Bug 2453276 (CVE-2026-34073)
| Summary: | CVE-2026-34073 python-cryptography: Cryptography: Security bypass due to improper DNS name constraint validation | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | alinfoot, anpicker, anthomas, aprice, bbrownin, bdettelb, bparees, brasmith, cahl, caswilli, cmyers, cochase, derez, dfreiber, dnakabaa, doconnor, dranck, drow, dschmidt, dtrifiro, eborisov, ebourniv, ehelms, erezende, ggainey, hasun, jburrell, jdobes, jfula, jkoehler, jlanda, jmitchel, jowilson, jpasqual, jsamir, juwatts, jwong, kaycoth, kgaikwad, kshier, lball, lcouzens, lgallett, ljawale, lphiri, luizcosta, mbarnett, mhayden, mhulan, msilmser, ngough, nmoumoul, nweather, nyancey, oezr, omaciel, ometelka, orabin, osousa, pakotvan, pbohmill, pcreech, ptisnovs, rbobbitt, rbryant, rchan, rhel-process-autobot, sbunciak, sdoran, simaishi, smallamp, smcdonal, stcannon, sthirugn, syedriko, teagle, tmalecek, ttakamiy, veshanka, vkumar, watson-tool-maintainers, weaton, xdharmai, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the `cryptography` library. This vulnerability occurs because DNS (Domain Name System) name constraints were not properly validated against the "peer name" during certificate validation, only against Subject Alternative Names (SANs) within child certificates. This oversight could allow a malicious actor to bypass security restrictions, enabling a certificate for a specific domain to be validated against a broader wildcard certificate, even when an exclusion for that specific domain exists. This could lead to an attacker impersonating a legitimate server or service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2453609, 2453610, 2453611 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-03-31 03:01:49 UTC
|