Fedora 40: rpki-client 9.5 critical: denial of service fix

The OpenBSD rpki-client is a free, easy-to-use implementation of the

Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to

facilitate validation of the Route Origin of a BGP announcement. The

program queries the RPKI repository system, downloads and validates

Route Origin Authorisations (ROAs) and finally outputs Validated ROA

Payloads (VRPs) in the configuration format of OpenBGPD, BIRD, and

also as CSV or JSON objects for consumption by other routing stacks.

rpki-client 9.5 rpki-client now includes arin.tal which is no longer legally encumbered. See https://www.arin.net/announcements/20250116-tal/ rpki-client reports Certification Authorities that do not meaningfully participate in the RPKI as non-functional CAs. By definition, a CA is non- functional if there is no currently valid Manifest. The number of such CAs is printed at the end of each run and more detailed information is available in the JSON (-j) and ometrics (-m) output. OpenBSD reliability errata 014: Incorrect internal RRDP state handling in rpki- client can lead to a denial of service. Affected are rpki-client versions 7.5 - 9.4. Termination of rsync child processes with SIGTERM is no longer treated as an error if rpki-client has sent this signal. This only affects openrsync. Do not exit filemode with an error if a .gbr or a .tak object contains control characters in its UTF-8 strings. Instead, only warn and emit a sanitized version in JSON output. Upcoming...