------------------------------------------------------------------------------

Name        : rpki-client
Product     : Fedora 41
Version     : 9.4
Release     : 1.fc41
URL         : https://www.rpki-client.org/
Summary     : OpenBSD RPKI validator to support BGP Origin Validation
Description :
The OpenBSD rpki-client is a free, easy-to-use implementation of the
Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of the Route Origin of a BGP announcement. The
program queries the RPKI repository system, downloads and validates
Route Origin Authorisations (ROAs) and finally outputs Validated ROA
Payloads (VRPs) in the configuration format of OpenBGPD, BIRD, and
also as CSV or JSON objects for consumption by other routing stacks.

--------------------------------------------------------------------------------
Update Information:

rpki-client 9.4

- rpki-client 9.4 will gradually stop accepting ultra long-lived TA
  certificates. The utility now warns about TA certificates with an expiry
  date more than 15 years into the future. After February 2nd, 2026, such
  certificates will be rejected, and from March 3rd, 2027 onwards, TA
  certificates with a validity period exceeding 3 years will be rejected.
  This is done to encourage reasonably frequent reissuance of TA certificates
  and to ensure that changes in the SubjectInfoAccess and Internet Number
  Resources are propagated to the entire ecosystem. It also strengthens the
  mitigations for TA replay attacks introduced via the TA tie breaking
  mechanism. For further background see:
  https://mailarchive.ietf.org/arch/msg/sidrops/-Y5NfXnGfDbeGOCAFj5xHgU90Zo/
  https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ta-tiebreaker/
- The generated BIRD config file was reworked. BIRD versions 1.x are no longer
  supported and the -T option to customize the ROA table name was removed.
  The config file now includes the ASPA-set by default and is therefore only
  compatible with BIRD 2.16 and later. If compatibility with older BIRD
  versions is required, the ASPA-set can be excluded with the -A flag.
  Operators should delete any remaining bird1v4 and bird1v6 output files.
- Validated ROA payloads from AS0 TALs are by default excluded from the output
  files as they are not recommended for automatic filtering of BGP routes.
  This precaution can be overridden with the new -0 flag.
- Various improvements to the ibuf API, including a new reader API which is
  used to make all message parsing in rpki-client memory safe.
- Warn about gaps in manifest issuance. Such gaps can appear for example if
  rpki-client isn't run frequently enough, if there are issues with an
  RFC 8181 publication server or if there is an operational error on the side
  of the CA.
- Work around a backward compatibility break accidentally introduced in
  OpenSSL 3.4.0, which resulted in all RPKI signed objects being rejected.
  Earlier and later versions of OpenSSL are not affected.
- Improved validity period checking in file mode. The product's lifetime and
  the expiration time of the signature path are now taken into account.
- Better cleanup in case of a fallback from RRDP to RSYNC. In rare
  circumstances, files were moved to the wrong place in the cache.
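
The TA certificate validity schedule described above, as an added example (not part of the Fedora notice and not rpki-client's own code): it classifies a TA certificate from the text printed by `openssl x509 -noout -dates` at a chosen evaluation date. Assumptions: the function names are hypothetical, years are counted as calendar years, each cutoff is taken at 00:00 UTC on the stated date, and the sample date strings are constructed.

```python
from datetime import datetime, timezone

# Cutoff dates as stated in the rpki-client 9.4 notes (00:00 UTC is an assumption).
REJECT_15Y_AFTER = datetime(2026, 2, 2, tzinfo=timezone.utc)
REJECT_3Y_FROM = datetime(2027, 3, 3, tzinfo=timezone.utc)
FMT = "%b %d %H:%M:%S %Y GMT"  # layout printed by `openssl x509 -noout -dates`

# Constructed sample outputs: a 100-year, a 10-year and an under-3-year certificate.
SAMPLE_LONG = "notBefore=Jan  1 00:00:00 2020 GMT\nnotAfter=Jan  1 00:00:00 2120 GMT"
SAMPLE_MID = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Jan  1 00:00:00 2034 GMT"
SAMPLE_SHORT = "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Dec 31 00:00:00 2027 GMT"


def add_years(ts, years):
    """Shift by whole calendar years (assumption); Feb 29 maps to Feb 28."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:
        return ts.replace(year=ts.year + years, day=28)


def parse_dates(text):
    """Extract notBefore/notAfter from `openssl x509 -noout -dates` output."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())

    def to_dt(key):
        return datetime.strptime(fields[key].strip(), FMT).replace(tzinfo=timezone.utc)

    return to_dt("notBefore"), to_dt("notAfter")


def classify_ta(dates_text, now):
    """Return 'ok', 'warn' or 'reject' for the schedule; expiry itself is not checked."""
    not_before, not_after = parse_dates(dates_text)
    expires_far = not_after > add_years(now, 15)          # expiry > 15 years ahead
    long_lived = not_after > add_years(not_before, 3)     # validity period > 3 years
    if long_lived and now >= REJECT_3Y_FROM:
        return "reject"
    if expires_far:
        return "reject" if now > REJECT_15Y_AFTER else "warn"
    return "ok"


def timeline(dates_text, checkpoints):
    """Classify the same certificate at several evaluation dates."""
    return {when.date().isoformat(): classify_ta(dates_text, when) for when in checkpoints}
```

Running `timeline` with evaluation dates on either side of both cutoffs shows when a given TA certificate would move from accepted to rejected under this reading of the schedule.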
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 13 2025 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 9.4-1
- Upgrade to 9.4 (#2336356)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2336356 - rpki-client-9.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2336356
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-251404df6c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
