Your submission was sent successfully! Close


Published: 10 April 2017

botan 1.11.x before 1.11.22 improperly handles wildcard matching against hostnames, which might allow remote attackers to have unspecified impact via a valid X.509 certificate, as demonstrated by accepting * as a match for Otherwise valid certificates using wildcards would be accepted as matching certain hostnames that should they should not according to RFC 6125. For example a certificate issued for ‘*’ should match ‘’ but not ‘’ or ‘’. Previously Botan would accept such a certificate as valid for ‘’. RFC 6125 also requires that when matching a X.509 certificate against a DNS name, the CN entry is only compared if no subjectAlternativeName entry is available. Previously X509_Certificate::matches_dns_name would always check both names.



CVSS 3 base score: 9.8


Package Release Status
Launchpad, Ubuntu, Debian
Released (1.11.22)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected)