Security update for Botan SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0201-1 Final 1 1 2024-07-16T06:28:15Z current 2024-07-16T06:28:15Z 2024-07-16T06:28:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Botan This update for Botan fixes the following issues: Update to 2.19.5: * Fix multiple Denial of service attacks due to X.509 cert processing: * CVE-2024-34702 - boo#1227238 * CVE-2024-34703 - boo#1227607 * CVE-2024-39312 - boo#1227608 * Fix a crash in OCB * Fix a test failure in compression with certain versions of zlib * Fix some iterator debugging errors in TLS CBC decryption. * Avoid a miscompilation in ARIA when using XCode 14 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-201 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6IOSLFSD2TJGWL4XB37VIQSVW7SPG2IP/ E-Mail link for openSUSE-SU-2024:0201-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227238 SUSE Bug 1227238 https://bugzilla.suse.com/1227607 SUSE Bug 1227607 https://bugzilla.suse.com/1227608 SUSE Bug 1227608 https://www.suse.com/security/cve/CVE-2024-34702/ SUSE CVE CVE-2024-34702 page https://www.suse.com/security/cve/CVE-2024-34703/ SUSE CVE CVE-2024-34703 page https://www.suse.com/security/cve/CVE-2024-39312/ SUSE CVE CVE-2024-39312 page SUSE Package Hub 15 SP5 openSUSE Leap 15.5 Botan-2.19.5-bp155.2.3.1 Botan-doc-2.19.5-bp155.2.3.1 libbotan-2-19-2.19.5-bp155.2.3.1 libbotan-2-19-32bit-2.19.5-bp155.2.3.1 libbotan-2-19-64bit-2.19.5-bp155.2.3.1 libbotan-devel-2.19.5-bp155.2.3.1 libbotan-devel-32bit-2.19.5-bp155.2.3.1 libbotan-devel-64bit-2.19.5-bp155.2.3.1 python3-botan-2.19.5-bp155.2.3.1 Botan-2.19.5-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 Botan-doc-2.19.5-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 libbotan-2-19-2.19.5-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 libbotan-2-19-32bit-2.19.5-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 libbotan-2-19-64bit-2.19.5-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 libbotan-devel-2.19.5-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 libbotan-devel-32bit-2.19.5-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 libbotan-devel-64bit-2.19.5-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 python3-botan-2.19.5-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 Botan-2.19.5-bp155.2.3.1 as a component of openSUSE Leap 15.5 Botan-doc-2.19.5-bp155.2.3.1 as a component of openSUSE Leap 15.5 libbotan-2-19-2.19.5-bp155.2.3.1 as a component of openSUSE Leap 15.5 libbotan-2-19-32bit-2.19.5-bp155.2.3.1 as a component of openSUSE Leap 15.5 libbotan-2-19-64bit-2.19.5-bp155.2.3.1 as a component of openSUSE Leap 15.5 libbotan-devel-2.19.5-bp155.2.3.1 as a component of openSUSE Leap 15.5 libbotan-devel-32bit-2.19.5-bp155.2.3.1 as a component of openSUSE Leap 15.5 libbotan-devel-64bit-2.19.5-bp155.2.3.1 as a component of openSUSE Leap 15.5 python3-botan-2.19.5-bp155.2.3.1 as a component of openSUSE Leap 15.5 Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and name constraints. An attacker who presented a certificate chain which contained a very large number of names in the SubjectAlternativeName, signed by a CA certificate which contained a large number of name constraints, could cause a denial of service. The problem has been addressed in Botan 3.5.0 and a partial backport has also been applied and is included in Botan 2.19.5. CVE-2024-34702 SUSE Package Hub 15 SP5:Botan-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:Botan-doc-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-2-19-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-2-19-32bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-2-19-64bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-devel-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-devel-32bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-devel-64bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:python3-botan-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:Botan-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:Botan-doc-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-2-19-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-2-19-32bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-2-19-64bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-devel-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-devel-32bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-devel-64bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:python3-botan-2.19.5-bp155.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6IOSLFSD2TJGWL4XB37VIQSVW7SPG2IP/ https://www.suse.com/security/cve/CVE-2024-34702.html CVE-2024-34702 https://bugzilla.suse.com/1227607 SUSE Bug 1227607 Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan. CVE-2024-34703 SUSE Package Hub 15 SP5:Botan-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:Botan-doc-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-2-19-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-2-19-32bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-2-19-64bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-devel-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-devel-32bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-devel-64bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:python3-botan-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:Botan-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:Botan-doc-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-2-19-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-2-19-32bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-2-19-64bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-devel-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-devel-32bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-devel-64bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:python3-botan-2.19.5-bp155.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6IOSLFSD2TJGWL4XB37VIQSVW7SPG2IP/ https://www.suse.com/security/cve/CVE-2024-34703.html CVE-2024-34703 https://bugzilla.suse.com/1227238 SUSE Bug 1227238 Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5. CVE-2024-39312 SUSE Package Hub 15 SP5:Botan-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:Botan-doc-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-2-19-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-2-19-32bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-2-19-64bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-devel-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-devel-32bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:libbotan-devel-64bit-2.19.5-bp155.2.3.1 SUSE Package Hub 15 SP5:python3-botan-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:Botan-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:Botan-doc-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-2-19-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-2-19-32bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-2-19-64bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-devel-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-devel-32bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:libbotan-devel-64bit-2.19.5-bp155.2.3.1 openSUSE Leap 15.5:python3-botan-2.19.5-bp155.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6IOSLFSD2TJGWL4XB37VIQSVW7SPG2IP/ https://www.suse.com/security/cve/CVE-2024-39312.html CVE-2024-39312 https://bugzilla.suse.com/1227608 SUSE Bug 1227608