REDHAT-BUG-2445763
GnuTLS compares nameConstraints labels on a case-sensitive memcmp path with no ASCII case-folding canonicalization step. When excludedSubtrees or permittedSubtrees carry dNSName (DNS) or rfc822Name (email) constraints, attacker-controlled casing differences in the leaf certificate's SAN can produce a false accept (a policy bypass): a certificate that should be rejected is accepted.
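As an added illustration (not GnuTLS's own code), the routine below matches a dNSName SAN against permittedSubtrees and excludedSubtrees two ways: the byte-exact memcmp-style path the advisory describes, and the ASCII case-folded comparison RFC 5280 calls for. The subtree and SAN values in bypass_demo are constructed samples.

```c
#include <stddef.h>
#include <string.h>

/* ASCII-only case fold (the canonicalization step the bug omits); casefold=0
 * in bytes_eq keeps the memcmp-style byte-exact path. 1 = ranges match. */
static int fold(int c) { return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c; }
static int bytes_eq(const char *a, const char *b, size_t n, int casefold)
{
    for (size_t i = 0; i < n; i++) {
        int x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (casefold ? fold(x) != fold(y) : x != y)
            return 0;
    }
    return 1;
}

/* RFC 5280 4.2.1.10: subtree "example.com" covers itself and any host under it. */
int dns_in_subtree(const char *name, const char *subtree, int casefold)
{
    size_t nl = strlen(name), sl = strlen(subtree);
    if (sl == 0 || nl < sl || (nl > sl && name[nl - sl - 1] != '.'))
        return 0;
    return bytes_eq(name + nl - sl, subtree, sl, casefold);
}

/* Permitted/excluded dNSName subtrees (NULL-terminated arrays) applied to one
 * SAN: 1 = acceptable, 0 = rejected. Excluded wins; empty permitted = any. */
int check_dns_constraints(const char *san, const char *const *permitted,
                          const char *const *excluded, int casefold)
{
    for (size_t i = 0; excluded && excluded[i]; i++)
        if (dns_in_subtree(san, excluded[i], casefold))
            return 0;
    if (!permitted || !permitted[0])
        return 1;
    for (size_t i = 0; permitted[i]; i++)
        if (dns_in_subtree(san, permitted[i], casefold))
            return 1;
    return 0;
}

/* False accept: a SAN differing from the excluded name only in ASCII casing
 * passes the exact path (1) and is rejected only once folded (0). */
int bypass_demo(void)
{
    static const char *const excl[] = { "internal.example.com", NULL };
    const char *san = "Secret.INTERNAL.Example.COM"; /* constructed sample */
    return check_dns_constraints(san, NULL, excl, 0) == 1 &&
           check_dns_constraints(san, NULL, excl, 1) == 0;
}
```

The same exact-path comparison also causes the mirror-image failure against permittedSubtrees: a legitimately issued SAN that differs only in casing is wrongly rejected.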
Frequently Asked Questions
What is the severity of REDHAT-BUG-2445763?
The severity of REDHAT-BUG-2445763 is considered high because the missing ASCII case-fold lets a certificate pass name constraints that should have rejected it.
How do I fix REDHAT-BUG-2445763?
To fix REDHAT-BUG-2445763, ensure that you upgrade to the latest version of GnuTLS where this issue is addressed.
What impact does REDHAT-BUG-2445763 have on GnuTLS users?
REDHAT-BUG-2445763 can allow attackers to bypass name constraints through casing differences in SAN entries, undermining the trust decisions that SSL/TLS connections rely on.
Which versions of GnuTLS are affected by REDHAT-BUG-2445763?
REDHAT-BUG-2445763 affects versions of GnuTLS that do not implement ASCII case-folding for name constraints.
Is there a workaround for REDHAT-BUG-2445763 until a patch is available?
A temporary workaround for REDHAT-BUG-2445763 is to apply ASCII case-folding to certificate SAN entries (dNSName and rfc822Name) before they are compared against name constraints, so the comparison is case-insensitive.