| Description | OctoRPKI does not limit the length of a connection, allowing a slowloris DoS attack that makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to can keep the connection open for a day before returning a response, while drip-feeding new bytes to keep the connection alive. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
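The failure mode described above, as an added example (not OctoRPKI's or this page's code): a constructed Go test server that trickles a response body indefinitely, beside a fetch routine that bounds the whole exchange with one context deadline so the client fails after a fixed time instead of waiting forever. `newDripServer` and `fetchWithDeadline` are hypothetical names, and the server is sped up to one byte every 50 ms rather than a connection held for a day.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// newDripServer is a constructed stand-in for the repository in the advisory:
// it sends headers at once, then drips one body byte at a time without ever
// finishing, so a client with no overall deadline blocks indefinitely.
func newDripServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		w.(http.Flusher).Flush()
		for {
			select {
			case <-r.Context().Done(): // client gave up and closed the connection
				return
			case <-time.After(50 * time.Millisecond):
				if _, err := w.Write([]byte("x")); err != nil {
					return
				}
				w.(http.Flusher).Flush()
			}
		}
	}))
}

// fetchWithDeadline is the mitigation: a single deadline covers connect,
// headers and body, which a per-read or idle timeout alone does not guarantee
// against a server that keeps trickling bytes. Hypothetical helper.
func fetchWithDeadline(url string, deadline time.Duration) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), deadline)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// Without the deadline this ReadAll is where the client would hang.
	return io.ReadAll(resp.Body)
}

func main() {
	srv := newDripServer()
	defer srv.Close()
	start := time.Now()
	body, err := fetchWithDeadline(srv.URL, 300*time.Millisecond)
	fmt.Printf("read %d bytes in %v, err=%v\n", len(body), time.Since(start).Round(time.Millisecond), err)
}
```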
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
| cfrpki (PTS) | bullseye (security), bullseye | 1.4.2-1~deb11u1 | fixed |
| fort-validator (PTS) | bullseye (security), bullseye | 1.5.3-1~deb11u1 | fixed |
| fort-validator (PTS) | trixie, bookworm, sid | 1.5.4-1 | fixed |
The information below is based on the following data on fixed versions.
[bullseye] - rpki-client <ignored> (Fixed versions need more recent libretls)