rsync CVE-2022-29154 and RPKI Validation

Matt Corallo nanog at as397444.net
Fri Sep 9 02:56:09 UTC 2022


Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows malicious remote servers to 
write arbitrary files inside the directories of connecting peers") and its potential impact on RPKI 
validators? It looks like both Debian [1] and Ubuntu [2] opted *not* to patch rsync in their 
release/security package streams.

Are rsync-based (or rsync-fallback, which I believe is still required for all RPKI validators?) RPKI 
validators all vulnerable to takeover from this, or is there some reason why this doesn't apply to 
RPKI validation?

Thanks,
Matt


[1] https://security-tracker.debian.org/tracker/CVE-2022-29154
[2] https://ubuntu.com/security/CVE-2022-29154