fort-validator (1.5.4-1+deb12u1) bookworm; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * d/control (Build-Depends): Add rsync for running tests.
  * d/patches/CVE-2024-45234.patch: Add patch to fix CVE-2024-45234.
    - A malicious RPKI repository that descends from a (trusted) Trust Anchor
      can serve (via rsync or RRDP) an ROA or a Manifest containing a
      signedAttrs encoded in non-canonical form. This bypasses Fort's BER
      decoder, reaching a point in the code that panics when faced with data
      not encoded in DER. Because Fort is an RPKI Relying Party, a panic can
      lead to Route Origin Validation unavailability, which can lead to
      compromised routing.
  * d/patches/CVE-2024-45235.patch: Add patch to fix CVE-2024-45235.
    - A malicious RPKI repository that descends from a (trusted) Trust Anchor
      can serve (via rsync or RRDP) a resource certificate containing an
      Authority Key Identifier extension that lacks the keyIdentifier field.
      Fort references this pointer without sanitizing it first. Because Fort
      is an RPKI Relying Party, a crash can lead to Route Origin Validation
      unavailability, which can lead to compromised routing.
  * d/patches/CVE-2024-45236.patch: Add patch to fix CVE-2024-45236.
    - A malicious RPKI repository that descends from a (trusted) Trust Anchor
      can serve (via rsync or RRDP) a signed object containing an empty
      signedAttributes field. Fort accesses the set's elements without
      sanitizing it first. Because Fort is an RPKI Relying Party, a crash can
      lead to Route Origin Validation unavailability, which can lead to
      compromised routing.
  * d/patches/CVE-2024-45237.patch: Add patch to fix CVE-2024-45237.
    - A malicious RPKI repository that descends from a (trusted) Trust Anchor
      can serve (via rsync or RRDP) a resource certificate containing a Key
      Usage extension composed of more than two bytes of data. Fort writes this
      string into a 2-byte buffer without properly sanitizing its length,
      leading to a buffer overflow.
  * d/patches/CVE-2024-45238.patch: Add patch to fix CVE-2024-45238.
    - A malicious RPKI repository that descends from a (trusted) Trust Anchor
      can serve (via rsync or RRDP) a resource certificate containing a bit
      string that doesn't properly decode into a Subject Public Key. OpenSSL
      does not report this problem during parsing, and when compiled with
      OpenSSL libcrypto versions below 3, Fort recklessly dereferences the
      pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route
      Origin Validation unavailability, which can lead to compromised routing.
  * d/patches/CVE-2024-45239.patch: Add patch to fix CVE-2024-45239.
    - A malicious RPKI repository that descends from a (trusted) Trust Anchor
      can serve (via rsync or RRDP) an ROA or a Manifest containing a null
      eContent field. Fort dereferences the pointer without sanitizing it
      first. Because Fort is an RPKI Relying Party, a crash can lead to Route
      Origin Validation unavailability, which can lead to compromised routing.
  * d/patches/CVE-2024-48943.patch: Add patch to fix CVE-2024-48943.
    - A malicious RPKI rsync repository can prevent Fort from finishing its
      validation run by drip-feeding its content. This can lead to delayed
      validation and a stale or unavailable Route Origin Validation.
      (thanks to Jochen Sprickerhof for helping to backport the test case)

 -- Daniel Leidert <dleidert@debian.org>  Sat, 29 Mar 2025 03:13:08 +0100
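
The entry above describes several DER-decoding defects of the same shape: a length that is never compared with the destination buffer (CVE-2024-45237), a non-canonical length encoding that the decoder does not reject (CVE-2024-45234), and empty or absent fields used without a check. The C program below is an added example written for this page; it is not Fort's code and not the content of the Debian patches. It shows what a bounds-checked DER TLV reader and Key Usage decoder look like: every length is compared against the remaining input, DER's minimal-length rule is enforced, and a Key Usage BIT STRING whose payload exceeds the 2-byte destination is rejected instead of being copied. The function and type names are the example's own, and the sample encodings are constructed, not taken from any real certificate.

```c
/* Bounds-checked DER TLV reader and Key Usage decoder.
 * Added example for this changelog entry; not Fort's code or the patch. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum der_status {
    DER_OK = 0,
    DER_TRUNCATED,     /* length points past the end of the input */
    DER_BAD_TAG,       /* unexpected or unsupported tag */
    DER_NONCANONICAL,  /* valid BER, but not the single DER encoding */
    DER_TOO_LONG,      /* value does not fit the fixed-size destination */
    DER_EMPTY          /* value present but has no content */
};

struct der_tlv {
    uint8_t tag;
    const uint8_t *val;
    size_t len;
};

/* Read one TLV from buf[0..buflen). Definite-form lengths of at most 4 bytes,
 * minimal encoding enforced as DER requires. Never reads past buflen. */
static enum der_status der_read_tlv(const uint8_t *buf, size_t buflen,
                                    struct der_tlv *out, size_t *used)
{
    size_t pos = 0, len;
    if (buflen < 2)
        return DER_TRUNCATED;
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)          /* multi-byte tags not handled here */
        return DER_BAD_TAG;
    uint8_t l0 = buf[pos++];
    if (l0 < 0x80) {
        len = l0;                       /* short form */
    } else {
        size_t nbytes = l0 & 0x7f;
        if (nbytes == 0 || nbytes > 4)  /* indefinite form or absurd length */
            return DER_NONCANONICAL;
        if (buflen - pos < nbytes)
            return DER_TRUNCATED;
        len = 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        /* DER: long form only when needed, and no leading zero length byte */
        if (len < 0x80 || buf[2] == 0)
            return DER_NONCANONICAL;
    }
    if (buflen - pos < len)             /* the check a crashing decoder lacks */
        return DER_TRUNCATED;
    out->tag = tag;
    out->val = buf + pos;
    out->len = len;
    *used = pos + len;
    return DER_OK;
}

/* RFC 5280 KeyUsage: BIT STRING of at most 9 bits, so the content is one
 * unused-bits octet followed by at most two data octets. */
struct key_usage {
    uint8_t bits[2];
    uint8_t nbits;
};

static enum der_status parse_key_usage(const uint8_t *der, size_t derlen,
                                       struct key_usage *ku)
{
    struct der_tlv tlv;
    size_t used;
    enum der_status st = der_read_tlv(der, derlen, &tlv, &used);
    if (st != DER_OK)
        return st;
    if (tlv.tag != 0x03)                     /* BIT STRING */
        return DER_BAD_TAG;
    if (tlv.len == 0)                        /* unused-bits octet is mandatory */
        return DER_EMPTY;
    if (tlv.len > 1 + sizeof ku->bits)       /* reject instead of overflowing */
        return DER_TOO_LONG;
    uint8_t unused = tlv.val[0];
    if (unused > 7 || (tlv.len == 1 && unused != 0))
        return DER_NONCANONICAL;
    /* DER requires the unused trailing bits to be zero */
    if (unused && (tlv.val[tlv.len - 1] & ((1u << unused) - 1)))
        return DER_NONCANONICAL;
    memset(ku->bits, 0, sizeof ku->bits);
    memcpy(ku->bits, tlv.val + 1, tlv.len - 1);
    ku->nbits = (uint8_t)((tlv.len - 1) * 8 - unused);
    return DER_OK;
}

/* Constructed sample encodings (not taken from any real certificate). */
static const uint8_t SAMPLE_OK[]        = {0x03, 0x02, 0x01, 0x06};             /* keyCertSign, cRLSign */
static const uint8_t SAMPLE_OVERSIZED[] = {0x03, 0x05, 0x00, 0xff, 0xff, 0xff, 0xff};
static const uint8_t SAMPLE_EMPTY[]     = {0x03, 0x00};
static const uint8_t SAMPLE_LONGFORM[]  = {0x03, 0x81, 0x02, 0x01, 0x06};       /* length 2 in long form */
static const uint8_t SAMPLE_TRUNCATED[] = {0x03, 0x04, 0x00, 0xff};

static enum der_status status_of(const uint8_t *der, size_t derlen)
{
    struct key_usage ku;
    return parse_key_usage(der, derlen, &ku);
}

/* Number of significant bits, or -1 when the encoding is rejected. */
static int nbits_of(const uint8_t *der, size_t derlen)
{
    struct key_usage ku;
    return parse_key_usage(der, derlen, &ku) == DER_OK ? ku.nbits : -1;
}

int main(void)
{
    printf("ok=%d oversized=%d empty=%d longform=%d truncated=%d\n",
           status_of(SAMPLE_OK, sizeof SAMPLE_OK),
           status_of(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED),
           status_of(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY),
           status_of(SAMPLE_LONGFORM, sizeof SAMPLE_LONGFORM),
           status_of(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

Each rejected input maps to a distinct status rather than to undefined behaviour, which is the property a Relying Party needs: a malformed object from one repository is logged and skipped, and the validation run continues for everyone else.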

fort-validator (1.5.4-1) unstable; urgency=medium

  * New upstream release.
  * Enabled the test suite.

 -- Marco d'Itri <md@linux.it>  Tue, 07 Feb 2023 14:58:46 +0100

fort-validator (1.5.3-1) unstable; urgency=high

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Tue, 09 Nov 2021 15:52:13 +0100

fort-validator (1.5.2-1) unstable; urgency=medium

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Fri, 29 Oct 2021 11:58:38 +0200

fort-validator (1.5.1-1) unstable; urgency=medium

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Mon, 09 Aug 2021 04:54:00 +0200

fort-validator (1.5.0-1) unstable; urgency=medium

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Thu, 11 Feb 2021 01:16:46 +0100

fort-validator (1.4.2-1) unstable; urgency=medium

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Mon, 26 Oct 2020 17:47:54 +0100

fort-validator (1.4.1-1) unstable; urgency=medium

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Tue, 29 Sep 2020 18:08:45 +0200

fort-validator (1.4.0-1) unstable; urgency=medium

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Tue, 25 Aug 2020 02:10:00 +0200

fort-validator (1.3.0-1) unstable; urgency=medium

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Thu, 09 Jul 2020 23:58:11 +0200

fort-validator (1.2.1-1) unstable; urgency=medium

  * New upstream release. Fixes:
    - FTBFS with gcc 10. (Closes: #957221)
  * Improve the daemon sandboxing.

 -- Marco d'Itri <md@linux.it>  Sat, 09 May 2020 13:05:09 +0200

fort-validator (1.2.0-1) unstable; urgency=medium

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Wed, 19 Feb 2020 05:52:23 +0100

fort-validator (1.1.3-1) unstable; urgency=medium

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Tue, 10 Dec 2019 00:18:24 +0100

fort-validator (1.1.2-1) unstable; urgency=medium

  * New upstream release.

 -- Marco d'Itri <md@linux.it>  Tue, 12 Nov 2019 15:04:24 +0100

fort-validator (1.1.1-2) unstable; urgency=medium

  * Depend on rpki-trust-anchors.
  * Build-Depend on pkg-config.

 -- Marco d'Itri <md@linux.it>  Mon, 04 Nov 2019 01:51:01 +0100

fort-validator (1.1.1-1) unstable; urgency=medium

  * Initial release. (Closes: #942321)

 -- Marco d'Itri <md@linux.it>  Fri, 01 Nov 2019 01:48:34 +0100
