rsync CVE-2022-29154 and RPKI Validation

Matt Corallo nanog at
Fri Sep 9 02:56:09 UTC 2022

Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows malicious remote servers to 
write arbitrary files inside the directories of connecting peers") and its potential impact on RPKI 
validators? It looks like both Debian [1] and Ubuntu [2] opted *not* to patch rsync in their 
release/security package streams.

Are rsync-based (or rsync-fallback, which I believe is still required for all RPKI validators?) RPKI 
validators all vulnerable to takeover from this, or is there some reason why this doesn't apply to 
RPKI validation?
