SB2018071625 - Improper Certificate Validation in botan (Alpine package)
Published: July 16, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Certificate Validation (CVE-ID: CVE-2018-9127)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because Botan 2.2.0 through 2.4.0 improperly handles wildcard certificates and accepts certain certificates as valid for hostnames that, under RFC 6125 rules, they should not match. This only affects certificates issued for the same domain as the host, so to impersonate a host one must already hold a wildcard certificate matching other hosts in the same domain. For example, b*.example.com would match some hostnames that do not begin with a 'b' character.
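As an added illustration of the RFC 6125 rule the bulletin refers to (this is not Botan's code and does not reproduce the flawed logic), the following Python matcher honours a wildcard only as part of the left-most label and only within that label, so `b*.example.com` covers `bob.example.com` but not `alice.example.com`. Requiring at least two labels to the right of a wildcard is an assumption taken from common validator practice, not from the bulletin.

```python
"""Strict hostname matching against a certificate's presented DNS identifier,
following the wildcard rules of RFC 6125 section 6.4.3 (added example).

Assumptions (not from the bulletin): identifiers are plain ASCII DNS names,
a wildcard is honoured only in the left-most label, it matches at most one
label, and a wildcard name must have at least two labels to its right."""


def _label_matches(pattern: str, label: str) -> bool:
    """Match one host label against a left-most label that may contain '*'."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False                      # 'a*b*' is rejected outright
    prefix, suffix = pattern.split("*")
    # The literal characters around the wildcard are mandatory: 'b*' must
    # only ever match labels that begin with 'b', and the label has to be
    # long enough to contain both the prefix and the suffix.
    if len(label) < len(prefix) + len(suffix):
        return False
    return label.startswith(prefix) and label.endswith(suffix)


def hostname_matches(presented: str, hostname: str) -> bool:
    """Return True only if `hostname` is covered by the presented identifier."""
    pres = presented.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    # Empty labels ('a..b') are malformed; refuse rather than guess.
    if any(lbl == "" for lbl in pres + host):
        return False
    # A wildcard covers exactly one label, so the label counts must agree:
    # '*.example.com' covers neither 'example.com' nor 'a.b.example.com'.
    if len(pres) != len(host):
        return False
    # Wildcards are only permitted in the left-most label.
    if any("*" in lbl for lbl in pres[1:]):
        return False
    # Assumed practice: never accept '*' against a whole suffix like '*.com'.
    if "*" in pres[0] and len(pres) < 3:
        return False
    if not _label_matches(pres[0], host[0]):
        return False
    return pres[1:] == host[1:]
```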
Remediation
Install update from vendor's website.