Your message dated Sat, 18 Sep 2021 22:33:25 +0000
with message-id <e1mrith-000fai...@fasolo.debian.org>
and subject line Bug#994572: fixed in cfrpki 1.3.0-1
has caused the Debian Bug report #994572,
regarding cfrpki: CVE-2021-3761
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
994572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994572
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cfrpki
Version: 1.2.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for cfrpki.

CVE-2021-3761[0]:
| Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into
| emitting an invalid VRP "MaxLength" value, causing RTR sessions to
| terminate. An attacker can use this to disable RPKI Origin Validation
| in a victim network (for example AS 13335 - Cloudflare) prior to
| launching a BGP hijack which during normal operations would be
| rejected as "RPKI invalid". Additionally, in certain deployments RTR
| session flapping in and of itself also could cause BGP routing churn,
| causing availability issues.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3761
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3761
[1] https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422
[2] https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9

Regards,
Salvatore

--- End Message ---
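The advisory quoted above describes a validator passing a ROA's maxLength through to its VRP output without checking it, so that a single CA issuer can make RTR clients drop the session. The check a validator needs is the RFC 6482 section 3.3 constraint: maxLength must be no shorter than the prefix length and no longer than the address family's bit length (32 for IPv4, 128 for IPv6). The Go program below is an added example written for this page, not cfrpki's own code or its upstream fix; the ROA/VRP types, the function names and the sample ROA entries are all constructed here for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// ROA is a minimal model of one prefix entry from a Route Origin
// Authorization (RFC 6482): origin ASN, prefix, and the optional maxLength.
// A nil MaxLength means "not present", which defaults to the prefix length.
// This type is constructed for the example, not taken from cfrpki.
type ROA struct {
	ASN       uint32
	Prefix    string
	MaxLength *int
}

// VRP is a Validated ROA Payload as it would be handed to an RTR server.
type VRP struct {
	ASN       uint32
	Prefix    string
	MaxLength int
}

// CheckMaxLength enforces RFC 6482 section 3.3:
//   prefixLen <= maxLength <= bits-in-address-family (32 or 128).
// It returns the effective maxLength to emit, or an error if the entry
// must not be turned into a VRP.
func CheckMaxLength(prefix string, maxLen *int) (int, error) {
	_, ipnet, err := net.ParseCIDR(prefix)
	if err != nil {
		return 0, fmt.Errorf("unparseable prefix %q: %w", prefix, err)
	}
	prefixLen, bits := ipnet.Mask.Size()
	if maxLen == nil {
		// maxLength absent: only the exact prefix length is authorized.
		return prefixLen, nil
	}
	if *maxLen < prefixLen {
		return 0, fmt.Errorf("%s: maxLength %d is shorter than prefix length %d", prefix, *maxLen, prefixLen)
	}
	if *maxLen > bits {
		return 0, fmt.Errorf("%s: maxLength %d exceeds address family limit %d", prefix, *maxLen, bits)
	}
	return *maxLen, nil
}

// BuildVRPs converts ROA entries into VRPs. Entries with an out-of-range
// maxLength are dropped and reported instead of being emitted, so a
// malformed ROA cannot reach RTR clients.
func BuildVRPs(roas []ROA) ([]VRP, []error) {
	var out []VRP
	var rejected []error
	for _, r := range roas {
		ml, err := CheckMaxLength(r.Prefix, r.MaxLength)
		if err != nil {
			rejected = append(rejected, fmt.Errorf("AS%d: %w", r.ASN, err))
			continue
		}
		// Normalise to the network address ("10.0.0.1/8" -> "10.0.0.0/8").
		_, ipnet, _ := net.ParseCIDR(r.Prefix)
		out = append(out, VRP{ASN: r.ASN, Prefix: ipnet.String(), MaxLength: ml})
	}
	return out, rejected
}

func intPtr(i int) *int { return &i }

// SampleROAs is a constructed input set: three well-formed entries and
// three that violate the maxLength bounds (too short, >32, >128).
func SampleROAs() []ROA {
	return []ROA{
		{ASN: 64496, Prefix: "192.0.2.0/24", MaxLength: nil},
		{ASN: 64496, Prefix: "198.51.100.0/22", MaxLength: intPtr(24)},
		{ASN: 64497, Prefix: "2001:db8::/32", MaxLength: intPtr(48)},
		{ASN: 64498, Prefix: "203.0.113.0/24", MaxLength: intPtr(16)},  // shorter than /24
		{ASN: 64498, Prefix: "203.0.113.0/24", MaxLength: intPtr(40)},  // IPv4 limit is 32
		{ASN: 64499, Prefix: "2001:db8:1::/48", MaxLength: intPtr(129)}, // IPv6 limit is 128
	}
}

func main() {
	vrps, rejected := BuildVRPs(SampleROAs())
	for _, v := range vrps {
		fmt.Printf("VRP AS%d %s maxLength=%d\n", v.ASN, v.Prefix, v.MaxLength)
	}
	for _, e := range rejected {
		fmt.Println("rejected:", e)
	}
}
```

Run it with `go run` and the three malformed entries are reported and never reach the VRP list; the well-formed ones come out with their effective maxLength (24, 24, 48). Rejecting at the VRP-generation step, rather than trusting the signed ROA content, is what keeps one misbehaving CA from taking the RTR session down for every router that consumes the validator's output.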
--- Begin Message ---
Source: cfrpki
Source-Version: 1.3.0-1
Done: Marco d'Itri <m...@linux.it>

We believe that the bug you reported is fixed in the latest version of
cfrpki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 994...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marco d'Itri <m...@linux.it> (supplier of updated cfrpki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 18 Sep 2021 23:59:55 +0200
Source: cfrpki
Architecture: source
Version: 1.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Marco d'Itri <m...@linux.it>
Changed-By: Marco d'Itri <m...@linux.it>
Closes: 994572
Changes:
 cfrpki (1.3.0-1) unstable; urgency=medium
 .
   * New upstream release. Fixes:
     + Prevent ROA issuers from making cfrpki emit an invalid VRP
       "MaxLength" value, hence causing RTR sessions to terminate.
       (CVE-2021-3761, Closes: #994572)
Checksums-Sha1:
 5d19885ad085319cedb5a6c41bf433ba52479c07 1670 cfrpki_1.3.0-1.dsc
 d74acdd1857c41bcaf07284e05b345760b6ff932 2065076 cfrpki_1.3.0.orig.tar.xz
 1977f5cb1fba2e48fcc0ee614d955787e0a5e4f3 5192 cfrpki_1.3.0-1.debian.tar.xz
 cad6bb779f9ce453f22950d1ff75e46c6a996162 8852 cfrpki_1.3.0-1_amd64.buildinfo
Checksums-Sha256:
 9602ba1cce21afd6dd6d4679171689baf25f1f92d85b16c201e8b4c7ba168425 1670 cfrpki_1.3.0-1.dsc
 fba61b3a12cc24b6068b67ade787f8ae93574f8c261ec8e0210310747e9857f2 2065076 cfrpki_1.3.0.orig.tar.xz
 96a0ebf4319d49e8b241e074d0231aba6327b4631d96d64122f174fd29eeff48 5192 cfrpki_1.3.0-1.debian.tar.xz
 a20ff103962bfac9c49114f625eaadd7d784242a5b2130529e4625b6929b9b87 8852 cfrpki_1.3.0-1_amd64.buildinfo
Files:
 3bf3c9f7b4c90ff59e36a8944fdfe2f6 1670 net optional cfrpki_1.3.0-1.dsc
 42f004de4882ba40a895921daafeb623 2065076 net optional cfrpki_1.3.0.orig.tar.xz
 e0099512b83cd78f1102634983ebb784 5192 net optional cfrpki_1.3.0-1.debian.tar.xz
 1963f5ba0aba67308f159e4102e4a050 8852 net optional cfrpki_1.3.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCYUZonQAKCRDLPsM64d7X
gU0eAQDlFn/z/gbCaqcX6TnNhdSQq7B7s2jpWrXfA4icq5dH4gEAwt8rDxD0J76M
Qe04AaCWvBhL5Hrl0qIncgLHYpnMPws=
=BrXL
-----END PGP SIGNATURE-----

--- End Message ---