Message-ID: <7d37dead-2a5c-4c26-b0c9-145b1cbba02d@oracle.com>
Date: Mon, 30 Mar 2026 12:48:51 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: pyca/cryptography: CVE-2026-34073: X.509: bypass of name constraints on wildcard SANs with matching peer names

https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43 advises:

> Package: cryptography (pip)
> Affected versions: <= 46.0.5
> Patched versions: >= 46.0.6
> Severity: Low
> CVE ID: CVE-2026-34073
> Weaknesses: CWE-295
>
> Summary
> -------
> In versions of cryptography prior to 46.0.5, DNS name constraints were
> only validated against SANs within child certificates, and not the
> "peer name" presented during each validation. Consequently,
> cryptography would allow a peer named bar.example.com to validate
> against a wildcard leaf certificate for *.example.com, even if the
> leaf's parent certificate (or upwards) contained an excluded subtree
> constraint for bar.example.com.
>
> This behavior resulted from a gap between RFC 5280 (which defines Name
> Constraint semantics) and RFC 9525 (which defines service identity
> semantics): put together, neither states definitively whether Name
> Constraints should be applied to peer names. To close this gap,
> cryptography now conservatively rejects any validation where the peer
> name would be rejected by a name constraint if it were a SAN instead.
>
> In practice, exploitation of this bypass requires an uncommon X.509
> topology, one that the Web PKI avoids because it exhibits these kinds
> of problems. Consequently, we consider this a medium-to-low impact
> severity.
>
> See CVE-2025-61727 for a similar bypass in Go's crypto/x509.
>
> Remediation
> -----------
> Users should upgrade to 46.0.6 or newer.
>
> Attribution
> -----------
> Reporter: 1seal (https://github.com/1seal)
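
The gap the advisory describes, as an added example that is not part of the original message and is not pyca/cryptography's code: a simplified Python model of DNS name-constraint checking (RFC 5280) combined with wildcard peer-name matching (RFC 9525). All function names and the `check_peer` flag are hypothetical; the host names are the ones used in the advisory.

```python
# Simplified model for illustration; not the library's implementation.

def in_subtree(name: str, subtree: str) -> bool:
    """dNSName constraint: name equals the subtree or adds labels on its left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def name_permitted(name, permitted=(), excluded=()) -> bool:
    """Excluded subtrees always win; an empty permitted list allows everything else."""
    if any(in_subtree(name, e) for e in excluded):
        return False
    return not permitted or any(in_subtree(name, p) for p in permitted)

def wildcard_match(san: str, peer: str) -> bool:
    """A leading '*' label in the SAN stands for exactly one leftmost peer label."""
    s, p = san.lower().split("."), peer.lower().split(".")
    if len(s) != len(p):
        return False
    return s[1:] == p[1:] if s[0] == "*" else s == p

def validate(peer, leaf_sans, permitted=(), excluded=(), check_peer=True) -> bool:
    """Return True when the peer name is accepted for the leaf certificate.

    check_peer=False models the behaviour before the fix: constraints are
    applied to the SANs only. check_peer=True models the conservative rule
    from the advisory: the peer name is tested as if it were a SAN.
    """
    if not all(name_permitted(s, permitted, excluded) for s in leaf_sans):
        return False
    if check_peer and not name_permitted(peer, permitted, excluded):
        return False
    return any(wildcard_match(s, peer) for s in leaf_sans)

if __name__ == "__main__":
    # Constructed topology from the advisory text: the issuing CA excludes
    # bar.example.com, the leaf carries only the wildcard SAN.
    sans, excluded = ["*.example.com"], ["bar.example.com"]
    for peer in ("bar.example.com", "foo.example.com"):
        before = validate(peer, sans, excluded=excluded, check_peer=False)
        after = validate(peer, sans, excluded=excluded, check_peer=True)
        print(f"{peer}: SAN-only check={before}, with peer-name check={after}")
```

The wildcard SAN itself never falls inside the excluded subtree, which is why a SAN-only check passes; only testing the concrete peer name exposes the conflict.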