Red Hat Bugzilla – Bug 1311620
CVE-2015-7826 botan: acceptance of invalid certificate names
Last modified: 2018-01-31 11:55:07 EST
RFC 6125 specifies how to match a X.509v3 certificate against a DNS name for application usage.
Otherwise valid certificates using wildcards would be accepted as matching certain hostnames they should not according to RFC 6125. For example a certificate issued for ‘*.example.com’ should match ‘foo.example.com’ but not ‘example.com’ or ‘bar.foo.example.com’. Previously Botan would accept such a certificate as valid for ‘bar.foo.example.com’.
RFC 6125 also requires that when matching a X.509 certificate against a DNS name, the CN entry is only compared if no subjectAlternativeName entry is available. Previously X509_Certificate::matches_dns_name would always check both names.
CVE-2015-7826 only affects 1.11.X for X<22.
In Fedora/EPEL, we have 1.8.X and 1.10.X (i.e. stable) versions.