yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 10:55:38 +01:00
Code Issues Packages Projects Releases Wiki Activity
dev/gilles-peskine-arm/travis-20200821
mbedtls/ChangeLog.d/x509-verify-non-dns-san.txt
Manuel Pégourié-Gonnard 204e05404f Add ChangeLog entry for X.509 CN-type vulnerability 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-11 10:24:21 +02:00

12 lines
700 B
Plaintext
Raw Permalink Blame History

Security
* Fix a vulnerability in the verification of X.509 certificates when
matching the expected common name (the cn argument of
mbedtls_x509_crt_verify()) with the actual certificate name: when the
subjecAltName extension is present, the expected name was compared to any
name in that extension regardless of its type. This means that an
attacker could for example impersonate a 4-bytes or 16-byte domain by
getting a certificate for the corresponding IPv4 or IPv6 (this would
require the attacker to control that IP address, though). Similar attacks
using other subjectAltName name types might be possible. Found and
reported by kFYatek in #3498.
Reference in New Issue View Git Blame Copy Permalink