Skip to content

v3.6.4

Latest
Latest
Compare
Choose a tag to compare
@github-actions github-actions released this 12 Oct 14:52
· 9 commits to master since this release
v3.6.4
This tag was signed with the committer’s verified signature.
christopher-henderson Christopher Henderson
GPG key ID: 2632D36B664B36BC
Learn about vigilant mode.
ddaf5cc
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

ZLint v3.6.4

The ZMap team is happy to share ZLint v3.6.4.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_crl_distrib_points_not_http The scheme of each CRL Distribution Point MUST be 'http'
  • e_cs_crl_distribution_points This extension MUST be present. It MUST NOT be marked critical. It MUST contain the HTTP URL of the CA's CRL service
  • e_cs_eku_required If the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present. anyExtendedKeyUsage and id-kp-serverAuth MUST NOT be present
  • e_cs_key_usage_required This extension MUST be present and MUST be marked critical. The bit position for digitalSignature MUST be set. The bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.
  • e_cs_rsa_key_size e_cs_rsa_key_size

Bug Fixes

  • Corrected the semantics of e_ev_orgid_inconsistent_subj_and_ext to address Mozilla #1897538 (https://bugzilla.mozilla.org/show_bug.cgi?id=1897538)
  • Corrected e_sub_cert_aia_does_not_contain_ocsp_url to have an ineffective date.
  • Corrected an issue in the CLI parser wherein filtering on RFC8813 would result in an error.
  • Corrected an issue in the CLI parser wherein filtering rules would not be applied when running lints against a CRL.

Changelog

  • ddaf5cc util: gtld_map autopull updates for 2024-09-28T16:21:05 UTC (#882)
  • 77a6468 fix: Fix PSD2 based cabfOrganizationIdentifier check (#880)
  • 372cdc6 RFC8813 is not referrable from the CLI as a valid lint source (#879)
  • caa62ac Add lint to check that all CRL Distribution Points only contain "http" URLs (per CABF BRs 7.1.2.11.2) (#867)
  • 8eb670f Fix old lint checking that an OCSP URL is present in TLS Server certificates: add ineffective date (#871)
  • 2e67fb9 Update main.go to have CRL linting lint on provided registry (#874)
  • f83e4e2 README: Add pkimetal to users list (#873)
  • 33ee62a Add Code Signing lints for EKU, Key Usage, RSA Key Size and CRLDistributionPoints (#865)

Full Changelog:v3.6.3...v3.6.4

Assets 7
Loading