nanog mailing list archives
Re: rsync CVE-2022-29154 and RPKI Validation
From: Matt Corallo <nanog () as397444 net>
Date: Fri, 9 Sep 2022 13:36:39 -0400
On 9/9/22 2:36 AM, Vincent Bernat wrote:
The attacker is still limited to the target directory. The attacker can send files that were excluded or not requested, but they still end up in the target directory. RPKI validators download stuff in a dedicated download directory
Ah, okay, thanks, its a shame that wasn't included in any of the disclosure posts I managed to find :(
(but it may be shared with several peers)
I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI servers, so it shouldn't be shared, no?
Thanks, Matt
Current thread:
- rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 08)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 08)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync and RPKI Validation Geoff Huston (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 08)