rsync CVE-2022-29154 and RPKI Validation

Matt Corallo nanog at
Fri Sep 9 17:36:39 UTC 2022

On 9/9/22 2:36 AM, Vincent Bernat wrote:
> The attacker is still limited to the target directory. The attacker can send files that were 
> excluded or not requested, but they still end up in the target directory. RPKI validators download 
> stuff in a dedicated download directory

Ah, okay, thanks, it's a shame that wasn't included in any of the disclosure posts I managed to find :(

> (but it may be shared with several peers)

I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI 
servers, so it shouldn't be shared, no?

