-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 29 Mar 2025 03:13:08 +0100
Source: fort-validator
Binary: fort-validator fort-validator-dbgsym
Architecture: ppc64el
Version: 1.5.4-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-conova-01) <buildd_ppc64el-ppc64el-conova-01@buildd.debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Description:
 fort-validator - RPKI validator and RTR server
Changes:
 fort-validator (1.5.4-1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * d/control (Build-Depends): Add rsync for running tests.
   * d/patches/CVE-2024-45234.patch: Add patch to fix CVE-2024-45234.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) an ROA or a Manifest containing a
       signedAttrs encoded in non-canonical form. This bypasses Fort's BER
       decoder, reaching a point in the code that panics when faced with data
       not encoded in DER. Because Fort is an RPKI Relying Party, a panic can
       lead to Route Origin Validation unavailability, which can lead to
       compromised routing.
   * d/patches/CVE-2024-45235.patch: Add patch to fix CVE-2024-45235.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) a resource certificate containing an
       Authority Key Identifier extension that lacks the keyIdentifier field.
       Fort references this pointer without sanitizing it first. Because Fort
       is an RPKI Relying Party, a crash can lead to Route Origin Validation
       unavailability, which can lead to compromised routing.
   * d/patches/CVE-2024-45236.patch: Add patch to fix CVE-2024-45236.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) a signed object containing an empty
       signedAttributes field. Fort accesses the set's elements without
       sanitizing it first. Because Fort is an RPKI Relying Party, a crash can
       lead to Route Origin Validation unavailability, which can lead to
       compromised routing.
   * d/patches/CVE-2024-45237.patch: Add patch to fix CVE-2024-45237.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) a resource certificate containing a Key
       Usage extension composed of more than two bytes of data. Fort writes this
       string into a 2-byte buffer without properly sanitizing its length,
       leading to a buffer overflow.
   * d/patches/CVE-2024-45238.patch: Add patch to fix CVE-2024-45238.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) a resource certificate containing a bit
       string that doesn't properly decode into a Subject Public Key. OpenSSL
       does not report this problem during parsing, and when compiled with
       OpenSSL libcrypto versions below 3, Fort recklessly dereferences the
       pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route
       Origin Validation unavailability, which can lead to compromised routing.
   * d/patches/CVE-2024-45239.patch: Add patch to fix CVE-2024-45239.
     - A malicious RPKI repository that descends from a (trusted) Trust Anchor
       can serve (via rsync or RRDP) an ROA or a Manifest containing a null
       eContent field. Fort dereferences the pointer without sanitizing it
       first. Because Fort is an RPKI Relying Party, a crash can lead to Route
       Origin Validation unavailability, which can lead to compromised routing.
   * d/patches/CVE-2024-48943.patch: Add patch to fix CVE-2024-48943.
     - A malicious RPKI rsync repository can prevent Fort from finishing its
       validation run by drip-feeding its content. This can lead to delayed
       validation and a stale or unavailable Route Origin Validation.
       (thanks to Jochen Sprickerhof for helping backporting the test case)
Checksums-Sha1:
 22a547de7cc1a402900fb25f01544dcf83346c3e 635564 fort-validator-dbgsym_1.5.4-1+deb12u1_ppc64el.deb
 99bda916c090067f1de705f3950b672fe3abdf92 7265 fort-validator_1.5.4-1+deb12u1_ppc64el-buildd.buildinfo
 eb607518140849cd3d1e0a5a270de05155a118ac 226136 fort-validator_1.5.4-1+deb12u1_ppc64el.deb
Checksums-Sha256:
 9088c0f7f2e48f08875ccc90566a72e0d94465497a7e69bff90d493b2fc0fbee 635564 fort-validator-dbgsym_1.5.4-1+deb12u1_ppc64el.deb
 f705072898c4d60457c246c4a953e039aa4168b9a1082cf76ea7f0c7f1d9dc3b 7265 fort-validator_1.5.4-1+deb12u1_ppc64el-buildd.buildinfo
 36b06035ac409cdb0410a1539f461c7245dfca5df385b519a445b2f33dab80f0 226136 fort-validator_1.5.4-1+deb12u1_ppc64el.deb
Files:
 51595c2098d0be3f3fe34afafffb7a50 635564 debug optional fort-validator-dbgsym_1.5.4-1+deb12u1_ppc64el.deb
 1bbe3bd24edd0cabe859613da3f0bccb 7265 net optional fort-validator_1.5.4-1+deb12u1_ppc64el-buildd.buildinfo
 9c3e0da9d968243e876ea52598d7558c 226136 net optional fort-validator_1.5.4-1+deb12u1_ppc64el.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvNkWZvjZkiWgJGRETMSrGPLkYxUFAmhpU1cACgkQTMSrGPLk
YxV34hAAqJtCjoLspEw24uj9NiO/9zLLjb/2/T15tqI2oeUitCrjSENoJwiLyz2C
007qP86MKuG4+8kFP6rpnhL9SPBO7A7CXbDKFJAGP5ZhDm4AuwsB2ZrxUepN1vYQ
Bv4ptUN/IhZh/KvcRgTqX7OeL3XJmYXvTZFmu/3xqNg6JyADV+Qa7YA70yq0HVH7
tVyTlqwaeq+mEb2z37cLNAepQgr6u3+ZZZqecuGZ1INp6mqsGBMlF7/S87tzIzXd
zMq568jVd2XYCY6/Km428sCGUO1b6+BpCUpnXmBR5+r4/WE0SH+keaX+uYXKkXYu
UYKNiRx+OHcDBdBFPoqxiAYMACLJd/UDOUxpSzTuInqOqhvS+oxYiWNVeAoAj9Uj
3SeHWSNMFwa8tILnQS1OMi08B9LdUAOG82gAD7N2PEBjVrOAmXAdAMbVSeGi/fAN
5gm0LVu5hqmB2S7g8L5+EXP/VKPb5A7aeBVr9ogS3ZrwR8waUe6PJr0CbIm4lnmz
PGdNI0PNzMX7Hg2s8WbV8XFhWt1c082Ed9MBbsHcA0K0dTRkHtB+HJBzZ/1X/lpz
UAV1ywLBOQcStNopGnuqVBLOacoqC+T70kQVvfZDQpZpcv8j/oNmWuzbrTX91SVC
WI1jntoiMtIdN2eh0onRvbjMdYg85XEt4RfN3SMq9o7b9QaHveU=
=SHY+
-----END PGP SIGNATURE-----