CVE-2024-39312

Name: CVE-2024-39312
Description: Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by the excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release     | Version        | Status
botan (PTS)    | buster      | 2.9.0-2        | vulnerable
               | bullseye    | 2.17.3+dfsg-2  | vulnerable
               | bookworm    | 2.19.3+dfsg-1  | vulnerable
               | sid, trixie | 2.19.5+dfsg-3  | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency     | Origin | Debian Bugs
botan   | source | buster     | (unfixed)      | end-of-life |        |
botan   | source | (unstable) | 2.19.5+dfsg-1  |             |        |

Notes

[bookworm] - botan <no-dsa> (Minor issue)
[bullseye] - botan <no-dsa> (Minor issue)
https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86
