-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 29 Mar 2025 03:13:08 +0100
Source: fort-validator
Binary: fort-validator fort-validator-dbgsym
Architecture: mips64el
Version: 1.5.4-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-03)
Changed-By: Daniel Leidert
Description:
 fort-validator - RPKI validator and RTR server
Changes:
 fort-validator (1.5.4-1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * d/control (Build-Depends): Add rsync for running tests.
   * d/patches/CVE-2024-45234.patch: Add patch to fix CVE-2024-45234.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) an ROA or a Manifest containing a
       signedAttrs encoded in non-canonical form. This bypasses Fort's BER
       decoder, reaching a point in the code that panics when faced with data
       not encoded in DER. Because Fort is an RPKI Relying Party, a panic can
       lead to Route Origin Validation unavailability, which can lead to
       compromised routing.
   * d/patches/CVE-2024-45235.patch: Add patch to fix CVE-2024-45235.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) a resource certificate containing an
       Authority Key Identifier extension that lacks the keyIdentifier field.
       Fort references this pointer without sanitizing it first. Because Fort
       is an RPKI Relying Party, a crash can lead to Route Origin Validation
       unavailability, which can lead to compromised routing.
   * d/patches/CVE-2024-45236.patch: Add patch to fix CVE-2024-45236.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) a signed object containing an empty
       signedAttributes field. Fort accesses the set's elements without
       sanitizing it first. Because Fort is an RPKI Relying Party, a crash can
       lead to Route Origin Validation unavailability, which can lead to
       compromised routing.
   * d/patches/CVE-2024-45237.patch: Add patch to fix CVE-2024-45237.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) a resource certificate containing a Key
       Usage extension composed of more than two bytes of data. Fort writes
       this string into a 2-byte buffer without properly sanitizing its
       length, leading to a buffer overflow.
   * d/patches/CVE-2024-45238.patch: Add patch to fix CVE-2024-45238.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) a resource certificate containing a bit
       string that doesn't properly decode into a Subject Public Key. OpenSSL
       does not report this problem during parsing, and when compiled with
       OpenSSL libcrypto versions below 3, Fort recklessly dereferences the
       pointer. Because Fort is an RPKI Relying Party, a crash can lead to
       Route Origin Validation unavailability, which can lead to compromised
       routing.
   * d/patches/CVE-2024-45239.patch: Add patch to fix CVE-2024-45239.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) an ROA or a Manifest containing a null
       eContent field. Fort dereferences the pointer without sanitizing it
       first. Because Fort is an RPKI Relying Party, a crash can lead to Route
       Origin Validation unavailability, which can lead to compromised routing.
   * d/patches/CVE-2024-48943.patch: Add patch to fix CVE-2024-48943.
     - A malicious RPKI rsync repository can prevent Fort from finishing its
       validation run by drip-feeding its content. This can lead to delayed
       validation and a stale or unavailable Route Origin Validation.
     (thanks to Jochen Sprickerhof for helping backport the test case)
Checksums-Sha1:
 b3c7839e0e8519db4c71958adcc54d0b815ed362 645620 fort-validator-dbgsym_1.5.4-1+deb12u1_mips64el.deb
 60a8538103289d43b4c520c60a77458ee9bee242 7073 fort-validator_1.5.4-1+deb12u1_mips64el-buildd.buildinfo
 a5c8b7e6d1b8a2c8f89bb9ac5e758aad0229eb3f 183688 fort-validator_1.5.4-1+deb12u1_mips64el.deb
Checksums-Sha256:
 a8ca30c94e2301ecb464700861303d5ad2a070e7f497da874e460d6ad59e1e8d 645620 fort-validator-dbgsym_1.5.4-1+deb12u1_mips64el.deb
 1aaa835e6d475085b9bb071ed50ae7c55150fade222503256692a3db30dd9ba6 7073 fort-validator_1.5.4-1+deb12u1_mips64el-buildd.buildinfo
 63ca66c1dcee27ea0f65c62c7928c455ac91f6c90899922e76b583fb1063838f 183688 fort-validator_1.5.4-1+deb12u1_mips64el.deb
Files:
 e4dcfb251b59b778b8ffc1292d784dde 645620 debug optional fort-validator-dbgsym_1.5.4-1+deb12u1_mips64el.deb
 cde1ac4db415b2826d83847a25a92d03 7073 net optional fort-validator_1.5.4-1+deb12u1_mips64el-buildd.buildinfo
 86768e5b2e8de6f6010196f48067c0ac 183688 net optional fort-validator_1.5.4-1+deb12u1_mips64el.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEesE3YcWKZXIkRPMemf85J+x5/aoFAmhpV3QACgkQmf85J+x5
/arTYRAApiAvkMc8+3ramC4NoaFjMqtSqBmhxRMAwQIGe86zpP3FI1SSPg/9uO6w
I4pcnWWCe57CC2dKowv4e4rHs6tGbUBlSdMgVs0sl9LhdPx3Qfo3sulWFHPK6yUT
xM1dPuxQDlRhj+8WKIFEpkF4vqlA99uvcfQ4NcDwK7YCngUBWtlKzV3NB8gHgSI4
W89Y+PMWe0Lj9ZyuSwrdg3sVvKj3RVDaARZHQVbWl1nYrEPqagP41F8f4VY4G0+3
SMMluIF6Q/+j1EZSyj/HpV4xqVA0sAvjk/FCcIgN3KZb3hTnaeG1blsIWwNEQdwD
IC34NQnHykuQM+IAwLiHGeGe5FX/K18MQeSpvAbwxcJuTULup+FOXXnw4vcDgfFx
2ZXw9HMEnUSKsnVzn/AT6jZOBHcqs7aTljdvQQQICRjOpje6X006YykY4S8z6u5f
SoX5ipSyFxTddL28TKjbrV7XouBX/sCuciMabn4rssdJ0anKk6BpuebhfEFLLa7P
z75JRr9IKCvltHrt/zj4QnbSt8cJIxTU7F5Og/UK6ewfAcnBAw9lF4nIRCZhFkmd
eXdMjBszdtcObo3Nl5gm6dwhixASFHcfkQeG5JaHOIA2vPSlCjgQZ+WZO1BXeAQh
dDUNj7oa4cANHZ6kB6rvZUs+7mss2UkKsdm66jVfg3vfCEHkUDU=
=4Esm
-----END PGP SIGNATURE-----