rpm package
opensuse/Botan&distro=openSUSE Leap 15.5
pkg:rpm/opensuse/Botan&distro=openSUSE%20Leap%2015.5
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-50383 | — | < 2.19.5-bp156.3.6.1 | 2.19.5-bp156.3.6.1 | Oct 23, 2024 | Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, | ||
| CVE-2024-50382 | — | < 2.19.5-bp156.3.6.1 | 2.19.5-bp156.3.6.1 | Oct 23, 2024 | Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V. | ||
| CVE-2024-34702 | Med | 5.3 | < 2.19.5-bp155.2.3.1 | 2.19.5-bp155.2.3.1 | Jul 8, 2024 | Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and | |
| CVE-2024-39312 | — | < 2.19.5-bp155.2.3.1 | 2.19.5-bp155.2.3.1 | Jul 8, 2024 | Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both | ||
| CVE-2024-34703 | Hig | 7.5 | < 2.19.5-bp155.2.3.1 | 2.19.5-bp155.2.3.1 | Jun 30, 2024 | Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding wh |
- CVE-2024-50383Oct 23, 2024affected < 2.19.5-bp156.3.6.1fixed 2.19.5-bp156.3.6.1
Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS,
- CVE-2024-50382Oct 23, 2024affected < 2.19.5-bp156.3.6.1fixed 2.19.5-bp156.3.6.1
Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V.
- affected < 2.19.5-bp155.2.3.1fixed 2.19.5-bp155.2.3.1
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and
- CVE-2024-39312Jul 8, 2024affected < 2.19.5-bp155.2.3.1fixed 2.19.5-bp155.2.3.1
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both
- affected < 2.19.5-bp155.2.3.1fixed 2.19.5-bp155.2.3.1
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding wh