Candidate: CVE-2021-43174
PublicDate: 2021-11-09 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43174
 https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt
 https://github.com/NLnetLabs/routinator/pull/667
Description:
 NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support
 the gzip transfer encoding when querying RRDP repositories. This encoding
 can be used by an RRDP repository to cause an out-of-memory crash in these
 versions of Routinator. RRDP uses XML which allows arbitrary amounts of
 white space in the encoded data. The gzip scheme compresses such white
 space extremely well, leading to very small compressed files that become
 huge when being decompressed for further processing, big enough that
 Routinator runs out of memory when parsing input data waiting for the next
 XML element.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929024
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_routinator:
upstream_routinator: needs-triage
trusty_routinator: ignored (out of standard support)
xenial_routinator: ignored (out of standard support)

Patches_cfrpki:
upstream_cfrpki: released (1.4.0-1)
trusty_cfrpki: ignored (out of standard support)
xenial_cfrpki: ignored (out of standard support)
impish_cfrpki: needs-triage
jammy_cfrpki: not-affected (1.4.2-1)
devel_cfrpki: not-affected (1.4.2-1)