Routinator has four CVE fixes in the latest 0.15.2 (we're now at
0.14.2), and some of them are marked as high severity

https://nvd.nist.gov/vuln/detail/CVE-2026-49232 - CVSS-B 8.7
https://nvd.nist.gov/vuln/detail/CVE-2026-49233 - CVSS-B 8.3
https://nvd.nist.gov/vuln/detail/CVE-2026-49234 - CVSS-B 8.2
https://nvd.nist.gov/vuln/detail/CVE-2026-49235 - CVSS-B 8.7

You might have noticed 0.14->0.15 indicates a breaking change, and
unfortunately... you're right. The reason is *another* security fix

https://nvd.nist.gov/vuln/detail/CVE-2023-39916 

No score available, and this one is in an option that is not on by
default - quoting NVD:

NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as
0.14.0 up to and including 0.14.2 contains a possible path traversal
vulnerability in the optional, off-by-default keep-rrdp-responses
feature that allows users to store the content of responses received
for RRDP requests

From the upstream changelog, they have been trying to fix this for
several releases and finally gave up and pulled the plug:

"This once and for all fixes [CVE-2023-39916] which returned again in
release 0.14.0."

So out of an abundance of caution I'm giving a heads up and following
the incompatible update process for both Fedora and EPEL

The updates have been built but I am disabling automatic push by karma
and time:

https://bodhi.fedoraproject.org/updates/?search=0.15.2&packages=rust-routinator

Best regards,


-- 
 _o) Michel Lind
_( ) https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
     README:    https://fedoraproject.org/wiki/User:Salimma#README

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to