nanog mailing list archives
rsync CVE-2022-29154 and RPKI Validation
From: Matt Corallo <nanog () as397444 net>
Date: Thu, 8 Sep 2022 22:56:09 -0400
Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows malicious remote servers to write arbitrary files inside the directories of connecting peers") and its potential impact on RPKI validators? It looks like both Debian [1] and Ubuntu [2] opted *not* to patch rsync in their release/security package streams.
Are rsync-based (or rsync-fallback, which I believe is still required for all RPKI validators?) RPKI validators all vulnerable to takeover from this, or is there some reason why this doesn't apply to RPKI validation?
Thanks,
Matt
[1] https://security-tracker.debian.org/tracker/CVE-2022-29154
[2] https://ubuntu.com/security/CVE-2022-29154