Sourced from github.com/zmap/zlint/v3's releases.

v3.6.0

ZLint v3.6.0

The ZMap team is happy to share ZLint v3.6.0.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Deprecation Warning:

This is primarily a deprecation warning for the library usages of ZLint.

The lint.Lint has been deprecated in favor of the categorical interfaces - CertificateLint and RevocationListLint.

It is advised to refrain from implementing news lints that target the lint.Lint interface as this interface will be removed entirely in a future release.

When implementing a lint for a x509 certificate, library usages should favor implementing the CertificateLint interface. Similarly, when implementing a lint for a CRL, the RevocationListLint interface should be used.

Security Patches

A patch was applied to the test certificate generation script which addresses CVE-2023-48795 (Severity Score: 5.9). This script never went online and as such never triggered the vulnerability.

Bug Fixes

• Corrected an issue in e_registration_scheme_id_matches_subject_country wherein LEI and INT certificates were being incorrectly checked.

New Lints:

Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see zmap/zlint#712

• SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
• Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
• Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
• Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
• Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
• Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
• Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
• Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
• Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
• Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
• subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
• subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
• Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
• subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
• subject DN attributes for mailbox-validated profile (7.1.4.2.3)

Changelog

• be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781)
• dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
• 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)
• d4e2de0 Fix goreleaser deprecation (#783)
• f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)

... (truncated)

• be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to ...
• dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
• 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)
• d4e2de0 Fix goreleaser deprecation (#783)
• f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)
• c1aacb0 golangci-lint update and fixes (#782)
• f90a51e util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778)
• 45de880 refactor of SMIME aia contains (#777)
• bc2c0fd CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768)
• 7f6ef92 Metalint for checking against the deprecaetd lint.RegisterLint function (#775)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)