Source: cfrpki
Version: 1.2.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for cfrpki.

CVE-2021-3761[0]:
| Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into
| emitting an invalid VRP "MaxLength" value, causing RTR sessions to
| terminate. An attacker can use this to disable RPKI Origin Validation
| in a victim network (for example AS 13335 - Cloudflare) prior to
| launching a BGP hijack which during normal operations would be
| rejected as "RPKI invalid". Additionally, in certain deployments RTR
| session flapping in and of itself also could cause BGP routing churn,
| causing availability issues.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3761
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3761
[1] https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422
[2] https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9

Regards,
Salvatore
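The failure mode in the CVE text above is a VRP whose MaxLength is inconsistent with its prefix; an RTR client that receives such an entry tears down the session, which is what takes Origin Validation offline. The check a validator should apply before emitting anything over RTR is simple: the prefix must parse, and the maxLength must lie between the prefix length and the address-family maximum (32 for IPv4, 128 for IPv6). The Go program below is an added illustration of that check and is not code from cfrpki, OctoRPKI or the linked fix commit; the `VRP` struct, `Validate`, `FilterVRPs` and `SampleVRPs` are hypothetical names, and the sample entries are constructed from documentation-range ASNs and prefixes.

```go
package main

import (
	"fmt"
	"net"
)

// VRP is a Validated ROA Payload as it would be handed to an RTR server.
// Illustrative struct, not OctoRPKI's own type.
type VRP struct {
	ASN       uint32
	Prefix    string // CIDR text, e.g. "192.0.2.0/24"
	MaxLength int
}

// Validate reports why a VRP must not be emitted over RTR. A well-formed
// entry needs a parseable prefix and prefixLen <= MaxLength <= family max
// (32 for IPv4, 128 for IPv6); anything else is the kind of value that
// makes an RTR client drop the session.
func (v VRP) Validate() error {
	_, ipnet, err := net.ParseCIDR(v.Prefix)
	if err != nil {
		return fmt.Errorf("prefix %q: %w", v.Prefix, err)
	}
	// ParseCIDR always yields a canonical mask, so Size() is well defined:
	// a 4-byte mask for IPv4 (bits=32), a 16-byte mask for IPv6 (bits=128).
	prefixLen, bits := ipnet.Mask.Size()
	switch {
	case v.MaxLength < prefixLen:
		return fmt.Errorf("%s: maxLength %d is shorter than the prefix length %d", v.Prefix, v.MaxLength, prefixLen)
	case v.MaxLength > bits:
		return fmt.Errorf("%s: maxLength %d exceeds the %d-bit address family", v.Prefix, v.MaxLength, bits)
	}
	return nil
}

// FilterVRPs keeps the entries that pass Validate and returns the rejection
// reasons separately so they can be logged and alerted on rather than
// silently dropped. Rejecting one malformed ROA costs coverage for a single
// prefix; emitting it would cost the whole RTR session.
func FilterVRPs(in []VRP) (valid []VRP, rejected []error) {
	for _, v := range in {
		if err := v.Validate(); err != nil {
			rejected = append(rejected, err)
			continue
		}
		valid = append(valid, v)
	}
	return valid, rejected
}

// SampleVRPs is constructed test data (documentation-range ASNs and
// prefixes), not output from any real RPKI repository.
func SampleVRPs() []VRP {
	return []VRP{
		{ASN: 64496, Prefix: "192.0.2.0/24", MaxLength: 24},    // valid
		{ASN: 64496, Prefix: "192.0.2.0/24", MaxLength: 48},    // > 32: impossible for IPv4
		{ASN: 64497, Prefix: "2001:db8::/32", MaxLength: 48},   // valid
		{ASN: 64497, Prefix: "2001:db8::/48", MaxLength: 40},   // shorter than the prefix itself
		{ASN: 64497, Prefix: "2001:db8::/129", MaxLength: 128}, // prefix does not parse
	}
}

func main() {
	valid, rejected := FilterVRPs(SampleVRPs())
	fmt.Printf("emitting %d VRPs, rejected %d\n", len(valid), len(rejected))
	for _, err := range rejected {
		fmt.Println("rejected:", err)
	}
}
```

Run as-is it emits two of the five constructed entries and prints a reason for each of the three rejections. The point of returning the rejections rather than discarding them is operational: a sudden rise in rejected VRPs from one CA is exactly the signal a defender wants to see, since a single bad ROA is far cheaper to notice in a log than as an RTR session that keeps flapping.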