deadsimple BSD Security Advisories and Announcements

rpki-client 8.9 released

rpki-client 8.9 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users update to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- The handling of manifests fetched via rsync or RRDP was reworked to
  fully conform to RFC 9286. The issuance date and manifest number of
  the purported new manifest file must have been increased, otherwise
  the cached version is used.

- As a consequence of the above changes, some warnings for .mft files
  were reworded. The notion of a stale manifest is no longer used.
  The following counters will be removed in rpki-client 9.0:
  - The stalemanifest counter in JSON output.
  - The "stale" state for manifest objects in Open Metrics output.

- A race condition between closing an idle connection and scheduling a
  new request on it could trigger an assert in rare circumstances.

- The evaluation time specified with -P now also applies to trust anchor

- Check that the entire CMS eContent was consumed. Previously, trailing
  data would be silently discarded on deserialization of products.

- In file mode do not consider overclaiming intermediate CA certificates
  as invalid.  A warning is still issued.

- Print the revocation time of certificates in file mode.

- Be more careful when converting OpenSSL numeric identifiers (NIDs)
  to strings.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible
with LibreSSL 3.6 or later, and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on

Reporting Bugs:

General bugs may be reported to

Portable bugs may be filed at

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release

Assistance to coordinate security issues is available via