Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: botanEsdm

Found 4 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-34582
created 1 week ago
Botan has a TLS 1.3 certificate authentication bypass

Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.

Affected products

botan
  • ==< 3.11.1

Matching in nixpkgs

pkgs.botan2

Cryptographic algorithms library

Package maintainers

Untriaged
Permalink CVE-2026-34580
created 1 week ago
Botan has a certificate authentication bypass due to trust anchor confusion

Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. , This vulnerability is fixed in 3.11.1.

Affected products

botan
  • ==>= 3.11.0, < 3.11.1

Matching in nixpkgs

pkgs.botan2

Cryptographic algorithms library

Package maintainers

Untriaged
Permalink CVE-2026-32883
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 2 weeks, 1 day ago
Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass

Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.

Affected products

botan
  • ==>= 3.0.0, < 3.11.0

Matching in nixpkgs

pkgs.botan2

Cryptographic algorithms library

Package maintainers

Untriaged
Permalink CVE-2024-34703
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 2 weeks ago
Botan Vulnerable to Denial of Service Due to Overly Large Elliptic Curve Parameters

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.

References

Affected products

botan
  • ==< 2.19.4
  • <2.19.4
  • <3.3.1
  • ==>= 3.3.0, < 3.3.0
  • ==>= 3.0.0-alpha0, < 3.3.0

Matching in nixpkgs

pkgs.botan2

Cryptographic algorithms library

Package maintainers