mirror of
https://github.com/rustsec/advisory-db.git
synced 2026-07-16 00:12:29 -04:00
Add webpki URI name constraints bug
This commit is contained in:
committed by
Dirkjan Ochtman
parent
356aad6a39
commit
b928e1de99
21
crates/rustls-webpki/RUSTSEC-0000-0000.md
Normal file
21
crates/rustls-webpki/RUSTSEC-0000-0000.md
Normal file
@@ -0,0 +1,21 @@
|
||||
```toml
|
||||
[advisory]
|
||||
id = "RUSTSEC-0000-0000"
|
||||
package = "rustls-webpki"
|
||||
date = "2026-04-14"
|
||||
keywords = ["name constraints", "x509"]
|
||||
aliases = ["GHSA-965h-392x-2mh5"]
|
||||
|
||||
[versions]
|
||||
patched = [">= 0.103.12, < 0.104.0-alpha.1", ">= 0.104.0-alpha.6"]
|
||||
```
|
||||
|
||||
# Name constraints for URI names were incorrectly accepted
|
||||
|
||||
Name constraints for URI names were ignored and therefore accepted.
|
||||
|
||||
Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI name constraints are now rejected unconditionally.
|
||||
|
||||
Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
|
||||
|
||||
This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
|
||||
Reference in New Issue
Block a user