Releases: NLnetLabs/routinator
Releases · NLnetLabs/routinator
0.13.2 ‘Existential Funk’
Bug Fixes
- Fix the RTR listener so that Routinator won’t exit if an incoming RTR
connection is closed again too quickly. (#937, reported by Yohei
Nishimura, Atsushi Enomoto, Ruka Miyachi; Internet Multifeed Co., Japan.
Assigned CVE-2024-1622.)
0.13.1 ‘Aziz, Light!’
New
- Added support for private keys marked as “EC PRIVATE KEY“ in the PEM files for TLS server configuration. (#921)
- The rsync collector now logs stderr output of the rsync command directly instead of collecting it and logging it in one go after the commend returned. ([#290])
Bug Fixes
- The
dump
command will now succeed even if certain directories or files in the repository cache are missing. (#916) - A more meaningful message is now printed when decoding RPKI objects fails. It will still not give much detail but at least it isn’t confusing any more. (#917)
Other changes
- Updated the
nlnetlabs-testbed
TAL to the current location and key. (#922)
0.13.1-rc1
New
- Added support for private keys marked as “EC PRIVATE KEY“ in the PEM files for TLS server configuration. (#921)
- The rsync collector now logs stderr output of the rsync command directly instead of collecting it and logging it in one go after the commend returned. ([#290])
Bug Fixes
- The
dump
command will now succeed even if certain directories or files in the repository cache are missing. (#916) - A more meaningful message is now printed when decoding RPKI objects fails. It will still not give much detail but at least it isn’t confusing any more. (#917)
- The RTR server now returns the expected protocol version in the version negotiation error message rather than the requested version. (rpki-rs #280)
- The RTR server does not accept protocol version 2 for now to avoid sending illegal ASPA PDUs. This is a workaround until the final format of the PDU is specified. (rpki-rs #281)
Other changes
- Updated the
nlnetlabs-testbed
TAL to the current location and key. (#922)
0.13.0 ‘Should Have Started This in a Screen’
New
- Added support for ASPA. Processing needs to be enabled via the new option
enable-aspa
which is only available if theaspa
feature is explicitly selected during compilation. This is due to the specification still changing. The implementation currently conforms with draft-ietf-sidrops-aspa-profile-15. (#847, #873, #874, #878) - Added support for version 2 of the RTR protocol. This primarly means support for the ASPA payload type. (#847)
- Sending SIGUSR2 to Routinator will re-open a log file if logging to a file is enabled. (#859)
- The HTTP server provides a new endpoint
/json-delta/notify
that can be used to wait for updated data similar to the RTR Notify PDU. (#863) - Added support for filtering and adding router keys via local exception files. (#865)
- The
vrps
command and the HTTP payload output endpoints now allow excluding specific payload types for output. (#866) - Added a new member
payload
to the output of the/api/v1/status
endpoint that gives an overall summary of the produced payload. (#867) - Added new members
generated
andgeneratedTime
to the JSON object produced by the/json-delta
endpoint. (#868)
Breaking Changes
- A new field
aspa
was added to the jsonext format. See the manual page for more information. (#847) - A number of ASPA-related fields have been added to all metrics and status formats. (#847)
- Renamed functions and attributes that refer to standalone end entity certificates to refer to router certificates so they don’t get confused with the end entity certificates included with signed objects. (#854)
- Renamed the JSON member in the HTTP status API from
validEECerts
tovalidRouterCerts
. The old name is still available but may be removed in the future. (#854) - The regular
json
output format now includes router key and ASPA output. Since both are disabled by default, the format will still be compatible by default. (#866) - The minimal required Rust version has been increased to 1.70. (#847, #853, #869, #879)
Bug Fixes
- Fixed a bug in the RTR server where it would include router key PDUs even if the negotiated protocol version was 0. (via rpki-rs #250)
- Restored the ability to parse ASNs in JSON input to the
validity
command as string or number. (#861) - Update bcder to at least 0.7.3 to fix various decoding issues that could lead to a panic when processing invalid RPKI objects.
- Check the request URI when generating a path for storing a copy of a RRDP response with the
rrdp-keep-responses
option to avoid path traversal. (#894. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.)
Other Changes
0.13.0-rc2
Bug Fixes
- Fixed various decoding issues that could lead to a panic when processing invalid RPKI objects. (via bcder release 0.7.3. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915)
- Check the request URI when generating a path for storing a copy of a RRDP response with the
rrdp-keep-responses
option to avoid path traversal. ([#892]. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.)
0.12.2 ‘Brutti, sporchi e cattivi’
Bug Fixes
- Fixed various decoding issues that could lead to a panic when processing invalid RPKI objects. (#891, via bcder release 0.7.3. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915)
- Check the request URI when generating a path for storing a copy of a RRDP response with the
rrdp-keep-responses
option to avoid path traversal. (#892. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.)
0.13.1-rc1
New
- Added support for ASPA. Processing needs to be enabled via the new option
enable-aspa
which is only available if theaspa
feature is explicitly selected during compilation. This is due to the specification still changing. The implementation currently conforms with draft-ietf-sidrops-aspa-profile-15. (#847, #873, #874, #878) - Added support for version 2 of the RTR protocol. This primarly means support for the ASPA payload type. (#847)
- Sending SIGUSR2 to Routinator will re-open a log file if logging to a file is enabled. (#859)
- The HTTP server provides a new endpoint
/json-delta/notify
that can be used to wait for updated data similar to the RTR Notify PDU. (#863) - Added support for filtering and adding router keys via local exception files. (#865)
- The
vrps
command and the HTTP payload output endpoints now allow excluding specific payload types for output. (#866) - Added a new member
payload
to the output of the/api/v1/status
endpoint that gives an overall summary of the produced payload. (#867) - Added new members
generated
andgeneratedTime
to the JSON object produced by the/json-delta
endpoint. (#868)
Breaking Changes
- A new field
aspa
was added to the jsonext format. See the manual page for more information. (#847) - A number of ASPA-related fields have been added to all metrics and status formats. (#847)
- Renamed functions and attributes that refer to standalone end entity certificates to refer to router certificates so they don’t get confused with the end entity certificates included with signed objects. (#854)
- Renamed the JSON member in the HTTP status API from
validEECerts
tovalidRouterCerts
. The old name is still available but may be removed in the future. (#854) - The regular
json
output format now includes router key and ASPA output. Since both are disabled by default, the format will still be compatible by default. (#866) - The minimal required Rust version has been increased to 1.70. (#847, #853, #869, #879)
Bug Fixes
- Fixed a bug in the RTR server where it would include router key PDUs even if the negotiated protocol version was 0. (via rpki-rs #250)
- Restored the ability to parse ASNs in JSON input to the
validity
command as string or number. (#861)
Other Changes
0.12.1 ‘Plan uw reis in de app’
Bug Fixes
- Actually use the
extra-tals-dir
config file option. (#821) - Allow private keys prefixed both with
BEGIN PRIVATE KEY
andBEGIN RSA PRIVATE KEY
in the files referred to byhttp-tls-key
andrtr-tls-key
configuration options. (#831, #832) - On Unix, if chroot is requested but no working directory is explicitly provided, set the working directory to the chroot directory. (#823)
- Fixed the error messages printed when the
http-tls-key
orhttp-tls-cert
options are required but missing. They now refer to HTTP and not, as previously, to RTR. (#824 by @SanderDelden)
Other Changes
0.12.1-rc2
0.12.1-rc1
Bug Fixes
- Actually use the
extra-tals-dir
config file option. (#821) - On Unix, if chroot is requested but no working directory is explicitly provided, set the working directory to the chroot directory. (#823)
- Fixed the error messages printed when the
http-tls-key
orhttp-tls-cert
options are required but missing. They now refer to HTTP and not, as previously, to RTR. (#824 by @SanderDelden)
Other Changes