Nixpkgs security tracker

Untriaged

Permalink CVE-2026-32883

5.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 2 weeks, 1 day ago

Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass

Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.

References

https://github.com/randombit/botan/security/advisories/GHSA-9j2j-hqmc-hf5x x_refsource_CONFIRM

Affected products

botan

==>= 3.0.0, < 3.11.0

Matching in nixpkgs

pkgs.botan2

Cryptographic algorithms library

pkgs.botan3

Cryptographic algorithms library

nixos-unstable 3.11.0
- nixpkgs-unstable 3.11.0
- nixos-unstable-small 3.11.0
nixos-25.11 3.10.0
- nixos-25.11-small 3.10.0
- nixpkgs-25.11-darwin 3.10.0

pkgs.botanEsdm

Cryptographic algorithms library

nixos-unstable 3.11.0
- nixpkgs-unstable 3.11.0
- nixos-unstable-small 3.11.0
nixos-25.11 3.10.0
- nixos-25.11-small 3.10.0
- nixpkgs-25.11-darwin 3.10.0

pkgs.emiluaPlugins.botan

Securely clears secrets from memory in Emilua

nixos-unstable 1.2.1
- nixpkgs-unstable 1.2.1
- nixos-unstable-small 1.2.1
nixos-25.11 1.2.1
- nixos-25.11-small 1.2.1
- nixpkgs-25.11-darwin 1.2.1

pkgs.python312Packages.botan3

Python Bindings for botan3 cryptography library

nixos-25.11 botan3-3.10.0
- nixos-25.11-small botan3-3.10.0
- nixpkgs-25.11-darwin botan3-3.10.0

pkgs.python313Packages.botan3

Python Bindings for botan3 cryptography library

nixos-unstable botan3-3.11.0
- nixpkgs-unstable botan3-3.11.0
- nixos-unstable-small botan3-3.11.0
nixos-25.11 botan3-3.10.0
- nixos-25.11-small botan3-3.10.0
- nixpkgs-25.11-darwin botan3-3.10.0

pkgs.python314Packages.botan3

Python Bindings for botan3 cryptography library

nixos-unstable botan3-3.11.0
- nixpkgs-unstable botan3-3.11.0
- nixos-unstable-small botan3-3.11.0

pkgs.haskellPackages.botan-low

Low-level Botan bindings

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0
nixos-25.11 0.0.2.0
- nixos-25.11-small 0.0.2.0
- nixpkgs-25.11-darwin 0.0.2.0

pkgs.haskellPackages.botan-bindings

Raw Botan bindings

nixos-unstable 0.2.0.0
- nixpkgs-unstable 0.2.0.0
- nixos-unstable-small 0.2.0.0
nixos-25.11 0.1.0.0
- nixos-25.11-small 0.1.0.0
- nixpkgs-25.11-darwin 0.1.0.0

pkgs.chickenPackages_5.chickenEggs.botan

Bindings to the Botan cryptographic library

Package maintainers

@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@thillux Markus Theil <theil.markus@gmail.com>
@manipuladordedados Valter Nazianzeno <manipuladordedados@gmail.com>
@nikstur nikstur <nikstur@outlook.com>
@mikatammi Mika Tammi <mikatammi@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.botan2

pkgs.botan3

pkgs.botanEsdm

pkgs.emiluaPlugins.botan

pkgs.python312Packages.botan3

pkgs.python313Packages.botan3

pkgs.python314Packages.botan3

pkgs.haskellPackages.botan-low

pkgs.haskellPackages.botan-bindings

pkgs.chickenPackages_5.chickenEggs.botan

Package maintainers