author: Jack Lloyd <[email protected]> 2018-03-29 12:41:57 -0400
committer: Jack Lloyd <[email protected]> 2018-03-31 09:56:44 -0400
commit: eaac9648a401f62fa96f7cda0587a084ee6ac80b (patch)
tree: a142442fd7e9a1a6daf9dd0604f8ff48465d2b61 /doc/security.rst
parent: dfc6b6ad819395828426c172b8ba2f5d53dda508 (diff)
Fix bugs in wildcard matching
We would incorrectly accept invalid matches; for example, b*.example.net could match foobar.example.net. Introduced in 289cc25709b08
Diffstat (limited to 'doc/security.rst')
 -rw-r--r--  doc/security.rst  13
 1 files changed, 13 insertions, 0 deletions
diff --git a/doc/security.rst b/doc/security.rst
index a36173bc2..238c318fc 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -15,6 +15,19 @@ mail please use::
This key can be found in the file ``doc/pgpkey.txt`` or online at
https://keybase.io/jacklloyd and on most PGP keyservers.
+2018
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* 2018-03-29 (CVE-2018-9127): Invalid wildcard match
+
+ RFC 6125 wildcard matching was incorrectly implemented, so that a wildcard
+ certificate such as "b*.domain.com" would match any hosts "*b*.domain.com"
+ instead of just server names beginning with 'b'. The host and certificate
+ would still have to be in the same domain name. Reported by Fabian Weißberg of
+ Rohde and Schwarz Cybersecurity.
+
+ Bug introduced in 2.2.0, fixed in 2.5.0
+
2017
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
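Review bot: the phrase "would match any hosts "*b*.domain.com"" in the new 2018 entry is hard to read, because the quoted string is not itself a valid wildcard pattern and a reader cannot tell whether the leading '*' is literal or notational; state the effect plainly, e.g. "would match any host in domain.com whose leftmost label contains a 'b' anywhere, such as foobar.domain.com", which mirrors the foobar.example.net example given in the commit message. Consider also citing the section of RFC 6125 that defines the wildcard rules (6.4.3) rather than only the RFC number, since the entry otherwise gives readers no pointer to the rule that was misimplemented. Finally, the version line "Bug introduced in 2.2.0, fixed in 2.5.0" ends without a period while the paragraph above it uses full sentences; add the period for consistency with the rest of the entry.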