This repository has been archived by the owner on Jul 15, 2021. It is now read-only.
/
Changelog.txt
191 lines (147 loc) · 9.38 KB
/
Changelog.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
* Wed Apr 7 2021 Ties de Kock <tdekock@ripe.net> - 3.2
No new RFCs and RIR policies will be implemented. Security updates will
continue until the 1st of July 2021
- Spring Boot 2.4.4
- Updated the banner and README.md
- Excluded xstream as a dependency (unused)
- fix: Updated default settings to cleanup every 2 days on non-CentOS
* Tue Mar 2 2021 Ties de Kock <tdekock@ripe.net> - 3.2
- Spring Boot 2.4.3
This upgrades to Undertow 2.2.4.Final and prevents non-applicable warnings
about CVE-2020-27782 in the projects dependencies. The CVE is a denial of
service attack that is not applicable to RPKI Validator 3 because the AJP
connector is not used.
- Netty 4.1.59
This upgrades to netty-handler 4.1.59 and prevents a non-applicable warning
about CVE-2021-21290 which is a local information disclosure issue in netty
iff the multipart decoder is used.
* Tue Feb 9 2021 Ties de Kock <tdekock@ripe.net> - 3.2
- Included deprecation warning in front page.
- Change the default value for the cleanup of repositories that have not been
referenced in a validation run to two days.
- Change the default interval at which RRDP repositories are checked for
updated to 10 minutes.
* Mon Dec 21 2020 Ties de Kock <tdekock@ripe.net> - 3.2
- Change the default value for the cleanup of repositories that have not been
referenced in a validation run to two days.
- Change the default interval at which RRDP repositories are checked for
updated to 10 minutes.
* Tue Dec 9 2020 Erik Rozendaal <erozendaal@ripe.net> - 3.2
- only fail full manifest when entries not found or hashes don't
match, individual object validation no longer causes the complete
manifest to fail.
- Increased quartz threads from 10 to 32 to avoid deadlocks
- update of rpki-commons to 1.17: strict manifest entry filename
validation.
- spring-boot 2.4.0
* Tue Nov 17 2020 Erik Rozendaal <erozendaal@ripe.net> - 3.2
- Update of rpki-commons to 1.16: updated dependencies including XStream security update.
* Mon Nov 16 2020 Ties de Kock <tdekock@ripe.net> - 3.2
- Update of rpki-commons to 1.15: more specific check on file-names, bouncy castle update which fixes algorithm identifier mis-match.
* Wed Oct 28 2020 Mikhail Puzanov <mpuzanov@ripe.net> - 3.2
**New minor release due to change in validation behaviour.**
- Use strict validation (`rpki.validator.strict-validation=true`) by default,
with minor differences from [draft-ietf-sidrops-6486bis-00](https://www.ietf.org/archive/id/draft-ietf-sidrops-6486bis-00.txt).
- Use case insensitive URI schemes in object validations.
- Validate that RPKI repository object was found at the correct location.
- Stricter checking of certificate Subject and Issuer DN.
- Decrease bootstrap time by checking rsync repositories earlier after they
are first encountered, and by triggering revalidation when needed.
- Fix Docker tag creation during the release.
- Add docker image for rtr server.
* Fri Sep 18 2020 Mikhail Puzanov <mpuzanov@ripe.net> - 3.1
- Remove repositories from the cache if they are not referred by any certificate for long enough.
- Make 'strict mode' enabled by `rpki.validator.strict-validation=true` more compliant with RFC 6486bis.
- Multiple changes for improving parallel execution and fix potential deadlock.
- Improvements in CPU and memory usage.
- Improvements in storing ROAs in the cache to save space for big ROA objects.
* Thu Aug 20 2020 Mikhail Puzanov <mpuzanov@ripe.net> - 3.1
- Revert changes related to RRDP parallel processing to avoid potential deadlock. This also reverts
all memory and metrics changes introduced in the previous release.
* Thu Aug 6 2020 Ties de Kock <tdekock@ripe.net> - 3.1
- Multiple performance improvements, about 25% less CPU usage.
- Multiple improvements in memory consumption, the validator is able to comfortably work with setting
`jvm.mem.maximum=768m` or even 512m.
- Fixes in rpki-rtr-server shell script to prevent startup failures.
- Added detailed metric for rrdp status (e.g. invalid responses): `rpkivalidator_rrdp_status_total`
* Mon Jul 6 2020 Mikhail Puzanov <mpuzanov@ripe.net> - 3.1
- Introduce property `rpki.validator.strict-validation` enabling strict validation, i.e. manifest
and CRL warnings will now be considered errors. Set to false by default.
- Introduce property `rpki.validator.rsync-only` mainly for testing and research purposed.
Set to false by default.
- Support HTTPS URL for trust anchor certificates in TAL files, falling back to rsync if needed.
- Fix Happy Eyeballs DNS resolver that could cause lots of stray threads CPU-consuming in some situations.
- Do no trust all the HTTPS certificates by default when downloading data using RRDP.
* Wed Jun 24 2020 Ties de Kock <tdekock@ripe.net> 3.1
- Breaking: Rename prometheus metrics to follow naming standards. Validator
metrics start with `rpkivalidator`, rtr server metrics start with `rtrserver`.
- Add metric for active rtr connections.
* Fri May 22 2020 Ties de Kock <tdekock@ripe.net> 3.1-2020.05.22.11.25
Security update: Changed permissions for CentOS systemd service files
After a change in our build infrastructure, the CentOS (rpm) artifact contained
world-writable systemd service files that would allow users with write access
to the machine to elevate privileges and get local code execution.
Version affected: CentOS build of 3.1-2020.05.08.09.26.49
Other releases and builds were not affected.
- Packaging changes for Debian and Centos.
- Add endpoint that applies SLURM-based VRPs to extended export and fix a broken link.
- Fix NullPointerException when managing ignore filters with only ASN or prefix and not both.
- Reduce CPU usage for top-down tree validation for TA with a lot of delegated CAs.
- Fix priority of configuration properties.
- Update Docker image
* Fri May 8 2020 Mikhail Puzanov <mpuzanovg@ripe.net> - 3.1
- Add SLURM-based VRPs to export.json
* Mon Mar 16 2020 Ties de Kock <tdekock@ripe.net> - 3.1
- Added prometheus metrics for http responses
- Support JDK 11 (starting from an earlier revision)
* Tue Mar 10 2020 Adianto Wibisono <awibisono@ripe.net> - 3.1
- Remove core-utils dependency, now works on ubuntu 16.
- Extended roa export end point with validity and serial number added, see issue #39
* Thu Mar 5 2020 Ties de Kock <tdekock@ripe.net> - 3.1
- Updated spring boot to 2.2.5.
- Add prometheus endpoint at /metrics.
* Mon Mar 2 2020 Mikhail Puzanov <mpuzanovg@ripe.net> - 3.1
- Use Undertow instead of Tomcat to reduce memory usage.
* Mon Feb 3 2020 Mikhail Puzanov <mpuzanovg@ripe.net> - 3.1
- Improve scalability for parallel validation execution, reduce memory usage.
* Mon Jan 13 2020 Mikhail Puzanov <mpuzanovg@ripe.net> - 3.1
- Add "rpki.validator.rsync.proxy.host" and "rpki.validator.rsync.proxy.port" settings to support HTTP and rsync
proxies in uniform way.
* Tue Jan 8 2020 Mikhail Puzanov <mpuzanovg@ripe.net> - 3.1
- Fix deciding when to return "ready: true" from validator to rtr-server.
After the fix, users should not experience temporary drops in the the amount of VRPs
when restarting validator (https://github.com/RIPE-NCC/rpki-validator-3/issues/124).
* Mon Dec 16 2019 Mikhail Puzanov <mpuzanovg@ripe.net> - 3.1
- Fix picking up the latest manifest (don't rely on increasing serial numbers).
- Fix healthcehck page for the case of multiple TAs with the same name.
- Improve error handling when parsing RRDP deltas.
* Fri Nov 8 2019 Mikhail Puzanov <mpuzanovg@ripe.net> - 3.1
- Debian packages are now generated with every release.
* Tue Nov 5 2019 Adianto Wibisono <awibisono@ripe.net> - 3.1
- Alpine based docker image based on generic image, not systemd.
- Docker hub image: ripencc/rpki-validator-3-docker:alpine
* Wed Oct 30 2019 Oleg Muravskiy <oleg@ripe.net> - 3.1
- Happy Eyeballs resolver will not try to resolve literal IP addresses passed to it.
* Tue Oct 29 2019 Oleg Muravskiy <oleg@ripe.net> - 3.1
- Fix CPU utilisation by the Happy Eeyballs resolver.
* Tue Oct 29 2019 Mikhail Puzanov <mpuzanovg@ripe.net> - 3.1
- Property 'rpki.validator.rrdp.repository.download.interval' added to tune the period between
RRDP trust anchors re-validations.
* Fri Oct 18 2019 Oleg Muravskiy <oleg@ripe.net> - 3.1
- Add Happy Eyeballs address resolver for HTTP requests from the validator.
* Fri Oct 18 2019 Mikhail Puzanov <mpuzanovg@ripe.net> - 3.1
- Fix SLURM support according to RFC 8416.
* Tue Jul 2 2019 Mikhail Puzanov <mpuzanov@ripe.net> - 3.1
- Minimize memory consumption and disk requirement by dropping Hibernate/H2 database,
and use Xodus https://github.com/JetBrains/xodus as persistence instead.
- Improve responsiveness, set default RPKI object clean up grace period to 48 hours (used to be 7 days).
- Store all the ignore filters and white lists in a slurm.json file instead of the database, so now
the database can be deleted any time without losing any user-configured data.
- For migration, the content of the 'db' directory should be remove and export and re-import of SLURM is required.
* Mon Apr 8 2019 Adianto Wibisono <awibisono@@ripe.net> - 3.0
- Avoid unique constraint violation due to redundant background jobs
- Shorter DB clean up grace period default configuration: from 6 days to 3 days
- Immediate prefetch on uploaded Tals, to shorten bootstrap for the first time.
* Tue Mar 19 2019 Mikhail Puzanov <mpuzanov@ripe.net> - 3.0
- fixed issue with very slow initial sync (https://github.com/RIPE-NCC/rpki-validator-3/issues/77)
- fixed issues with too many messages in log from API logger (https://github.com/RIPE-NCC/rpki-validator-3/issues/75)