The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in
LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a
zero name length, which causes silent omission of hostname verification, and
consequently allows man-in-the-middle attackers to spoof servers and obtain
sensitive information via a crafted certificate. NOTE: the LibreSSL
documentation indicates that this special case is supported, but the
BoringSSL documentation does not.
Only an unkeyworded version was affected. Fixed version available, repository is clean.
(In reply to Thomas Deutschmann from comment #1)
> Only an unkeyworded version was affected. Fixed version available,
> repository is clean.
Yeah but I still removed 2.7.0 and 2.7.1. Only 2.7.2 is still on the tree which is not vulnerable.