mbedtls/ChangeLog.d/x509-verify-non-dns-san.txt

Security
   * Fix a vulnerability in the verification of X.509 certificates when
     matching the expected common name (the cn argument of
     mbedtls_x509_crt_verify()) with the actual certificate name: when the
     subjecAltName extension is present, the expected name was compared to any
     name in that extension regardless of its type. This means that an
     attacker could for example impersonate a 4-bytes or 16-byte domain by
     getting a certificate for the corresponding IPv4 or IPv6 (this would
     require the attacker to control that IP address, though). Similar attacks
     using other subjectAltName name types might be possible. Found and
     reported by kFYatek in #3498.
Add ChangeLog entry for X.509 CN-type vulnerability Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> 2020-07-24 10:33:39 +02:00			`Security`
			`* Fix a vulnerability in the verification of X.509 certificates when`
			`matching the expected common name (the cn argument of`
			`mbedtls_x509_crt_verify()) with the actual certificate name: when the`
			`subjecAltName extension is present, the expected name was compared to any`
			`name in that extension regardless of its type. This means that an`
			`attacker could for example impersonate a 4-bytes or 16-byte domain by`
			`getting a certificate for the corresponding IPv4 or IPv6 (this would`
			`require the attacker to control that IP address, though). Similar attacks`
			`using other subjectAltName name types might be possible. Found and`
			`reported by kFYatek in #3498.`