CVE-2018-8970 (https://nvd.nist.gov/vuln/detail/CVE-2018-8970): The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of hostname verification, and consequently allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: the LibreSSL documentation indicates that this special case is supported, but the BoringSSL documentation does not.
Only an unkeyworded version was affected. Fixed version available, repository is clean.
(In reply to Thomas Deutschmann from comment #1) > Only an unkeyworded version was affected. Fixed version available, > repository is clean. Yeah but I still removed 2.7.0 and 2.7.1. Only 2.7.2 is still on the tree which is not vulnerable.