
v3.6.7


@github-actions github-actions released this 19 Jul 16:09
· 48 commits to master since this release
v3.6.7
7ede4d5

ZLint v3.6.7

The ZMap team is happy to share ZLint v3.6.7.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_qcstatem_pds_must_have_https_only, Checks that a QC Statement of the type id-etsi-qcs-QcPDS contains a URL that uses the https scheme.
  • e_server_cert_valid_time_longer_than_100_days, TLS server certificates issued on or after March 15, 2027 00:00 GMT/UTC must not have a validity period greater than 100 days.
  • e_server_cert_valid_time_longer_than_200_days, TLS server certificates issued on or after March 15, 2026 00:00 GMT/UTC must not have a validity period greater than 200 days.
  • e_server_cert_valid_time_longer_than_47_days, TLS server certificates issued on or after March 15, 2029 00:00 GMT/UTC must not have a validity period greater than 47 days.
  • w_server_cert_valid_time_longer_than_199_days, TLS server certificates issued on or after March 15, 2026 00:00 GMT/UTC should not have a validity period greater than 199 days.
  • w_server_cert_valid_time_longer_than_46_days, TLS server certificates issued on or after March 15, 2029 00:00 GMT/UTC should not have a validity period greater than 46 days.
  • w_server_cert_valid_time_longer_than_99_days, TLS server certificates issued on or after March 15, 2027 00:00 GMT/UTC should not have a validity period greater than 99 days.
  • e_legacy_generation_deprecated, S/MIME Subscriber Certificates SHALL NOT be issued using the Legacy Generation profiles.
  • e_invalid_individual_identity, Non-legacy IV and SV certificates... SHALL include either subject:givenName and/or subject:surname, or the subject:pseudonym.
  • e_ca_multiple_reserved_policy_oids, The CA MUST include exactly one Reserved Certificate Policy Identifier.
  • e_missing_crl_distrib_point, Checks for the CDP extension in non-Short-lived Subscriber Certificates lacking an OCSP pointer.
  • e_crl_revocation_date_too_early, The revocation time of each revoked certificate should not be before the publication date of RFC 2459.
  • e_crl_extensions_validity, Checks that only allowed extensions are present in a CRL and that their criticality is set correctly.
  • e_crl_no_duplicate_extensions, The CRL must not include duplicate extensions.
  • e_crl_revocation_time_after_this_update, All revocation times for revoked certificates must be on or before the thisUpdate field of the CRL.
  • e_crl_number_out_of_range, The CRL number must be greater than or equal to 0 and less than 2^159.
  • e_ca_aia_non_http_url, Within the AIA extension of CA certificates, accessLocations must contain HTTP URLs.
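
The six server_cert_valid_time lints above form a stepped schedule. The sketch below is an added example, not ZLint's own code: it reports which of those lint names a certificate would trip for a given notBefore/notAfter pair. It assumes that issuance time equals notBefore, that the validity period counts both endpoints (notAfter minus notBefore plus one second) with a day being 86,400 seconds, and that only the tier in force at issuance is reported; `tier`, `schedule` and `firedLints` are hypothetical names.

```go
package main

import (
	"fmt"
	"time"
)

const day = 24 * time.Hour

// tier is one row of the schedule listed in the release notes.
type tier struct {
	from              time.Time // applies to certificates issued on or after this instant
	errDays, warnDays int       // e_ (must not) and w_ (should not) limits, in days
}

var schedule = []tier{
	{time.Date(2026, 3, 15, 0, 0, 0, 0, time.UTC), 200, 199},
	{time.Date(2027, 3, 15, 0, 0, 0, 0, time.UTC), 100, 99},
	{time.Date(2029, 3, 15, 0, 0, 0, 0, time.UTC), 47, 46},
}

// firedLints names the validity lints a certificate would trip.
// Assumptions (not taken from ZLint): issuance == notBefore, validity is
// inclusive of both endpoints, and only the latest tier in force applies.
func firedLints(notBefore, notAfter time.Time) []string {
	var cur *tier
	for i := range schedule {
		if !notBefore.Before(schedule[i].from) {
			cur = &schedule[i] // latest tier already in force at issuance
		}
	}
	if cur == nil {
		return nil // issued before the first date in the schedule
	}
	validity := notAfter.Sub(notBefore) + time.Second
	var out []string
	if validity > time.Duration(cur.errDays)*day {
		out = append(out, fmt.Sprintf("e_server_cert_valid_time_longer_than_%d_days", cur.errDays))
	}
	if validity > time.Duration(cur.warnDays)*day {
		out = append(out, fmt.Sprintf("w_server_cert_valid_time_longer_than_%d_days", cur.warnDays))
	}
	return out
}

func main() {
	nb := time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC) // constructed sample certificate
	fmt.Println(firedLints(nb, nb.Add(200*day)))      // one second over the 200-day limit
}
```

A notAfter computed as notBefore plus N days overshoots an N-day limit by one second under the inclusive reading, which is the off-by-one this schedule makes easy to hit in issuance code.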

Bug Fixes

  • e_mp_ecdsa_pub_key_encoding_correct is now aware of P-521 algorithm identifiers.
  • w_sub_ca_aia_does_not_contain_issuing_ca_url is now ineffective as of CABF/BRs 2.0.0.

Security

  • Upgraded golang.org/x/net from 0.37.0 to 0.38.0 to address CVE-2025-22872

Misc

  • Refactor of time utility functions.
  • Upgraded Go version from 1.23.0 to 1.24.0.
  • Upgraded golangci-lint from 1.62.0 to 1.62.8 to fix CICD compatibility breakages.

Changelog

  • 7ede4d5 set IneffectiveDate for w_sub_ca_aia_does_not_contain_issuing_ca_url (#972)
  • 4b2f3ab Upgrade Golang and tooling to fix the linter (#971)
  • 91dfcc0 Add lint to check for HTTP URLs in the AIA extension of Subordinate CA certificates (#968)
  • 341615f Add lint to check CRL Number range (#964)
  • ee3ab84 Add lint to check that revoked certificates in a CRL has revocation time before or equal to thisUpdate. (#965)
  • 09caaf7 Add lint to check for duplicate extensions in CRLs. (#963)
  • 7ba4cea Add CRL lint to check CRL extensions and their validity (#962)
  • 0747c42 Add CRL lint to check revocation time in revoked certificates (#961)
  • fff6f82 Add lint to check for the CDP extension to be present in non-Short-lived Subscriber Certificates lacking an OCSP pointer (#966)
  • 71f17a7 Add lint to check for multiple Reserved Policy Identifiers in Subordinate CA certificates (#959)
  • 8696d6c Add lint to check for mandatory individual identity subject attributes in non-legacy IV and SV S/MIME certificates (#958)
  • 28c4390 Please add lint to check for deprecated "legacy generation" S/MIME policy OIDs (#957)
  • 0efbae8 Sc081 update (#955)
  • 82294d2 Update Mozilla SPKI and SignatureAlgorithm encoding lints (#950)
  • 4c12143 util: gtld_map autopull updates for 2025-05-17T01:50:26 UTC (#954)
  • c730a76 SC081 shorter validities (#952)
  • e835b93 util: gtld_map autopull updates for 2025-04-30T04:21:20 UTC (#948)
  • f605149 qcstatem pds must have https only (#935)
  • d1fdcb8 util: gtld_map autopull updates for 2025-04-24T03:28:02 UTC (#945)
  • a790035 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#946)

Full Changelog: v3.6.6...v3.6.7