This repository has been archived by the owner on Jul 15, 2021. It is now read-only.
Releases: RIPE-NCC/rpki-validator-3
3.2-2021.04.07.12.55
No new RFCs and RIR policies will be implemented. Security updates will
continue until the 1st of July 2021
- Spring Boot 2.4.4
- Updated the banner and README.md
- Excluded xstream as a dependency (unused)
- fix: Updated default settings to cleanup every 2 days on non-CentOS
3.2-2021.03.02.15.08
Dependency upgrades due to non-applicable vulnerabilities in
dependencies.
- Spring Boot 2.4.3
  This upgrades to Undertow 2.2.4.Final and prevents non-applicable warnings
  about CVE-2020-27782 in the project's dependencies. The CVE is a denial of
  service attack that is not applicable to RPKI Validator 3 because the AJP
  connector is not used.
- Netty 4.1.59
  This upgrades to netty-handler 4.1.59 and prevents a non-applicable warning
  about CVE-2021-21290, which is a local information disclosure issue in netty
  iff the multipart decoder is used.
3.2-2021.02.09.09.34
- Added end-of-life warning in front page: The RIPE NCC RPKI Validator will be maintained until the 1st of July 2021
- Change the default value for the cleanup of repositories that have not been
  referenced in a validation run to two days.
- Change the default interval at which RRDP repositories are checked for
  updates to 10 minutes.
3.2-2020.12.10.13.57: 3.2-2020.12.10 - includes relaxed validation rules
All users of 3.2-2020.10.28.23.06 are encouraged to upgrade to this release.
Changes:
- Validation rules have been relaxed: If the manifest is valid and objects on the manifest are present and have a matching hash, drop only the failed objects, not the complete manifest.
- Re-validate the object tree when an object is about to expire.
- Implement updated manifest filename validation rules.
Bug fixes:
- BGP preview update could stop updating; this was fixed.
3.2-2020.10.28.23.06
New minor release due to change in validation behaviour.
- Use strict validation (rpki.validator.strict-validation=true) by default, with minor differences from draft-ietf-sidrops-6486bis-00.
- Use case insensitive URI schemes in object validations.
- Validate that RPKI repository object was found at the correct location.
- Stricter checking of certificate Subject and Issuer DN.
- Decrease bootstrap time by checking rsync repositories earlier after they are first encountered, and by triggering revalidation when needed.
- Fix Docker tag creation during the release.
- Add docker image for rtr server.
3.1-2020.09.25.11.16
Bug fix for repository cleanup.
3.1-2020.09.18.13.38
- Remove repositories from the cache if they are not referred by any certificate for long enough.
- Make 'strict mode' enabled by rpki.validator.strict-validation=true more compliant with RFC 6486bis.
- Multiple changes to improve parallel execution and fix a potential deadlock.
- Improvements in CPU and memory usage.
- Improvements in storing ROAs in the cache to save space for big ROA objects.
3.1-2020.08.06.14.39
- Multiple performance improvements, resulting in about 25% lower CPU usage.
- Multiple improvements in memory consumption, especially with regard to peak memory usage.
- Fixes in rpki-rtr-server shell script to prevent startup failures.
- Added detailed metric for rrdp status (e.g. invalid responses): rpkivalidator_rrdp_status_total
3.1-2020.07.06.14.28
- Introduce property rpki.validator.strict-validation enabling strict validation, i.e. manifest and CRL warnings will now be considered errors. Set to false by default.
- Introduce property rpki.validator.rsync-only, mainly for testing and research purposes. Set to false by default.
- Support HTTPS URL for trust anchor certificates in TAL files, falling back to rsync if needed.
- Fix Happy Eyeballs DNS resolver that could cause lots of stray CPU-consuming threads in some situations.
- Do not trust all the HTTPS certificates by default when downloading data using RRDP.
- Breaking: Rename prometheus metrics to follow naming standards. Validator metrics start with rpkivalidator, rtr server metrics start with rtrserver.
- Add metric for active rtr connections.
3.1-2020.05.22.11.25
Security update:
After a change in our build infrastructure, the CentOS (rpm) artifact contained world-writable systemd service files that would allow users with write access to the machine to elevate privileges and get local code execution. This issue was fixed in this release.
Version affected: CentOS build of 3.1-2020.05.08.09.26.49
Other releases and builds were not affected.
Features and changes:
- Changed permissions for CentOS systemd service files.
- Packaging changes for Debian and CentOS.
- Add endpoint that applies SLURM-based VRPs to extended export and fix a broken link.
- Fix NullPointerException when managing ignore filters with only ASN or prefix and not both.
- Reduce CPU usage for top-down tree validation for TA with a lot of delegated CAs.
- Fix priority of configuration properties.
- Update Docker image.
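
A check for the condition described in the 3.1-2020.05.22.11.25 security update (world-writable systemd service files), as an added example that is not part of the project's release notes or tooling. The function names are hypothetical, and the directories passed on the command line are the operator's choice; the page does not say where the RPM placed its service files.

```shell
#!/bin/sh
# Added example: flag systemd unit files (or unit directories) that any local
# user can modify. A unit that is writable by "other" lets an unprivileged
# account change what the service manager executes.

# Print each regular file or directory under the given paths that has the
# other-write bit (mode 0002) set. Missing directories are skipped.
find_world_writable_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" \( -type f -o -type d \) -perm -0002 -print
    done
}

# Report findings with their mode string; return 1 if anything was found so
# the check can gate a package build or a scheduled host audit.
audit_units() {
    hits=$(find_world_writable_units "$@")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r path; do
        mode=$(ls -ld "$path" | cut -d' ' -f1)
        printf 'WORLD-WRITABLE %s %s\n' "$mode" "$path"
    done
    return 1
}

# Stand-alone use: pass the unit directories to audit, for example
#   sh audit-units.sh /etc/systemd/system /usr/lib/systemd/system
if [ "$#" -gt 0 ]; then
    audit_units "$@"
fi
```

Running the same check against the unpacked package tree in the build pipeline catches the problem before an artifact is published.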