Dear colleagues, As a result of a coordinated vulnerability disclosure process, many relying party (RP)/"RPKI validator" implementations will release a new version tomorrow at 15:00 CET. The vulnerabilities can hang or crash an RP instance. The vulnerabilities are not likely to have a direct impact: An attacker needs to participate in the RPKI ecosystem actively and have control over a publication point. Unfortunately, authoritative public information is only available in Dutch [0].
We consider it unlikely that the new relying party versions will interact with our new RPKI publication server. However, because we could not test using these upcoming releases, out of an abundance of caution, we have decided to postpone our release of the new publication server until the sixteenth of November. Furthermore, we will not do any other deployments tomorrow. We encourage you to apply these security updates as soon as possible when they become available. As a reminder, support for the RIPE NCC RPKI Validator 3 ended on the first of July; security updates for RPKI Validator 3 will not be available; please use a supported RP implementation. Kind regards, Ties de Kock [0] https://www.ncsc.nl/actueel/nieuws/2021/oktober/29/aanstaande-bekendmaking-cvd-procedure-rpki
