Source: haskell-crypton-x509-validation Version: 1.6.14-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for haskell-crypton-x509-validation. CVE-2026-9648[0]: | The crypton-x509-validation Haskell library fails to enforce X.509 | NameConstraints, allowing TLS clients to accept certificates whose | Subject Alternative Names fall outside the issuing CA’s permitted | subtrees. This oversight enables an attacker who compromises a name- | constrained sub-CA to impersonate domains beyond its intended scope. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-9648 https://www.cve.org/CVERecord?id=CVE-2026-9648 [1] https://www.kb.cert.org/vuls/id/862559 [2] https://github.com/kazu-yamamoto/crypton-certificate/pull/30 [3] https://github.com/kazu-yamamoto/crypton-certificate/commit/f4b77edf6ead77f4a886da40e41eab20f0180e39 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
