# Process this file with autoconf to produce a configure script.
AC_PREREQ([2.69])
-AC_INIT([fort],[1.6.5],[validadorfort@fortproject.net])
+AC_INIT([fort],[1.6.6],[validadorfort@fortproject.net])
AC_CONFIG_SRCDIR([src/main.c])
AM_INIT_AUTOMAKE([subdir-objects])
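Review bot: The release number in AC_INIT is bumped by hand here and again in ARG FORT_VERSION, fort-latest-version and the .TH line of the man page in this same change, so a missed copy would ship mismatched version strings. Consider deriving the other three from the AC_INIT value (for example through a generated file or a build argument supplied at release time), or adding a release check that compares them.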
#--- Alpine build container ---
FROM alpine:latest AS builder
-ARG FORT_VERSION=1.6.5
+ARG FORT_VERSION=1.6.6
# Install compiler and dependencies
RUN apk --update --no-cache add build-base autoconf automake pkgconfig jansson-dev check-dev \
| Impact | Crash. (Potential unavailability of Route Origin Validation.) |
| Patch | Commit [17f0952](https://github.com/NICMx/FORT-validator/commit/17f095210553182b0e0a28ee6fd41b0d3c8fc1d3), released in Fort 1.6.5. |
| Acknowledgments | Niklas Vogel |
+
+# CVE-____-_____
+
+(Awaiting CVE number assignment.)
+
+CWE-167 in manifest validation in LACNIC FORT-Validator 1.6.5 induces invalidation of legitimate RPKI objects.
+
+| Description | RFC 9286 (section 6.4) states that all files from an RPKI Manifest need to be present for a given Repository Publication Point (RPP) to be considered valid. To optimize bandwidth usage and minimize cache burnout, FORT 1.6.5 is filtering unknown files during the rsync download step.<br>If an RPP provides (and lists in the Manifest) a file that is blocked by the rsync filters, and FORT downloads it via rsync, the filtered file will cause the relevant 9286 validation to drop all the other files from the RPP as well.<br>The rsync filters are necessary to prevent accidental cache pollution and minimize network traffic. Given their missing implementation, unknown objects provide no value to the RPKI validation process.<br>This vulnerability does not actually require an attacker; it's currently happening in the wild because of the introduction of new RPKI object "ASPA."<br>The reason why it's a security risk is because it results in the elimination of adjacent RPKI data, which tends to be trusted by some of the Internet's BGP routing infrastructure to make routing decisions. |
+| Impact | Partial unavailability of Route Origin Validation. |
+| Patch | Commit [7f3094d](https://github.com/NICMx/FORT-validator/commit/7f3094d8d50c32df208ed81e54a1da78e33167d9), released in Fort 1.6.6. |
+| Acknowledgements | Frank Hill |
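Review bot: The last row of the new table is labelled "Acknowledgements" while the preceding entry uses "Acknowledgments"; pick one spelling so the advisories stay consistent. In the Description row, "Given their missing implementation, unknown objects provide no value" reads as if the rsync filters are what lacks an implementation; wording such as "Because FORT does not implement them, unknown object types provide no value" removes the ambiguity. The summary line names 1.6.5 as affected but does not say whether earlier releases carry the same rsync filters, which operators need to know when deciding whether to upgrade.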
layout: "default"
image: "/img/logo_validador_og.png"
-fort-latest-version: 1.6.5
+fort-latest-version: 1.6.6
plugins:
- jekyll-seo-tag
- jekyll-sitemap
-.TH fort 8 "2024-12-18" "v1.6.5" "FORT validator"
+.TH fort 8 "2025-02-05" "v1.6.6" "FORT validator"
.SH NAME
fort \- RPKI validator and RTR server
.P
.\".SH COPYRIGHT
-.\" FORT-validator 2024
+.\" FORT-validator 2025
.\" MIT License
.SH SEE ALSO
#include "http/http.h"
-#include <curl/curl.h>
-
#include "cache/local_cache.h"
#include "common.h"
#include "config.h"
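Review bot: Dropping #include <curl/curl.h> from the top of this file leaves any curl types or calls that remain in it dependent on another header, presumably http/http.h, to pull the declarations in. If the file still uses curl symbols, keep the direct include or confirm that http/http.h includes it, so that a later header cleanup does not break the build.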
MOCK_ABORT_PTR(state_retrieve, validation, void)
__MOCK_ABORT(tal_get_file_name, char const *, NULL, struct tal *tal)
__MOCK_ABORT(uri_get_global, char const *, NULL, struct rpki_uri *uri)
+__MOCK_ABORT(uri_get_global_len, size_t, 0, struct rpki_uri *uri)
__MOCK_ABORT(uri_get_local, char const *, NULL, struct rpki_uri *uri)
__MOCK_ABORT(uri_get_rrdp_workspace, char *, NULL, char const *tal,
struct rpki_uri *notif)
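Review bot: The added uri_get_global_len entry is an abort-style mock like its neighbours, so this test file only establishes that the function is never reached here and does not cover the code that now calls it. If the manifest fix relies on uri_get_global_len, add a test case in which a manifest lists a file that the rsync filters exclude, and check that the other files of the RPP are still accepted.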