From eaac9648a401f62fa96f7cda0587a084ee6ac80b Mon Sep 17 00:00:00 2001
From: Jack Lloyd <jack@randombit.net>
Date: Thu, 29 Mar 2018 12:41:57 -0400
Subject: Fix bugs in wildcard matching

We would incorrectly accept invalid matches for example b*.example.net
could match foobar.example.net

Introduced in 289cc25709b08
---
 doc/security.rst | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'doc')

diff --git a/doc/security.rst b/doc/security.rst
index a36173bc2..238c318fc 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -15,6 +15,19 @@ mail please use::
 This key can be found in the file ``doc/pgpkey.txt`` or online at
 https://keybase.io/jacklloyd and on most PGP keyservers.
 
+2018
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* 2018-03-29 (CVE-2018-9127): Invalid wildcard match
+
+  RFC 6125 wildcard matching was incorrectly implemented, so that a wildcard
+  certificate such as "b*.domain.com" would match any hosts "*b*.domain.com"
+  instead of just server names beginning with 'b'. The host and certificate
+  would still have to be in the same domain name. Reported by Fabian Weißberg of
+  Rohde and Schwarz Cybersecurity.
+
+  Bug introduced in 2.2.0, fixed in 2.5.0
+
 2017
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-- 
cgit v1.2.3