8 Sep
2022
8 Sep
'22
10:56 p.m.
Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows malicious remote servers to write arbitrary files inside the directories of connecting peers") and its potential impact on RPKI validators? It looks like both Debian [1] and Ubuntu [2] opted *not* to patch rsync in their release/security package streams. Are rsync-based (or rsync-fallback, which I believe is still required for all RPKI validators?) RPKI validators all vulnerable to takeover from this, or is there some reason why this doesn't apply to RPKI validation? Thanks, Matt [1] https://security-tracker.debian.org/tracker/CVE-2022-29154 [2] https://ubuntu.com/security/CVE-2022-29154