BSDSec

deadsimple BSD Security Advisories and Announcements

rpki-client 9.3 released

rpki-client 9.3 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- Avoid a quadratic complexity issue in ibuf_realloc() due to misuse of
  recallocarray(). Transferring a manifest with a large FileAndHash
  list across a privsep boundary could cost significant resources.

- RRDP sessions are periodically reinitialized to snapshot at random
  intervals. RRDP deltas and snapshots can diverge content-wise over
  time, leaving stale files in the cache. Reinitialization is triggered
  at random with increasing probability with increasing snapshot age, at
  least once every three months. This helps garbage collection.

- The internal state file format changed. The first run after an upgrade
  may produce harmless warning messages about invalid last_reset.

- Signed Prefix List statistics are now only emitted when rpki-client
  is run with -x.
  This changes the JSON output: without -x some keys are missing from
  'metadata'.

- The -r command line option formerly enabling RRDP has long been the
  default and is now removed.

- The CRL number extension in CRLs is checked to be in the range [0..2^159-1]
  and otherwise the CRL is considered invalid, see
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-crl-numbers

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with
LibreSSL 3.6 or later, expat and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.