This page collects WhisperX intelligence signals tagged #TLS. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
Ryプロジェクトが、業界標準のTLSライブラリであるOpenSSLへの依存を決定したことを受け、重大なセキュリティ脆弱性が発覚した場合の緊急対応体制の構築に着手した。Heartbleed (CVE-2014-0160) のような過去の深刻な脆弱性を教訓に、脆弱性検知からユーザー通知までの包括的なワークフローを事前に策定する。これは、RyがOpenSSLに依存する以上、セキュリティインシデント時に迅速かつ確実に対応できる体制が不可欠であるという認識に基づく。 策定すべき内容は、脆弱性の早期検知、影響評価、対応フロー、ユーザーへの通知、予防策の5つの柱に分けられる。具体的には、GitHub DependabotやCVE監視による脆弱性...
A critical denial-of-service (DoS) vulnerability, dormant for over a decade, has been detected in a modern enterprise monitoring setup. A scan of a Windows Server 2016 system running Nagios Cross-Platform Agent (NCPA) version 2.4.0 flagged the presence of CVE-2011-1473 and CVE-2011-5094. These flaws, which affect the S...
A critical security vulnerability in the ubiquitous Python `requests` library allows TLS certificate verification to be permanently disabled for a web origin, creating a silent path for man-in-the-middle attacks. The flaw, tracked as CVE-2024-35195, resides in the library's session handling. When an initial request to ...
A newly disclosed vulnerability in Go's core cryptographic libraries creates a denial-of-service risk for a wide range of applications. The flaw, tracked as CVE-2026-32280, resides in how the `crypto/x509` and `crypto/tls` packages process certificate chains. Specifically, during chain building, the system fails to cor...
Go 语言标准库的证书验证机制中发现一个潜在的服务拒绝(DoS)漏洞。当验证使用策略的证书链时,如果链中的证书包含非常大量的策略映射(policy mappings),验证过程会变得异常低效,可能消耗大量计算资源,导致服务中断。关键点在于,此漏洞仅影响对“受信任”证书链的验证——即那些由 VerifyOptions.Roots CertPool 或系统证书池中根证书颁发机构(CA)签发的证书。这意味着攻击者可能通过提交一个包含大量策略映射的、看似合法的受信任证书,来耗尽服务器的处理能力。 该漏洞被分配了编号 CVE-2026-32281,其影响范围覆盖 Go 的多个主要分支,包括 release-1.17、release-1.16...
A critical security vulnerability has been identified in the widely-used `rustls-webpki` crate, a core component for certificate validation in Rust's TLS ecosystem. The flaw, tracked as RUSTSEC-2026-0099 and GHSA-xgp8-3hg3-c2mh, involves the improper acceptance of permitted subtree name constraints for certificates ass...
A critical vulnerability in the `rustls-webpki` library, a core component for TLS certificate validation in Rust, incorrectly accepts wildcard certificates that violate explicit name constraints. The flaw, designated RUSTSEC-2026-0099, means a certificate for `*.example.com` could be wrongly validated as permitted unde...
A critical validation flaw in the `rustls-webpki` library, a core component for TLS certificate verification in Rust, has been disclosed. The vulnerability, tracked as RUSTSEC-2026-0099 and GHSA-xgp8-3hg3-c2mh, incorrectly accepts permitted subtree name constraints for certificates asserting a wildcard DNS name. This m...
A critical security flaw in a PostgreSQL database driver actively disables TLS certificate verification, opening all encrypted connections to potential man-in-the-middle (MITM) attacks. The vulnerability is hardcoded in the source, leaving users with no way to opt-in to proper certificate validation. This means any att...
A critical vulnerability in the widely-used `rustls-webpki` library incorrectly accepts wildcard certificates that should be blocked by DNS name constraints. The flaw, designated RUSTSEC-2026-0099 and GHSA-xgp8-3hg3-c2mh, allows a certificate asserting a wildcard name like `*.example.com` to be validated even when a pe...
Rustls-webpki 库中发现一个关键安全漏洞,该漏洞错误地接受了本应被拒绝的 URI 名称约束。此漏洞编号为 RUSTSEC-2026-0098 和 GHSA-965h-392x-2mh5,影响版本 0.101.7。核心问题在于,库在处理 X.509 证书时,完全忽略了针对 URI 名称的约束条件,导致这些约束形同虚设,被错误地“接受”。值得注意的是,该库本身并未提供用于断言 URI 名称的 API,且 URI 名称约束功能在其他方面也尚未实现。目前,所有 URI 名称约束现已被无条件拒绝。 该漏洞的利用路径相对受限,但风险依然存在。由于名称约束是对其他方面已正确签发的证书施加的限制,因此只有在签名验证通过后,此漏洞才可能...
A critical security flaw in the widely used Rust cryptography library `webpki` has been patched, addressing a vulnerability that could allow a certificate with a wildcard name to bypass DNS name constraints. The bug, tracked as GHSA-xgp8-3hg3-c2mh, incorrectly accepted permitted subtree name constraints for DNS names i...
Rustls-webpki 库中发现两个关键安全漏洞,影响其证书验证逻辑。第一个漏洞(RUSTSEC-2026-0098)的核心在于,库在处理包含 URI 名称约束的证书时,错误地接受了这些约束,而非按规范进行验证或拒绝。该库本身并未提供用于断言 URI 名称的 API,且 URI 名称约束功能并未完全实现。目前,所有 URI 名称约束已被无条件拒绝。值得注意的是,名称约束是对其他方面已正确签发的证书施加的限制,因此该漏洞仅在签名验证通过后才可被触及,需要依赖证书的错误签发才能被利用。 第二个漏洞(RUSTSEC-2026-0099)涉及对包含通配符(wildcard)域名的证书错误地接受名称约束。这可能导致本应被限制访问特定子域...
A critical dependency chain in the Rust ecosystem is exposing projects to multiple security vulnerabilities. The MQTT client library `rumqttc v0.25.1` is pinning outdated and vulnerable versions of two key `rustls` dependencies, creating a single point of failure that blocks the entire TLS stack from updating to secure...
Rustls-webpki 库中发现两个关键安全漏洞,涉及证书验证中名称约束的处理逻辑缺陷。第一个漏洞(RUSTSEC-2026-0098)导致 URI 名称约束被错误地接受而非拒绝。该库本身并未提供用于断言 URI 名称的 API,且 URI 名称约束功能并未实现,但验证逻辑却错误地忽略了这些约束。这意味着,在签名验证通过后,攻击者可能利用错误签发的证书绕过预期的名称限制。该漏洞已被分配编号 GHSA-965h-392x-2mh5,并由安全研究员 @1seal 报告。 第二个漏洞(RUSTSEC-2026-0099)涉及对包含通配符(wildcard)的证书断言错误地接受了名称约束。这两个漏洞的共同点在于,它们都位于证书验证流程...
A critical security vulnerability in the widely used `rustls-webpki` library incorrectly accepts name constraints for certificates asserting a wildcard DNS name. This flaw, designated RUSTSEC-2026-0099, allows a certificate for `*.example.com` to be incorrectly validated against a permitted subtree constraint of `accep...
La bibliothèque cryptographique OpenSSL franchit un cap majeur avec le passage à la version 4.0, une mise à jour qui intègre une fonctionnalité cruciale pour la vie privée sur le web : Encrypted Client Hello (ECH). Cette technologie, définie par la RFC 9849, permet désormais aux clients de chiffrer la première partie d...
A critical vulnerability in the Go programming language's TLS certificate verification process, designated CVE-2026-32280, creates a direct path to resource exhaustion and denial-of-service attacks. The flaw resides in the `crypto/x509` package, where the chain-building logic fails to correctly limit computational work...
Rustls-webpki 库中发现两个关键安全漏洞,可能影响依赖其进行 TLS 证书验证的 Rust 应用程序的安全性。第一个漏洞(RUSTSEC-2026-0098)的核心在于,库在处理包含 URI 名称约束的 X.509 证书时,错误地接受了这些约束,而实际上它并未实现相应的验证逻辑。这意味着,一个本应被拒绝的、包含特定 URI 限制的证书,可能被错误地视为有效。该漏洞的利用前提是攻击者能够获得一个被错误签发的证书,并在通过签名验证后触发此缺陷。 第二个漏洞(RUSTSEC-2026-0099)涉及对包含通配符(wildcard)域名的证书处理。库在应用名称约束时,未能正确处理此类证书,可能导致约束被不当绕过或错误应用,从而...
A critical validation flaw in `rustls-webpki`, the widely deployed Rust library for TLS certificate chain verification, permitted wildcard certificate names to bypass DNS name constraints that should have restricted them. The vulnerability, designated RUSTSEC-2026-0099, was identified in version 0.103.10 and patched ac...