On Fri, 2026-07-03 at 13:39 +0100, Michel Lind wrote:
> Routinator has four CVE fixes in the latest 0.15.2 (we're now at
> 0.14.2), and some of them are marked as high severity
> 
> https://nvd.nist.gov/vuln/detail/CVE-2026-49232 - CVSS-B 8.7
> https://nvd.nist.gov/vuln/detail/CVE-2026-49233 - CVSS-B 8.3
> https://nvd.nist.gov/vuln/detail/CVE-2026-49234 - CVSS-B 8.2
> https://nvd.nist.gov/vuln/detail/CVE-2026-49235 - CVSS-B 8.7
> 
> You might have noticed 0.14->0.15 indicates a breaking change, and
> unfortunately... you're right. The reason is *another* security fix
> 
> https://nvd.nist.gov/vuln/detail/CVE-2023-39916 
> 
> No score available, and this one is in an option that is not on by
> default - quoting NVD:
> 
> NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as
> 0.14.0 up to and including 0.14.2 contains a possible path traversal
> vulnerability in the optional, off-by-default keep-rrdp-responses
> feature that allows users to store the content of responses received
> for RRDP requests
> 
> From the upstream changelog, they have been trying to fix this for
> several releases and finally gave up and pulled the plug:
> 
> "This once and for all fixes [CVE-2023-39916] which returned again in
> release 0.14.0."
> 
> So out of an abundance of caution I'm giving a heads up and following
> the incompatible update process for both Fedora and EPEL
> 
> The updates have been built but I am disabling automatic push by
> karma
> and time:
> 
> https://bodhi.fedoraproject.org/updates/?search=0.15.2&packages=rust-routinator
> 
> Best regards,
> 
FESCo request:
https://forge.fedoraproject.org/fesco/tickets/issues/3635

Best regards,


-- 
 _o) Michel Lind
_( ) https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
     README:    https://fedoraproject.org/wiki/User:Salimma#README

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to