rsync CVE-2022-29154 and RPKI Validation

• Previous message (by thread): rsync CVE-2022-29154 and RPKI Validation
• Next message (by thread): rsync CVE-2022-29154 and RPKI Validation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/9/22 2:36 AM, Vincent Bernat wrote:
> The attacker is still limited to the target directory. The attacker can send files that were 
> excluded or not requested, but they still end up in the target directory. RPKI validators download 
> stuff in a dedicated download directory

Ah, okay, thanks, its a shame that wasn't included in any of the disclosure posts I managed to find :(

> (but it may be shared with several peers)

I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI 
servers, so it shouldn't be shared, no?

Thanks,
Matt

• Previous message (by thread): rsync CVE-2022-29154 and RPKI Validation
• Next message (by thread): rsync CVE-2022-29154 and RPKI Validation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]