diff options
author | Jack Lloyd <[email protected]> | 2018-03-29 12:41:57 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-03-31 09:56:44 -0400 |
commit | eaac9648a401f62fa96f7cda0587a084ee6ac80b (patch) | |
tree | a142442fd7e9a1a6daf9dd0604f8ff48465d2b61 /doc/security.rst | |
parent | dfc6b6ad819395828426c172b8ba2f5d53dda508 (diff) |
Fix bugs in wildcard matching
We would incorrectly accept invalid matches for example b*.example.net
could match foobar.example.net
Introduced in 289cc25709b08
Diffstat (limited to 'doc/security.rst')
-rw-r--r-- | doc/security.rst | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/security.rst b/doc/security.rst index a36173bc2..238c318fc 100644 --- a/doc/security.rst +++ b/doc/security.rst @@ -15,6 +15,19 @@ mail please use:: This key can be found in the file ``doc/pgpkey.txt`` or online at https://keybase.io/jacklloyd and on most PGP keyservers. +2018 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* 2018-03-29 (CVE-2018-9127): Invalid wildcard match + + RFC 6125 wildcard matching was incorrectly implemented, so that a wildcard + certificate such as "b*.domain.com" would match any hosts "*b*.domain.com" + instead of just server names beginning with 'b'. The host and certificate + would still have to be in the same domain name. Reported by Fabian Weißberg of + Rohde and Schwarz Cybersecurity. + + Bug introduced in 2.2.0, fixed in 2.5.0 + 2017 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |