Add ChangeLog entry for X.509 CN-type vulnerability

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/ChangeLog.d/x509-verify-non-dns-san.txt b/ChangeLog.d/x509-verify-non-dns-san.txt
new file mode 100644
index 0000000..0cd81b3
--- /dev/null
+++ b/ChangeLog.d/x509-verify-non-dns-san.txt
@@ -0,0 +1,11 @@
+Security
+   * Fix a vulnerability in the verification of X.509 certificates when
+     matching the expected common name (the cn argument of
+     mbedtls_x509_crt_verify()) with the actual certificate name: when the
+     subjecAltName extension is present, the expected name was compared to any
+     name in that extension regardless of its type. This means that an
+     attacker could for example impersonate a 4-bytes or 16-byte domain by
+     getting a certificate for the corresponding IPv4 or IPv6 (this would
+     require the attacker to control that IP address, though). Similar attacks
+     using other subjectAltName name types might be possible. Found and
+     reported by kFYatek in #3498.
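Review bot: "subjecAltName" on the line starting "subjecAltName extension is present" is misspelled (the later occurrence reads "subjectAltName"). Since ChangeLog text is user-facing, it should be corrected before merge. In the same entry, "a 4-bytes or 16-byte domain" should read "4-byte" for consistency, and "the corresponding IPv4 or IPv6" is missing the word "address". The entry also describes only the faulty behaviour. The file name suggests that non-DNS SAN entries are the concern, so consider adding a sentence that says which name types the cn argument is compared against after the fix, so that callers who relied on the old matching know what changed.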