Routinator has four CVE fixes in the latest 0.15.2 (we're now at 0.14.2), and some of them are marked as high severity
https://nvd.nist.gov/vuln/detail/CVE-2026-49232 - CVSS-B 8.7 https://nvd.nist.gov/vuln/detail/CVE-2026-49233 - CVSS-B 8.3 https://nvd.nist.gov/vuln/detail/CVE-2026-49234 - CVSS-B 8.2 https://nvd.nist.gov/vuln/detail/CVE-2026-49235 - CVSS-B 8.7 You might have noticed 0.14->0.15 indicates a breaking change, and unfortunately... you're right. The reason is *another* security fix https://nvd.nist.gov/vuln/detail/CVE-2023-39916 No score available, and this one is in an option that is not on by default - quoting NVD: NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible path traversal vulnerability in the optional, off-by-default keep-rrdp-responses feature that allows users to store the content of responses received for RRDP requests From the upstream changelog, they have been trying to fix this for several releases and finally gave up and pulled the plug: "This once and for all fixes [CVE-2023-39916] which returned again in release 0.14.0." So out of an abundance of caution I'm giving a heads up and following the incompatible update process for both Fedora and EPEL The updates have been built but I am disabling automatic push by karma and time: https://bodhi.fedoraproject.org/updates/?search=0.15.2&packages=rust-routinator Best regards, -- _o) Michel Lind _( ) https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 README: https://fedoraproject.org/wiki/User:Salimma#README
signature.asc
Description: This is a digitally signed message part
-- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
