Description
OctoRPKI does not limit the duration of a connection, allowing for a slowloris DoS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip-feeding new bytes to keep the connection alive.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| routinator | itp | | | package |
| cfrpki | fixed | 1.4.0-1 | | package |
| fort-validator | fixed | 1.5.3-1 | | package |
| rpki-client | fixed | 7.5-1 | | package |
| rpki-client | ignored | | bullseye | package |
Notes
https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244
Related vulnerabilities
Infinite open connection causes OctoRPKI to hang forever