Nixpkgs security tracker
Botan has a TLS 1.3 certificate authentication bypass
Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.
References
-
https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g x_refsource_CONFIRM
Affected products
- ==< 3.11.1
Matching in nixpkgs
pkgs.botan2
Cryptographic algorithms library
pkgs.botan3
Cryptographic algorithms library
pkgs.botanEsdm
Cryptographic algorithms library
pkgs.emiluaPlugins.botan
Securely clears secrets from memory in Emilua
pkgs.python312Packages.botan3
Python Bindings for botan3 cryptography library
-
nixos-25.11 botan3-3.10.0
- nixos-25.11-small botan3-3.10.0
- nixpkgs-25.11-darwin botan3-3.10.0
pkgs.python313Packages.botan3
Python Bindings for botan3 cryptography library
-
nixos-unstable botan3-3.11.0
- nixpkgs-unstable botan3-3.11.1
- nixos-unstable-small botan3-3.11.1
-
nixos-25.11 botan3-3.10.0
- nixos-25.11-small botan3-3.10.0
- nixpkgs-25.11-darwin botan3-3.10.0
pkgs.python314Packages.botan3
Python Bindings for botan3 cryptography library
-
nixos-unstable botan3-3.11.0
- nixpkgs-unstable botan3-3.11.1
- nixos-unstable-small botan3-3.11.1
pkgs.haskellPackages.botan-low
Low-level Botan bindings
pkgs.haskellPackages.botan-bindings
Raw Botan bindings
pkgs.chickenPackages_5.chickenEggs.botan
Bindings to the Botan cryptographic library
Package maintainers
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@thillux Markus Theil <theil.markus@gmail.com>
-
@manipuladordedados Valter Nazianzeno <manipuladordedados@gmail.com>
-
@nikstur nikstur <nikstur@outlook.com>
-
@mikatammi Mika Tammi <mikatammi@gmail.com>