
Releases: rpki-client/rpki-client-portable

v7.6

15 Dec 17:12

This release includes the following changes to the previous release:

  • Enforce the correct namespace of rrdp files.
  • Fail certificate verification if a certificate contains unknown
    critical extensions.
  • Improve cleanup of rrdp directory contents.
  • Introduce a validated cache which holds all the files that have
    successfully been verified by rpki-client.
  • Add a new option '-f ' to validate a signed object in a file
    against the RPKI cache.

v7.5

15 Dec 17:14

This release includes the following changes to the previous release:

  • Make rpki-client more resilient regarding untrusted input:
    • Fail repository synchronisation after 15 min of runtime.
    • Limit the number of repositories per TAL.
    • Don't allow DOCTYPE definitions in RRDP XML files.
    • Fix detection of HTTP redirect loops.
  • Limit the number of concurrent rsync processes.
  • Fix CRLF handling in TAL files.

v7.4

15 Dec 17:15

This release includes the following changes to the previous release:

  • Added support for validating BGPsec Router Public Keys.
  • Fix issues with chunked transfer encoding in the RRDP HTTP client.
  • Cleanup and improvement of how I/O is handled.
  • Improvements in the way X509 certificates are verified.
  • Make rpki-client more resilient regarding untrusted input:
    • Limit the allowed character set for filename listings on
      Manifests.
    • Limit the length of SIA URIs.
    • Limit the size of certain untrusted inputs.
    • Don't exit on failures to parse x509 objects.
    • Limit the size of objects retrieved via RRDP or RSYNC.
    • Limit the number of FileAndHash entries on a manifest.
    • Constrain RRDP such that the delta/snapshot files must be hosted
      at the same host as the notification file.

v7.3

15 Dec 17:17
0bf531a

This release includes the following changes to the previous release:

  • Improve the HTTP client code (status code handling, http proxy support, keep-alive).
  • In RRDP, do not access URIs with userinfo (@-sign).
  • Improve RRDP syncing by considering a notification file serial jumping backwards as synced repository.
  • Make -R (rsync only) also apply to the fetching of TA files.
  • Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude all others.
  • When producing output for OpenBGPd, make use of the 'roa-set expires' attribute to prevent machines from loading outdated roa-sets.
  • In RRDP, limit the number of deltas to 300 per repo. If more deltas exist, downloading a full snapshot is faster.
  • Limit the validation depth of X509 certificate chains to 12, double the current depth seen in RPKI.
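Two of the RRDP hardening items above (v7.4: delta and snapshot files must be hosted on the same host as the notification file; v7.3: never access a URI carrying userinfo, i.e. an '@' in the authority) come down to one check applied to every URI taken from a notification file. The C function below is an added illustration of that check and is not rpki-client's own code; the function names, the https-only simplified URI parser (no port numbers, no IPv6 literals) and the sample URIs are assumptions made for this example.

```c
/* Added example, not rpki-client code: accept a delta/snapshot URI only if
 * it is https, carries no userinfo, and names the same host as the
 * notification file it was listed in. Hypothetical function names. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define HOST_MAX 256

/* Copy the lowercased host of an https:// URI into `host`.
 * Returns false for a non-https scheme, an authority containing userinfo
 * ('@'), an empty or oversized host, or characters outside [A-Za-z0-9.-].
 * Simplification for the example: ':' (a port) is rejected as well. */
static bool rrdp_uri_host(const char *uri, char *host, size_t hostlen)
{
	const char *p, *end;
	size_t n, i;

	if (strncasecmp(uri, "https://", 8) != 0)
		return false;
	p = uri + 8;
	/* the authority ends at the first '/', '?' or '#' */
	end = p + strcspn(p, "/?#");
	n = (size_t)(end - p);
	if (n == 0 || n >= hostlen)
		return false;
	/* userinfo anywhere in the authority is rejected outright */
	if (memchr(p, '@', n) != NULL)
		return false;
	for (i = 0; i < n; i++) {
		unsigned char c = (unsigned char)p[i];
		if (!(isalnum(c) || c == '-' || c == '.'))
			return false;
		host[i] = (char)tolower(c);
	}
	host[n] = '\0';
	return true;
}

/* True if `uri` (a delta or snapshot URI) may be fetched, given that the
 * notification file was fetched from `notify_uri`. */
bool rrdp_uri_allowed(const char *notify_uri, const char *uri)
{
	char nhost[HOST_MAX], uhost[HOST_MAX];

	if (!rrdp_uri_host(notify_uri, nhost, sizeof(nhost)))
		return false;
	if (!rrdp_uri_host(uri, uhost, sizeof(uhost)))
		return false;
	return strcmp(nhost, uhost) == 0;
}

int main(void)
{
	/* constructed sample URIs; example.net is a reserved example domain */
	const char *notify = "https://rrdp.example.net/notification.xml";
	const char *cases[] = {
		"https://rrdp.example.net/snapshot/abc.xml",   /* allowed */
		"https://other.example.net/snapshot.xml",      /* other host */
		"https://user@rrdp.example.net/snapshot.xml",  /* userinfo */
		"http://rrdp.example.net/snapshot.xml",        /* not https */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-48s %s\n", cases[i],
		    rrdp_uri_allowed(notify, cases[i]) ? "allowed" : "rejected");
	return 0;
}
```

The host comparison is case-insensitive because DNS names are, while the scheme check deliberately refuses plain http so that a notification file cannot redirect the fetch to an unencrypted source on the same host.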

v7.2

15 Dec 17:18

This release includes the following changes to the previous release:

  • Use RRDP as the default protocol for synchronizing the RPKI repository
    data, with rsync used as secondary.
  • At startup, warn if the filesystem containing the cache directory
    is probably too small. 500 MB is the suggested minimum size.
  • Handle running out of disk space more gracefully, including cleanup
    of temporary and old files before exiting.
  • Improve the HTTP/1.1 request headers being sent.
  • Improve validation checks for ROA and MFT objects.