PT-2026-34530 · Crates.Io · Rustls-Webpki

Published 2026-04-22 · Updated 2026-04-22

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
A panic was reachable when parsing certificate revocation lists via [BorrowedCertRevocationList::from_der] or [OwnedCertRevocationList::from_der]. This was the result of mishandling a syntactically valid empty BIT STRING appearing in the onlySomeReasons element of an IssuingDistributionPoint CRL extension.
This panic is reachable prior to a CRL's signature being verified.
Applications that do not use CRLs are not affected.
Thank you to @tynus3 for the report.
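
A defensive way to decode the content octets of such a BIT STRING, shown as an added example that is not rustls-webpki's code (the page does not show the faulty code path). The function name `parse_reason_flags`, the error type and the sample bytes are constructed for illustration.

```rust
/// Errors for the content octets of a DER BIT STRING (after tag and length).
#[derive(Debug, PartialEq)]
pub enum BitStringError {
    MissingUnusedBitsOctet,
    BadUnusedBits,
    NonZeroPadding,
}

/// Decode RFC 5280 ReasonFlags from BIT STRING content octets into a u16,
/// with flag bit 0 as the most significant bit. Hypothetical helper.
/// A zero-bit string (content = [0x00]) is valid and yields no flags.
pub fn parse_reason_flags(content: &[u8]) -> Result<u16, BitStringError> {
    // The first content octet counts the unused bits in the final octet.
    let (&unused, value) = content
        .split_first()
        .ok_or(BitStringError::MissingUnusedBitsOctet)?;
    // With no value octets there are no bits that could be unused.
    if unused > 7 || (value.is_empty() && unused != 0) {
        return Err(BitStringError::BadUnusedBits);
    }
    // DER requires the unused trailing bits to be zero.
    if let Some(&last) = value.last() {
        if last & ((1u8 << unused) - 1) != 0 {
            return Err(BitStringError::NonZeroPadding);
        }
    }
    // `value` may be empty here, so use checked access instead of `value[0]`,
    // which would panic. Only the first two octets carry defined flags.
    let hi = value.first().copied().unwrap_or(0);
    let lo = value.get(1).copied().unwrap_or(0);
    Ok(u16::from_be_bytes([hi, lo]))
}

fn main() {
    // Constructed inputs: zero-bit string, keyCompromise only, missing octet.
    let samples: [&[u8]; 3] = [&[0x00], &[0x06, 0x40], &[]];
    for body in samples {
        println!("{:02x?} -> {:?}", body, parse_reason_flags(body));
    }
}
```

Because the advisory states the panic is reachable before signature verification, a check like this has to return an error rather than abort on any input, including unsigned or attacker-supplied CRLs.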

Related Identifiers

RUSTSEC-2026-0104

Affected Products

Rustls-Webpki