ZLint v3.6.7


chris

Jul 19, 2025, 12:14:45 PM
to ZLint Announcements
# ZLint v3.6.7

The ZMap team is happy to share ZLint v3.6.7 (https://github.com/zmap/zlint/releases/tag/v3.6.7).

Thank you to everyone who contributes to ZLint!

## New Lints
* `e_qcstatem_pds_must_have_https_only`, Checks that a QC Statement of the type id-etsi-qcs-QcPDS contains a URL that uses the https scheme.
* `e_server_cert_valid_time_longer_than_100_days`, TLS server certificates issued on or after March 15, 2027 00:00 GMT/UTC must not have a validity period greater than 100 days.
* `e_server_cert_valid_time_longer_than_200_days`, TLS server certificates issued on or after March 15, 2026 00:00 GMT/UTC must not have a validity period greater than 200 days.
* `e_server_cert_valid_time_longer_than_47_days`, TLS server certificates issued on or after March 15, 2029 00:00 GMT/UTC must not have a validity period greater than 47 days.
* `w_server_cert_valid_time_longer_than_199_days`, TLS server certificates issued on or after March 15, 2026 00:00 GMT/UTC should not have a validity period greater than 199 days.
* `w_server_cert_valid_time_longer_than_46_days`, TLS server certificates issued on or after March 15, 2029 00:00 GMT/UTC should not have a validity period greater than 46 days.
* `w_server_cert_valid_time_longer_than_99_days`, TLS server certificates issued on or after March 15, 2027 00:00 GMT/UTC should not have a validity period greater than 99 days.
* `e_legacy_generation_deprecated`, S/MIME Subscriber Certificates SHALL NOT be issued using the Legacy Generation profiles.
* `e_invalid_individual_identity`, Non-legacy IV and SV certificates... SHALL include either subject:givenName and/or subject:surname, or the subject:pseudonym.
* `e_ca_multiple_reserved_policy_oids`, The CA MUST include exactly one Reserved Certificate Policy Identifier.
* `e_missing_crl_distrib_point`, Checks for the CDP extension in non-Short-lived Subscriber Certificates lacking an OCSP pointer.
* `e_crl_revocation_date_too_early`, The revocation time of each revoked certificate should not be before the publication date of RFC 2459.
* `e_crl_extensions_validity`, Checks that only allowed extensions are present in a CRL and that their criticality is set correctly.
* `e_crl_no_duplicate_extensions`, The CRL must not include duplicate extensions.
* `e_crl_revocation_time_after_this_update`, All revocation times for revoked certificates must be on or before the thisUpdate field of the CRL.
* `e_crl_number_out_of_range`, The CRL number must be greater than or equal to 0 and less than 2^159.
* `e_ca_aia_non_http_url`, Within the AIA extension of CA certificates, accessLocations must contain HTTP URLs.

## Bug Fixes
* `e_mp_ecdsa_pub_key_encoding_correct` is now aware of P-521 algorithm identifiers.
* `w_sub_ca_aia_does_not_contain_issuing_ca_url` is now ineffective as of CABF/BRs 2.0.0.

## Security
* Upgraded golang.org/x/net from 0.37.0 to 0.38.0 to address CVE-2025-22872

## Misc
* Refactor of time utility functions.
* Upgraded Go version from 1.23.0 to 1.24.0.
* Upgraded golangci-lint from 1.62.0 to 1.62.8 to fix CICD compatibility breakages.

## Changelog
* 7ede4d5 set IneffectiveDate for w_sub_ca_aia_does_not_contain_issuing_ca_url (#972)
* 4b2f3ab Upgrade Golang and tooling to fix the linter (#971)
* 91dfcc0 Add lint to check for HTTP URLs in the AIA extension of Subordinate CA certificates (#968)
* 341615f Add lint to check CRL Number range (#964)
* ee3ab84 Add lint to check that revoked certificates in a CRL has revocation time before or equal to thisUpdate. (#965)
* 09caaf7 Add lint to check for duplicate extensions in CRLs. (#963)
* 7ba4cea Add CRL lint to check CRL extensions and their validity (#962)
* 0747c42 Add CRL lint to check revocation time in revoked certificates (#961)
* fff6f82 Add lint to check for the CDP extension to be present in non-Short-lived Subscriber Certificates lacking an OCSP pointer (#966)
* 71f17a7 Add lint to check for multiple Reserved Policy Identifiers in Subordinate CA certificates (#959)
* 8696d6c Add lint to check for mandatory individual identity subject attributes in non-legacy IV and SV S/MIME certificates (#958)
* 28c4390 Please add lint to check for deprecated "legacy generation" S/MIME policy OIDs (#957)
* 0efbae8 Sc081 update (#955)
* 82294d2 Update Mozilla SPKI and SignatureAlgorithm encoding lints (#950)
* 4c12143 util: gtld_map autopull updates for 2025-05-17T01:50:26 UTC (#954)
* c730a76 SC081 shorter validities (#952)
* e835b93 util: gtld_map autopull updates for 2025-04-30T04:21:20 UTC (#948)
* f605149 qcstatem pds must have https only (#935)
* d1fdcb8 util: gtld_map autopull updates for 2025-04-24T03:28:02 UTC (#945)
* a790035 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#946)

**Full Changelog**: https://github.com/zmap/zlint/compare/v3.6.6...v3.6.7
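The validity schedule behind the six `*_server_cert_valid_time_longer_than_*` lints listed under New Lints, as an added Go example (not ZLint's own code) for pre-checking issuance profiles against the 2026, 2027 and 2029 limits. Assumptions: `notBefore` stands in for the issuance date, the validity period includes `notAfter` and is counted in 86,400-second days with any partial day rounding up, only the tightest tier in force is reported, and the names `tier`, `schedule`, `utc`, `ValidityDays` and `Check` are hypothetical.

```go
package main

import (
	"fmt"
	"time"
)

// tier is one step of the validity schedule from the lint descriptions.
type tier struct {
	effective time.Time // applies to certificates issued on or after this instant
	errDays   int       // e_ lint fires above this many days
	warnDays  int       // w_ lint fires above this many days
}

func utc(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// Newest tier first, so the first match is the tightest rule in force.
var schedule = []tier{
	{utc(2029, time.March, 15), 47, 46},
	{utc(2027, time.March, 15), 100, 99},
	{utc(2026, time.March, 15), 200, 199},
}

// ValidityDays (assumed counting rule): notAfter is inclusive, partial days round up.
func ValidityDays(notBefore, notAfter time.Time) int {
	secs := int64(notAfter.Sub(notBefore)/time.Second) + 1
	return int((secs + 86399) / 86400)
}

// Check returns the most severe applicable lint name, or "" (notBefore assumed = issuance date).
func Check(notBefore, notAfter time.Time) string {
	days := ValidityDays(notBefore, notAfter)
	for _, t := range schedule {
		switch {
		case notBefore.Before(t.effective):
			continue // tier not yet in force for this certificate
		case days > t.errDays:
			return fmt.Sprintf("e_server_cert_valid_time_longer_than_%d_days", t.errDays)
		case days > t.warnDays:
			return fmt.Sprintf("w_server_cert_valid_time_longer_than_%d_days", t.warnDays)
		}
		return ""
	}
	return ""
}

func main() {
	nb := utc(2026, time.March, 15) // constructed sample dates, one second apart at the limit
	fmt.Println(Check(nb, nb.Add(200*24*time.Hour-time.Second)), Check(nb, nb.Add(200*24*time.Hour)))
}
```

Under the inclusive counting assumed here, a `notAfter` set to exactly `notBefore` plus 200 days counts as 201 days, so issuance tooling that adds whole days should subtract one second.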