git.ipfire.org Git - thirdparty/gnutls.git/commit

]> git.ipfire.org Git - thirdparty/gnutls.git/commit

projects / thirdparty / gnutls.git / commit

author	Alexander Sosedkin <asosedkin@redhat.com>
	Tue, 14 Apr 2026 15:41:30 +0000 (17:41 +0200)
committer	Alexander Sosedkin <asosedkin@redhat.com>
	Wed, 29 Apr 2026 13:35:03 +0000 (15:35 +0200)
commit	1dead2faec6320aaba321eb56f20d442df192b83
tree	35915393ec03705b84330ce864c33ebc718dbd4a	tree \| snapshot
parent	ccbdcced91277615d34cf7c996715799fd2d9e2a	commit \| diff

x509/name_constraints: fix intersecting empty constraints

Permitted name constraints were wrongfully ignored
when prior CAs only had excluded name constraints,
resulting in a name constraint bypass.

With this change, they are taken into account and propagate.

Reported-by: Haruto Kimura (Stella)
Fixes: #1824
Fixes: CVE-2026-42011
Fixes: GNUTLS-SA-2026-04-29-6
CVSS: 4.8 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

lib/x509/name_constraints.c

diff | blob | blame | history

Mirror of https://gitlab.com/gnutls/gnutls.git

RSS Atom