Corey Bonnell

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. This occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. The read buffer overrun might result in a crash, which could lead to a denial of service attack. In theory, it could also result in the disclosure of private memory contents, such as private keys or sensitive plaintext, although no working exploit leading to memory contents disclosure is known at the time of release of this advisory. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 57 **Description** The issue is related to the display of Punycode format text for entire qualified international domain names in certain instances. When a sub-domain triggers the Punycode display, it can cause user confusion, potentially leading to limited spoofing attacks. The vulnerability is associated with an insufficient input validation mechanism in the Punycode conversion method implementation. **Recommendations** For versions prior to 57, update to version 57 or later to resolve the issue. As a temporary workaround, consider being cautious when encountering international domain names with sub-domains to minimize the risk of exploitation.