CVE-2021-3909

NameCVE-2021-3909
DescriptionOctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5033-1, DSA-5041-1
Debian Bugs929024

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cfrpki (PTS)bullseye (security), bullseye1.4.2-1~deb11u1fixed
bookworm1.4.4-1fixed
fort-validator (PTS)bullseye (security), bullseye1.5.3-1~deb11u1fixed
bookworm1.5.4-1fixed
trixie, sid1.6.4+20240930-1fixed
rpki-client (PTS)bullseye6.8p1-2vulnerable
bookworm8.2-2fixed
trixie, sid9.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cfrpkisourcebullseye1.4.2-1~deb11u1DSA-5041-1
cfrpkisource(unstable)1.4.0-1
fort-validatorsourcebullseye1.5.3-1~deb11u1DSA-5033-1
fort-validatorsource(unstable)1.5.3-1
routinatorITP929024
rpki-clientsource(unstable)7.5-1

Notes

[bullseye] - rpki-client <ignored> (Fixed versions need more recent libretls)
https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244

Search for package or bug name: Reporting problems