90 matches found
K000161963: Golang vulnerability CVE-2025-61727
Security Advisory Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example . com does not prevent a leaf certificate from claiming the SAN .example.co...
EUVD-2026-39549
Certificates with wildcard DNS SANs e.g. .example.com bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted...
Astra Linux – Vulnerability in vsftpd
ALPACA is an application layer protocol content confusion attack, exploiting TLS servers that implement different protocols but use compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker, who has access to the victim’s traffic at the TCP/IP layer, can redirect...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: golang (UTSA-2026-016811)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016811 advisory. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes...
GHSA-XGP8-3HG3-C2MH webpki: Name constraints were accepted for certificates asserting a wildcard name
Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, .example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very simila...
webpki: Name constraints were accepted for certificates asserting a wildcard name
Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, .example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very simila...
Name constraints were accepted for certificates asserting a wildcard name
Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, .example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very simila...
RUSTSEC-2026-0099 Name constraints were accepted for certificates asserting a wildcard name
Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, .example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very simila...
OPENSUSE-SU-2026:20506-1 Security update for python-cryptography
This update for python-cryptography fixes the following issues: - CVE-2026-34073: Fixed X.509 bypass of name constraints on wildcard SANs with matching peer names. bsc1260876 - CVE-2026-26007: missing validation can lead to security issues for signature verification ECDSA and shared key negotiati...
Google Go 安全漏洞
Google Go is a static, strongly typed, compiled, concurrent programming language with garbage collection features from the American company Google. There is a security vulnerability in Google Go, which stems from the incorrect application of DNS constraints during certificate chain verification...
PYSEC-2026-35
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography...
DEBIAN-CVE-2026-34073
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography...
CVE-2026-34073
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography...
CVE-2026-34073
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography...
CVE-2026-34073 cryptography has incomplete DNS name constraint enforcement on peer names
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography...
GHSA-M959-CC7F-WV43 cryptography has incomplete DNS name constraint enforcement on peer names
Summary In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation through the NameChain DNS verification logic in src/rust/cryptography-x509-verification. An attacker can make a peer name, such as bar.example.com, validate against a wildcard leaf certificate like...
PT-2026-28601
Name of the Vulnerable Software and Affected Versions cryptography versions prior to 46.0.5 Description Versions of cryptography before 46.0.5 had a flaw in how DNS name constraints were validated. The validation only checked against Subject Alternative Names SANs in child certificates, not the...
CLEANSTART-2026-XZ04425 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
Multiple security vulnerabilities affect the prometheus-fips package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...
CLEANSTART-2026-AT88149 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
Multiple security vulnerabilities affect the mongodb package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...