rsync CVE-2022-29154 and RPKI Validation
Matt Corallo
nanog at as397444.net
Fri Sep 9 17:36:39 UTC 2022
On 9/9/22 2:36 AM, Vincent Bernat wrote:
> The attacker is still limited to the target directory. The attacker can send files that were
> excluded or not requested, but they still end up in the target directory. RPKI validators download
> stuff in a dedicated download directory
Ah, okay, thanks, it's a shame that wasn't included in any of the disclosure posts I managed to find :(
> (but it may be shared with several peers)
I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI
servers, so it shouldn't be shared, no?
Thanks,
Matt
More information about the NANOG mailing list