— Valentin Staubmann https://staubmann.eu +43 660 8707699
I prefer using signed emails. My public PGP key fingerprint is 430F 0145 F479 CB44 C3EC 55D5 4EBB FCCB 5305 D0B2

> On 24.02.2025 at 00:22, Daniel Leidert <dleid...@debian.org> wrote:
>
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-4066-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                       Daniel Leidert
> February 24, 2025                             https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package        : fort-validator
> Version        : 1.5.3-1~deb11u2
> CVE ID         : CVE-2024-45234 CVE-2024-45235 CVE-2024-45236 CVE-2024-45237
>                  CVE-2024-45238 CVE-2024-45239 CVE-2024-48943
>
> Multiple vulnerabilities have been discovered in fort-validator, an RPKI
> validator and RTR server.
>
> CVE-2024-45234
>
>     A malicious RPKI repository that descends from a (trusted) Trust
>     Anchor can serve (via rsync or RRDP) an ROA or a Manifest containing
>     a signedAttrs encoded in non-canonical form. This bypasses Fort's
>     BER decoder, reaching a point in the code that panics when faced
>     with data not encoded in DER. Because Fort is an RPKI Relying Party,
>     a panic can lead to Route Origin Validation unavailability, which
>     can lead to compromised routing.
>
> CVE-2024-45235
>
>     A malicious RPKI repository that descends from a (trusted) Trust
>     Anchor can serve (via rsync or RRDP) a resource certificate
>     containing an Authority Key Identifier extension that lacks the
>     keyIdentifier field. Fort references this pointer without sanitizing
>     it first. Because Fort is an RPKI Relying Party, a crash can lead to
>     Route Origin Validation unavailability, which can lead to
>     compromised routing.
>
> CVE-2024-45236
>
>     A malicious RPKI repository that descends from a (trusted) Trust
>     Anchor can serve (via rsync or RRDP) a signed object containing an
>     empty signedAttributes field. Fort accesses the set's elements
>     without sanitizing it first.
>     Because Fort is an RPKI Relying Party,
>     a crash can lead to Route Origin Validation unavailability, which
>     can lead to compromised routing.
>
> CVE-2024-45237
>
>     A malicious RPKI repository that descends from a (trusted) Trust
>     Anchor can serve (via rsync or RRDP) a resource certificate
>     containing a Key Usage extension composed of more than two bytes of
>     data. Fort writes this string into a 2-byte buffer without properly
>     sanitizing its length, leading to a buffer overflow.
>
> CVE-2024-45238
>
>     A malicious RPKI repository that descends from a (trusted) Trust
>     Anchor can serve (via rsync or RRDP) a resource certificate
>     containing a bit string that doesn't properly decode into a Subject
>     Public Key. OpenSSL does not report this problem during parsing, and
>     when compiled with OpenSSL libcrypto versions below 3, Fort
>     recklessly dereferences the pointer. Because Fort is an RPKI Relying
>     Party, a crash can lead to Route Origin Validation unavailability,
>     which can lead to compromised routing.
>
> CVE-2024-45239
>
>     A malicious RPKI repository that descends from a (trusted) Trust
>     Anchor can serve (via rsync or RRDP) an ROA or a Manifest containing
>     a null eContent field. Fort dereferences the pointer without
>     sanitizing it first. Because Fort is an RPKI Relying Party, a crash
>     can lead to Route Origin Validation unavailability, which can lead
>     to compromised routing.
>
> CVE-2024-48943
>
>     A malicious RPKI rsync repository can prevent Fort from finishing
>     its validation run by drip-feeding its content. The delayed
>     validation can lead to stale or unavailable Route Origin Validation.
>
> For Debian 11 bullseye, these problems have been fixed in version
> 1.5.3-1~deb11u2.
>
> We recommend that you upgrade your fort-validator packages.
>
> For the detailed security status of fort-validator please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/fort-validator
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
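Three of the issues in the quoted advisory share one root cause: repository-supplied ASN.1 that is accepted as DER without being checked for DER's constraints (canonical SET OF ordering for signedAttrs in CVE-2024-45234, a non-empty signedAttributes set in CVE-2024-45236, and a Key Usage BIT STRING that fits the 9 defined bits in CVE-2024-45237). The block below is an added example written for this page in C, the language Fort itself is written in; it is not Fort's code or the fix that shipped in 1.5.3-1~deb11u2. It assumes only the encoding rules of X.690, RFC 5280 and RFC 5652; the function names (der_header, der_le, signed_attrs_is_der, key_usage_bits) and all sample encodings are constructed for the illustration, and the TLV reader handles single-octet tags only.

```c
/* Added illustration, not Fort's code: DER sanity checks an RPKI relying party
 * must apply to repository-supplied objects. All samples are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Tag + length octets of one TLV in p[0..n): stores the content length in *len
 * and returns the header size, or 0 unless the length is definite, minimal
 * (X.690 10.1) and in bounds. Single-octet tags only. */
static size_t der_header(const uint8_t *p, size_t n, size_t *len)
{
    if (n < 2 || (p[0] & 0x1f) == 0x1f)
        return 0;
    size_t hdr = 2, l = p[1];
    if (l >= 0x80) {                                /* long form: 0x80 | octet count */
        size_t nb = l & 0x7f;
        if (nb == 0 || nb > sizeof(size_t) || n < 2 + nb || p[2] == 0 ||
            (nb == 1 && p[2] < 0x80))
            return 0;                               /* indefinite, truncated, or not minimal */
        for (l = 0; nb > 0; nb--, hdr++)
            l = (l << 8) | p[hdr];
    }
    if (l > n - hdr)
        return 0;                                   /* content runs past the buffer */
    *len = l;
    return hdr;
}

/* X.690 11.6 SET OF order: encodings compared as octet strings, the shorter padded with 0x00. 1 if a <= b. */
static int der_le(const uint8_t *a, size_t na, const uint8_t *b, size_t nb)
{
    size_t m = na < nb ? na : nb;
    int c = memcmp(a, b, m);
    if (c != 0)
        return c < 0;
    while (m < na)                                  /* a longer: its tail must be all zero */
        if (a[m++] != 0)
            return 0;
    return 1;
}

/* CMS signedAttrs is [0] IMPLICIT SET SIZE (1..MAX) OF Attribute and must be
 * DER in RPKI objects. Returns 1 only for a non-empty set in canonical order;
 * an empty set (CVE-2024-45236) or an out-of-order one (CVE-2024-45234) is
 * rejected here instead of reaching code that assumes DER. */
static int signed_attrs_is_der(const uint8_t *tlv, size_t n)
{
    size_t len, hdr = der_header(tlv, n, &len);
    if (hdr == 0 || tlv[0] != 0xa0 || len == 0)
        return 0;
    const uint8_t *p = tlv + hdr, *end = p + len, *prev = NULL;
    size_t prev_len = 0;
    while (p < end) {
        size_t elen, ehdr = der_header(p, (size_t)(end - p), &elen);
        if (ehdr == 0 || (prev && !der_le(prev, prev_len, p, ehdr + elen)))
            return 0;
        prev = p;
        prev_len = ehdr + elen;
        p += prev_len;
    }
    return 1;
}

/* RFC 5280 KeyUsage is a BIT STRING of at most nine named bits: one unused-bits
 * octet plus at most two data octets. Returns a mask (bit 0 = digitalSignature
 * ... bit 8 = decipherOnly) or -1. Copying 'len' octets into a 2-byte buffer
 * without the length bound below is the CVE-2024-45237 pattern. */
static int key_usage_bits(const uint8_t *tlv, size_t n)
{
    size_t len, hdr = der_header(tlv, n, &len);
    if (hdr == 0 || tlv[0] != 0x03 || len < 1 || len > 3)
        return -1;
    unsigned unused = tlv[hdr];
    if (unused > 7 || (len == 1 && unused != 0))
        return -1;
    uint8_t bits[2] = {0, 0};
    memcpy(bits, tlv + hdr + 1, len - 1);           /* len - 1 <= 2: cannot overflow */
    /* X.690 11.2.2: trailing zero bits are dropped and unused bits are zero */
    if (len > 1 && (bits[len - 2] == 0 || (bits[len - 2] & ((1u << unused) - 1))))
        return -1;
    int mask = 0;
    for (int i = 0; i < 9; i++)
        if (bits[i / 8] & (0x80 >> (i % 8)))
            mask |= 1 << i;
    return mask;
}

/* Constructed samples; toy INTEGERs stand in for Attribute SEQUENCEs. */
static const uint8_t KU_CA[]         = {0x03, 0x02, 0x01, 0x86};             /* digitalSignature, keyCertSign, cRLSign */
static const uint8_t KU_OVERLONG[]   = {0x03, 0x04, 0x00, 0x86, 0x00, 0x00}; /* three data octets */
static const uint8_t ATTRS_OK[]      = {0xa0, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x0a};
static const uint8_t ATTRS_SWAPPED[] = {0xa0, 0x06, 0x02, 0x01, 0x0a, 0x02, 0x01, 0x05};

int main(void)
{
    printf("KeyUsage mask %d, overlong %d, signedAttrs ok %d, swapped %d\n",
           key_usage_bits(KU_CA, sizeof KU_CA), key_usage_bits(KU_OVERLONG, sizeof KU_OVERLONG),
           signed_attrs_is_der(ATTRS_OK, sizeof ATTRS_OK), signed_attrs_is_der(ATTRS_SWAPPED, sizeof ATTRS_SWAPPED));
    return 0;
}
```

The point of the example is where the checks sit: every length is validated against the enclosing buffer before it is used, the SET OF ordering is compared on the full encoded octets of each element (which is what DER prescribes, so no semantic decoding of the Attribute is needed), and the Key Usage bound follows from the type's definition rather than from whatever length the certificate claims. In a real relying party these checks belong in front of, not behind, the CMS and X.509 decoding path, so that a non-DER object is rejected as invalid rather than crashing the validator and taking Route Origin Validation with it.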