CVE-2024-34702

Name
CVE-2024-34702
Description
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and name constraints. An attacker who presented a certificate chain which contained a very large number of names in the SubjectAlternativeName, signed by a CA certificate which contained a large number of name constraints, could cause a denial of service. The problem has been addressed in Botan 3.5.0 and a partial backport has also been applied and is included in Botan 2.19.5.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j
MISC https://github.com/randombit/botan/pull/4034
MISC https://github.com/randombit/botan/pull/4045
MISC https://github.com/randombit/botan/pull/4047
MISC https://github.com/randombit/botan/pull/4052
MISC https://github.com/randombit/botan/pull/4186
MISC https://github.com/randombit/botan/pull/4187
MISC https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e
MISC https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac
MISC https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1
MISC https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf
MISC https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41
MISC https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8

Match rules

CPE URI Source package Min version Max version
botan >= 0 < 2.19.5
botan >= 3.0.0 < 3.5.0
cpe:2.3:a:randombit:botan:*:*:*:*:*:*:*:* botan >= 3.0.0 < 3.5.0
cpe:2.3:a:randombit:botan:*:*:*:*:*:*:*:* botan >= 0 < 2.19.5

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
botan edge-main 2.19.4-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
botan 3.20-main 2.19.4-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
botan 3.19-main 2.19.3-r5 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
botan 3.18-main 2.19.3-r3 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
botan 3.17-main 2.19.3-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable