Source: fort-validator
Version: 1.6.4+20240930-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/NICMx/FORT-validator/issues/82
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for fort-validator.

CVE-2024-56169[0]:
| A validation integrity issue was discovered in Fort through 1.6.4
| before 2.0.0. RPKI Relying Parties (such as Fort) are supposed to
| maintain a backup cache of the remote RPKI data. This can be
| employed as a fallback in case a new fetch fails or yields incorrect
| files. However, the product currently uses its cache merely as a
| bandwidth saving tool (because fetching is performed through
| deltas). If a fetch fails midway or yields incorrect files, there is
| no viable fallback. This leads to incomplete route origin validation
| data.

CVE-2024-56170[1]:
| A validation integrity issue was discovered in Fort through 1.6.4
| before 2.0.0. RPKI manifests are listings of relevant files that
| clients are supposed to verify. Assuming everything else is correct,
| the most recent version of a manifest should be prioritized over
| other versions, to prevent replays, accidental or otherwise.
| Manifests contain the manifestNumber and thisUpdate fields, which
| can be used to gauge the relevance of a given manifest, when
| compared to other manifests. The former is a serial-like sequential
| number, and the latter is the date on which the manifest was
| created. However, the product does not compare the up-to-dateness of
| the most recently fetched manifest against the cached manifest. As
| such, it's prone to a rollback to a previous version if it's served
| a valid outdated manifest. This leads to outdated route origin
| validation.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-56169
    https://www.cve.org/CVERecord?id=CVE-2024-56169
[1] https://security-tracker.debian.org/tracker/CVE-2024-56170
    https://www.cve.org/CVERecord?id=CVE-2024-56170
[2] https://github.com/NICMx/FORT-validator/issues/82

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
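The two CVE descriptions above both come down to one decision a relying party has to make after every fetch: keep relying on the cached manifest, or replace it with the one just fetched. The following Python sketch is an added illustration of that decision, not code from Fort or from the bug report. It models a manifest by only the two fields the advisories name (manifestNumber and thisUpdate) plus its file listing; the `Manifest`, `Decision` and `choose_manifest` names, the sample manifests, and the rule that a repeated manifestNumber with different content is treated as suspicious are all assumptions of this example, not behaviour documented for Fort.

```python
"""Manifest freshness and cache-fallback check (constructed example).

Models the relying-party decision described in CVE-2024-56169 (fall back
to the cache when a fetch fails or validates incorrectly) and
CVE-2024-56170 (refuse a fetched manifest that is not newer than the
cached one). Not Fort's code; names and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Manifest:
    manifest_number: int            # manifestNumber: serial-like, increases per issuer
    this_update: datetime           # thisUpdate: when the manifest was created (UTC)
    files: Dict[str, str] = field(default_factory=dict)  # fileName -> hash (constructed)


@dataclass(frozen=True)
class Decision:
    use: Manifest                   # manifest the relying party should rely on
    accepted_fetch: bool            # True if the fetched manifest replaced the cache
    reason: str


def choose_manifest(cached: Optional[Manifest], fetched: Optional[Manifest]) -> Decision:
    """Decide whether the fetched manifest may replace the cached one.

    fetched is None when the fetch failed midway or its files did not
    validate; in that case the cache is the fallback (CVE-2024-56169).
    A fetched manifest whose manifestNumber or thisUpdate is behind the
    cached one is a rollback and is refused (CVE-2024-56170).
    """
    if fetched is None:
        if cached is None:
            raise RuntimeError("fetch failed and there is no cached manifest to fall back to")
        return Decision(cached, False, "fetch failed or invalid; falling back to cached manifest")
    if cached is None:
        return Decision(fetched, True, "no cached manifest; accepting fetched manifest")
    if fetched.manifest_number < cached.manifest_number:
        return Decision(cached, False, "rollback: fetched manifestNumber is lower than cached")
    if fetched.manifest_number == cached.manifest_number:
        if fetched.this_update == cached.this_update and fetched.files == cached.files:
            return Decision(cached, False, "unchanged: same manifestNumber and content")
        # Assumption of this example: a reused manifestNumber with different
        # content is treated as suspicious and the cached copy is kept.
        return Decision(cached, False, "same manifestNumber but different content; keeping cached")
    if fetched.this_update < cached.this_update:
        return Decision(cached, False, "rollback: higher manifestNumber but older thisUpdate; keeping cached")
    return Decision(fetched, True, "accepting newer manifest")


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample manifests (not real RPKI data).
CACHED = Manifest(10, _utc(2024, 9, 1), {"a.roa": "h1", "b.roa": "h2"})
FETCHED_NEWER = Manifest(11, _utc(2024, 9, 2), {"a.roa": "h1", "b.roa": "h3"})
FETCHED_OLD_SERIAL = Manifest(9, _utc(2024, 8, 30), {"a.roa": "h0"})
FETCHED_OLD_DATE = Manifest(12, _utc(2024, 8, 1), {"a.roa": "h1"})


def run_demo() -> Dict[str, Decision]:
    """Exercise the four situations the advisories describe."""
    return {
        "newer": choose_manifest(CACHED, FETCHED_NEWER),
        "rollback_serial": choose_manifest(CACHED, FETCHED_OLD_SERIAL),
        "rollback_date": choose_manifest(CACHED, FETCHED_OLD_DATE),
        "fetch_failed": choose_manifest(CACHED, None),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:16} -> manifestNumber {decision.use.manifest_number}: {decision.reason}")
```

The point of keeping the decision in one function is that both failure modes are caught at the same place: a fetch that never completes is just a fetched value of None, and a fetch that completes but serves an older manifest is refused before it can overwrite the cache, so route origin validation continues from the last known-good data in either case.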