[RPKI] Routinator 0.12.2 'Brutti, sporchi e cattivi' released

[Martin Hoffmann]

Hi!

Today we have released version 0.12.2 of Routinator.

Routinator is an RPKI relying party software that collects and
validates statements in the Resource Public Key Infrastructure
(RPKI) about allowed route origins and makes them available to the
BGP workflow.

This release fixes two issues in Routinator that can be exploited
remotely by rogue RPKI CAs and repositories. We therefore advise all
users of Routinator to upgrade to this release at their earliest
convenience.

The first issue, CVE-2022-39915, can lead to Routinator
crashing when trying to decode certain illegal RPKI objects.

The second issue, CVE-2022-39916, only affects users that
have the 'rrdp-keep-responses' option enabled which allows storing
all received RRDP responses on disk. Because the file name for these
responses is derived from the URI and the path wasn’t checked properly,
a RRDP URI could be constructed that results in the response stored
outside the directory, possibly overwriting existing files.

We would like to thank Haya Shulman, Donika Mirdita and Niklas Vogel for
discovering and reporting these issues.

On behalf of the NLnet Labs RPKI Team,
Martin