Bugzilla – Bug 968029
VUL-0: CVE-2015-7826: Botan: Acceptance of invalid certificate names
Last modified: 2016-03-21 09:16:53 UTC
http://botan.randombit.net/security.html 2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names RFC 6125 specifies how to match a X.509v3 certificate against a DNS name for application usage. Otherwise valid certificates using wildcards would be accepted as matching certain hostnames that should they should not according to RFC 6125. For example a certificate issued for ‘*.example.com’ should match ‘foo.example.com’ but not ‘example.com’ or ‘bar.foo.example.com’. Previously Botan would accept such a certificate as valid for ‘bar.foo.example.com’. RFC 6125 also requires that when matching a X.509 certificate against a DNS name, the CN entry is only compared if no subjectAlternativeName entry is available. Previously X509_Certificate::matches_dns_name would always check both names. Found in a review by Sirrix AG and 3curity GmbH. Introduced in 1.11.0, fixed in 1.11.22 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7826 http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7826.html
bugbot adjusting priority
In all our codestreams (opensuse included), we have Botan < 1.11.0