CRLs not considered authoritative by Distribution Point due to faulty matching logic

If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored. The impact was that correctly provided CRLs wou...

CVE-2026-4428

A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks. To remediate this issue, users should upgrade to AWS-LC 1.71.0 or...

CVE-2026-4428 CRL Distribution Point Scope Check Logic Error in AWS-LC

A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks. To remediate this issue, users should upgrade to AWS-LC 1.71.0 or...

UBUNTU-CVE-2026-3548

Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs,...

CVE-2026-3548 Buffer overflow in CRL number parsing in wolfSSL

Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs,...

CRL Distribution Point Scope Check Logic Error in AWS-LC

A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point IDP extensions. Customers of AWS services do not...

RUSTSEC-2026-0042 CRL Distribution Point Scope Check Logic Error in AWS-LC

A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point IDP extensions. Customers of AWS services do not...

EUVD-2012-4474

Malware in sbrugna...

NewStart CGSL MAIN 5.04 : openssl Vulnerability (NS-SA-2023-0101)

The remote NewStart CGSL host, running version MAIN 5.04, has openssl packages installed that are affected by a vulnerability: - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1STRING but the public...

K16913: OpenSSL vulnerability CVE-2015-1789

Security Advisory Description The X509cmptime function in crypto/x509/x509vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service out-of-bounds read and application crash via a crafted length field in...

CVE-2008-3280

It was found that various OpenID Providers OPs had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator CVE-2008-0166. In combination with the DNS Cache Poisoning issue CVE-2008-1447 and the fact that almost all SSL/TLS implementations do not...

Design/Logic Flaw

It was found that various OpenID Providers OPs had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator CVE-2008-0166. In combination with the DNS Cache Poisoning issue CVE-2008-1447 and the fact that almost all SSL/TLS implementations do not...

CVE-2008-3280

Technical details for CVE-2008-3280 are not provided in the supplied documents. Related issues (CVE-2008-0166, CVE-2008-1447) are mentioned, but this CVE’s specifics are not disclosed here.

puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL

A flaw was found in Puppet, where the Puppet Agent did not verify the peer in the SSL connection before downloading to the Certificate Revocation List CRL. The primary risk is the availability of communications to computing systems and not Puppet itself. This flaw allows an attacker to submit a...

openSUSE Security Update : pam_pkcs11 (openSUSE-2019-838)

This update for pampkcs11 fixes the following security issues : - It was possible to replay an authentication by using a specially prepared smartcard or token bsc1105012 - Prevent buffer overflow if a user has a home directory with a length of more than 512 bytes bsc1105012 - Memory not cleaned...

Fedora 28 : python-cryptography / python-cryptography-vectors (2018-a9fe5e183e)

New upstream release 2.3 Fixes possible tag truncation security bug in AEAD API, see RHBZ1602752 2.3 - 2018-07-18 - SECURITY ISSUE: finalizewithtag allowed tag truncation by default which can allow tag forgery in some cases. The method now enforces the mintaglength provided to the GCM constructor...

Security update for pam_pkcs11 (moderate)

This update for pampkcs11 fixes the following security issues: - It was possible to replay an authentication by using a specially prepared smartcard or token bsc1105012 - Prevent buffer overflow if a user has a home directory with a length of more than 512 bytes bsc1105012 - Memory not cleaned...

Fedora 27 : python-cryptography / python-cryptography-vectors (2018-06c24068c6)

New upstream release 2.3 Fixes possible tag truncation security bug in AEAD API, see RHBZ1602752 2.3 - 2018-07-18 - SECURITY ISSUE: finalizewithtag allowed tag truncation by default which can allow tag forgery in some cases. The method now enforces the mintaglength provided to the GCM constructor...

[SECURITY] Fedora 27 Update: botan-1.10.17-1.fc27

Botan is a BSD-licensed crypto library written in C++. It provides a wide variety of basic cryptographic algorithms, X.509 certificates and CRLs, PKCS \10 certificate requests, a filter/pipe message processing system, and a wide variety of other features, all written in portable C++. The API...

[SECURITY] Fedora 25 Update: botan-1.10.17-1.fc25

Botan is a BSD-licensed crypto library written in C++. It provides a wide variety of basic cryptographic algorithms, X.509 certificates and CRLs, PKCS \10 certificate requests, a filter/pipe message processing system, and a wide variety of other features, all written in portable C++. The API...