CVE-2024-39312

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-39312
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-39312.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-39312
Aliases
  • GHSA-jp24-56jm-gg86
Related
Published
2024-07-08T17:15:11Z
Modified
2024-10-09T11:46:39.647603Z
Summary
[none]
Details

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5.

References

Affected packages

Alpine:v3.17 / botan

Package

Name
botan
Purl
pkg:apk/alpine/botan?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.19.5-r0

Affected versions

2.*

2.4.0-r0
2.4.0-r1
2.4.0-r2
2.5.0-r0
2.6.0-r0
2.7.0-r0
2.7.0-r1
2.7.0-r2
2.8.0-r0
2.9.0-r0
2.9.0-r1
2.11.0-r0
2.11.0-r1
2.11.0-r2
2.11.0-r3
2.11.0-r4
2.11.0-r5
2.11.0-r6
2.17.3-r0
2.17.3-r1
2.17.3-r2
2.18.1-r0
2.18.1-r1
2.18.1-r2
2.18.1-r3
2.18.1-r4
2.19.1-r0
2.19.1-r1
2.19.1-r2
2.19.1-r3
2.19.2-r0
2.19.2-r1
2.19.3-r0

Alpine:v3.18 / botan

Package

Name
botan
Purl
pkg:apk/alpine/botan?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.19.5-r0

Affected versions

2.*

2.4.0-r0
2.4.0-r1
2.4.0-r2
2.5.0-r0
2.6.0-r0
2.7.0-r0
2.7.0-r1
2.7.0-r2
2.8.0-r0
2.9.0-r0
2.9.0-r1
2.11.0-r0
2.11.0-r1
2.11.0-r2
2.11.0-r3
2.11.0-r4
2.11.0-r5
2.11.0-r6
2.17.3-r0
2.17.3-r1
2.17.3-r2
2.18.1-r0
2.18.1-r1
2.18.1-r2
2.18.1-r3
2.18.1-r4
2.19.1-r0
2.19.1-r1
2.19.1-r2
2.19.1-r3
2.19.2-r0
2.19.2-r1
2.19.3-r0
2.19.3-r1
2.19.3-r2
2.19.3-r3

Alpine:v3.19 / botan

Package

Name
botan
Purl
pkg:apk/alpine/botan?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.19.5-r0

Affected versions

2.*

2.4.0-r0
2.4.0-r1
2.4.0-r2
2.5.0-r0
2.6.0-r0
2.7.0-r0
2.7.0-r1
2.7.0-r2
2.8.0-r0
2.9.0-r0
2.9.0-r1
2.11.0-r0
2.11.0-r1
2.11.0-r2
2.11.0-r3
2.11.0-r4
2.11.0-r5
2.11.0-r6
2.17.3-r0
2.17.3-r1
2.17.3-r2
2.18.1-r0
2.18.1-r1
2.18.1-r2
2.18.1-r3
2.18.1-r4
2.19.1-r0
2.19.1-r1
2.19.1-r2
2.19.1-r3
2.19.2-r0
2.19.2-r1
2.19.3-r0
2.19.3-r1
2.19.3-r2
2.19.3-r3
2.19.3-r4
2.19.3-r5

Alpine:v3.20 / botan

Package

Name
botan
Purl
pkg:apk/alpine/botan?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.19.5-r0

Affected versions

2.*

2.4.0-r0
2.4.0-r1
2.4.0-r2
2.5.0-r0
2.6.0-r0
2.7.0-r0
2.7.0-r1
2.7.0-r2
2.8.0-r0
2.9.0-r0
2.9.0-r1
2.11.0-r0
2.11.0-r1
2.11.0-r2
2.11.0-r3
2.11.0-r4
2.11.0-r5
2.11.0-r6
2.17.3-r0
2.17.3-r1
2.17.3-r2
2.18.1-r0
2.18.1-r1
2.18.1-r2
2.18.1-r3
2.18.1-r4
2.19.1-r0
2.19.1-r1
2.19.1-r2
2.19.1-r3
2.19.2-r0
2.19.2-r1
2.19.3-r0
2.19.3-r1
2.19.3-r2
2.19.3-r3
2.19.3-r4
2.19.3-r5
2.19.3-r6
2.19.4-r0

Debian:11 / botan

Package

Name
botan
Purl
pkg:deb/debian/botan?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.17.3+dfsg-2
2.17.3+dfsg-3
2.18.1+dfsg-1
2.18.1+dfsg-2
2.18.1+dfsg-3
2.18.2+dfsg-1
2.19.1+dfsg-1
2.19.1+dfsg-2
2.19.1+dfsg-3
2.19.2+dfsg-1
2.19.3+dfsg-1
2.19.4+dfsg-1
2.19.5+dfsg-1
2.19.5+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / botan

Package

Name
botan
Purl
pkg:deb/debian/botan?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.19.3+dfsg-1
2.19.4+dfsg-1
2.19.5+dfsg-1
2.19.5+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / botan

Package

Name
botan
Purl
pkg:deb/debian/botan?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.19.5+dfsg-1

Affected versions

2.*

2.19.3+dfsg-1
2.19.4+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}