Name | CVE-2017-2801 |
Description | A programming error exists in a way Randombit Botan cryptographic library version 2.0.1 implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-915-1, DSA-3939-1 |
Debian Bugs | 860072 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
botan1.10 (PTS) | jessie, jessie (lts) | 1.10.8-2+deb8u2 | fixed |
| stretch (security), stretch (lts), stretch | 1.10.17-1+deb9u1 | fixed |
The information below is based on the following data on fixed versions.
Notes
https://github.com/randombit/botan/commit/c927101675e5f63fc0bdd93c5a4825adc54323b4 (1.10.16)
Bug introduced in 1.6.0 or earlier, fixed in 2.1.0 and 1.10.16