On Fri, 2026-07-03 at 13:39 +0100, Michel Lind wrote: > Routinator has four CVE fixes in the latest 0.15.2 (we're now at > 0.14.2), and some of them are marked as high severity > > https://nvd.nist.gov/vuln/detail/CVE-2026-49232 - CVSS-B 8.7 > https://nvd.nist.gov/vuln/detail/CVE-2026-49233 - CVSS-B 8.3 > https://nvd.nist.gov/vuln/detail/CVE-2026-49234 - CVSS-B 8.2 > https://nvd.nist.gov/vuln/detail/CVE-2026-49235 - CVSS-B 8.7 > > You might have noticed 0.14->0.15 indicates a breaking change, and > unfortunately... you're right. The reason is *another* security fix > > https://nvd.nist.gov/vuln/detail/CVE-2023-39916 > > No score available, and this one is in an option that is not on by > default - quoting NVD: > > NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as > 0.14.0 up to and including 0.14.2 contains a possible path traversal > vulnerability in the optional, off-by-default keep-rrdp-responses > feature that allows users to store the content of responses received > for RRDP requests > > From the upstream changelog, they have been trying to fix this for > several releases and finally gave up and pulled the plug: > > "This once and for all fixes [CVE-2023-39916] which returned again in > release 0.14.0." > > So out of an abundance of caution I'm giving a heads up and following > the incompatible update process for both Fedora and EPEL > > The updates have been built but I am disabling automatic push by > karma > and time: > > https://bodhi.fedoraproject.org/updates/?search=0.15.2&packages=rust-routinator > > Best regards, > EPEL issue filed: https://forge.fedoraproject.org/epel/steering/issues/369
Best regards, -- _o) Michel Lind _( ) https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 README: https://fedoraproject.org/wiki/User:Salimma#README
signature.asc
Description: This is a digitally signed message part
-- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
