> I've started to look at the first vulnerability, but it is not as
> straightforward as I was hoping. Perhaps Luiz Angelo Daros de Luca,
> reporter and author of the fixes, can help me out with this.
Sure. And I do have interest in getting it fixed. It is both a security fix (when it does not block what it should) and a bug fix (when it blocks what it shouldn't).

It affects special certificates with multiple name constraints, used mostly to limit the power of an internal CA. It is normally not used in public CAs.

The fix is a drop-in replacement for the validation function ConfirmNameConstraints() and a small applicable change to MatchBaseName(). There are some required commits to get that change cleanly applied and I don't think it is worth it (a55e94cf6f touches almost all the tree). I think you can use this standalone backport:

https://github.com/luizluca/wolfssl/commit/ede75f0f0618243147ad8315b8c059ce77c751e7

When applied to 4.7.0, it will have the same final result for ConfirmNameConstraints() and MatchBaseName() as the upstream patch.

Regards,
Luiz

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
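The message above is about a validator that must get two things right for a CA certificate carrying several name constraints: reject names it should reject, and accept names it should accept. The following is an added reference model of the RFC 5280 (section 4.2.1.10) dNSName semantics, written in Python for readability; it is not wolfSSL's ConfirmNameConstraints() or MatchBaseName(), nor any part of the backport linked above. It shows the rule a correct implementation has to follow with multiple entries: excluded subtrees are an "any match rejects", permitted subtrees are an "at least one must match" when any are present, and every constrained CA in the chain applies independently. The `NameConstraints` class, the constructed domains (`corp.example`, `lab.example`, `hr.corp.example`) and the leading-dot "subdomains only" convention are assumptions of this example, not something taken from the thread.

```python
"""
Reference check for X.509 dNSName constraints (RFC 5280, section 4.2.1.10).

Added illustration, not wolfSSL code: it models the semantics a validator
must implement when a CA certificate carries several permittedSubtrees
and/or excludedSubtrees entries, and when several CAs in one chain are
each constrained.
"""
from dataclasses import dataclass, field
from typing import List


def dns_matches_base(name: str, base: str) -> bool:
    """Does one dNSName fall inside one constraint base?

    RFC 5280: a base of "example.com" covers "example.com" itself and any
    name built by adding labels on the left. Matching is case-insensitive
    and must respect label boundaries, so "badexample.com" is NOT inside
    "example.com". A leading dot (".example.com") is treated, as many
    validators do (an assumed convention here), as "subdomains only".
    """
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)


@dataclass
class NameConstraints:
    """The dNSName entries of one CA's nameConstraints extension (assumed shape)."""
    permitted_dns: List[str] = field(default_factory=list)
    excluded_dns: List[str] = field(default_factory=list)


def dns_name_allowed(name: str, nc: NameConstraints) -> bool:
    """Apply one certificate's constraints to one dNSName.

    Excluded subtrees win: a match against ANY of them rejects the name.
    Permitted subtrees are an OR: when at least one exists for this name
    type, the name must fall inside at least one of them. No permitted
    entries for the type means this certificate imposes no restriction.
    """
    if any(dns_matches_base(name, b) for b in nc.excluded_dns):
        return False
    if nc.permitted_dns:
        return any(dns_matches_base(name, b) for b in nc.permitted_dns)
    return True


def leaf_dns_names_allowed(names: List[str], chain: List[NameConstraints]) -> bool:
    """Every dNSName of the leaf must satisfy every constrained CA in the chain.

    Constraints from different CAs intersect; a name the root permits can
    still be rejected by a more restrictive intermediate.
    """
    return all(dns_name_allowed(n, nc) for n in names for nc in chain)


if __name__ == "__main__":
    # Constructed sample: an internal CA limited to two company domains,
    # with one sensitive subdomain carved out by an excluded subtree.
    internal_ca = NameConstraints(
        permitted_dns=["corp.example", "lab.example"],
        excluded_dns=["hr.corp.example"],
    )
    for host in ["www.corp.example", "build.lab.example",
                 "payroll.hr.corp.example", "corp.example.evil"]:
        print(f"{host:28s} allowed={leaf_dns_names_allowed([host], [internal_ca])}")
```

Running the block prints one line per constructed host; the two in-scope hosts are accepted, the excluded subdomain and the look-alike suffix are rejected. A practitioner can use a model like this as the oracle for a library's own test certificates: build a chain whose intermediate carries several permitted and excluded dNSName entries and confirm the library agrees with the model on both the accept and the reject side.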
