[RPKI] [EXTERNAL] Krill 0.12.1 'Safety Belts' released

Compton, Rich A Rich.Compton at charter.com
Tue Jan 17 17:06:48 UTC 2023

I think you have the wrong link to the CVE. I think it should be https://nlnetlabs.nl/downloads/krill/CVE-2023-0158.txt

On 1/17/23, 8:45 AM, "RPKI on behalf of Tim Bruijnzeels via RPKI" <rpki-bounces at lists.nlnetlabs.nl <mailto:rpki-bounces at lists.nlnetlabs.nl> on behalf of rpki at lists.nlnetlabs.nl <mailto:rpki at lists.nlnetlabs.nl>> wrote:

CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance.

Dear list,

We just released Krill 0.12.1 'Safety Belts'.

This release introduces two fixes for the Krill Publication Server. If you only use Krill as an RPKI Certificate Authority and publish elsewhere, e.g. in an RPKI Publication Server provided by your RIR or NIR, then there is no need to update to this release.

Firstly, this release fixes [CVE-2023-0158](https://nlnetlabs.nl/downloads/routinator/CVE-2023-0158.txt <https://nlnetlabs.nl/downloads/routinator/CVE-2023-0158.txt>)

This CVE describes an exposure where remote attackers could cause Krill to crash if it is used as an RPKI Publication Server and if its "/rrdp" endpoint is accessible over the public internet. Note that servers are not affected if the advice in [our documentation](https://krill.docs.nlnetlabs.nl/en/stable/publication-server.html#synchronise-repository-data <https://krill.docs.nlnetlabs.nl/en/stable/publication-server.html#synchronise-repository-data>) was followed and a separate web server is used to serve the RRDP data.

Secondly, locking was added in this release to ensure that updates to the repository content are always applied sequentially. This fixes a concurrency issue introduced in Krill 0.12.0 that could result in rejecting an update from a publishing CA. In such cases the affected update would not be visible for RPKI validators, until a later publication attempt would be successful.

We advise that users upgrade to this version of Krill if they use it as their RPKI Publication Server. We also continue to recommend that a separate web server is used for serving the RRDP data.

Please let us know if you have comments or questions. 

On behalf of the NLnet Labs RPKI Team,


RPKI mailing list
RPKI at lists.nlnetlabs.nl <mailto:RPKI at lists.nlnetlabs.nl>
https://lists.nlnetlabs.nl/mailman/listinfo/rpki <https://lists.nlnetlabs.nl/mailman/listinfo/rpki>

The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.

More information about the RPKI mailing list