author | Jack Lloyd <[email protected]> | 2018-03-29 12:41:57 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-03-31 09:56:44 -0400 |
commit | eaac9648a401f62fa96f7cda0587a084ee6ac80b (patch) | |
tree | a142442fd7e9a1a6daf9dd0604f8ff48465d2b61 /doc | |
parent | dfc6b6ad819395828426c172b8ba2f5d53dda508 (diff) |

Fix bugs in wildcard matching

We would incorrectly accept invalid matches, for example b*.example.net
could match foobar.example.net

Introduced in 289cc25709b08

Diffstat (limited to 'doc')
-rw-r--r-- | doc/security.rst | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/security.rst b/doc/security.rst index a36173bc2..238c318fc 100644 --- a/doc/security.rst +++ b/doc/security.rst @@ -15,6 +15,19 @@ mail please use:: This key can be found in the file ``doc/pgpkey.txt`` or online at https://keybase.io/jacklloyd and on most PGP keyservers. +2018 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* 2018-03-29 (CVE-2018-9127): Invalid wildcard match + + RFC 6125 wildcard matching was incorrectly implemented, so that a wildcard + certificate such as "b*.domain.com" would match any hosts "*b*.domain.com" + instead of just server names beginning with 'b'. The host and certificate + would still have to be in the same domain name. Reported by Fabian Weißberg of + Rohde and Schwarz Cybersecurity. + + Bug introduced in 2.2.0, fixed in 2.5.0 + 2017 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
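
Review bot: In the added CVE-2018-9127 entry, the phrase 'would match any hosts "*b*.domain.com"' explains the bug with a second wildcard-style pattern, so the reader has to guess which host names were actually accepted. A concrete pair like the one in the commit message (b*.example.net matching foobar.example.net) would be clearer, and it would also replace domain.com with a reserved example domain. The sentence "The host and certificate would still have to be in the same domain name" could state exactly which labels still had to match. This view is limited to doc/, so the matching code change and any regression test for the non-prefix case cannot be checked from here.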