[USN-7586-1] Botan vulnerabilities

Sun, 22 Jun 2025 22:37:05 -0700 

==========================================================================
Ubuntu Security Notice USN-7586-1
June 23, 2025

botan vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Botan.

Software Description:
- botan: C++ cryptography library

Details:

It was discovered that Botan could have compiler dependent operations
induced under certain circumstances. An attacker could possibly use this
issue to cause undefined behavior. (CVE-2024-50382, CVE-2024-50383)

Bing Shi discovered that Botan did not limit the size of certain inputs
when checking primality and name constraints. An attacker could possibly
use this issue to cause a denial of service. (CVE-2024-34702,
CVE-2024-34703)

It was discovered that Botan did not correctly handle conflicting name
constraints. An attacker could possibly use this issue to bypass
authentication. (CVE-2024-39312)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  botan                           2.19.3+dfsg-1ubuntu2.1
  libbotan-2-19                   2.19.3+dfsg-1ubuntu2.1
  libbotan-2-dev                  2.19.3+dfsg-1ubuntu2.1
  python3-botan                   2.19.3+dfsg-1ubuntu2.1

Ubuntu 24.04 LTS
  botan                           2.19.3+dfsg-1ubuntu2+esm1
                                  Available with Ubuntu Pro
  libbotan-2-19                   2.19.3+dfsg-1ubuntu2+esm1
                                  Available with Ubuntu Pro
  libbotan-2-dev                  2.19.3+dfsg-1ubuntu2+esm1
                                  Available with Ubuntu Pro
  python3-botan                   2.19.3+dfsg-1ubuntu2+esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  botan                           2.19.1+dfsg-2ubuntu1+esm1
                                  Available with Ubuntu Pro
  libbotan-2-19                   2.19.1+dfsg-2ubuntu1+esm1
                                  Available with Ubuntu Pro
  libbotan-2-dev                  2.19.1+dfsg-2ubuntu1+esm1
                                  Available with Ubuntu Pro
  python3-botan                   2.19.1+dfsg-2ubuntu1+esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7586-1
  CVE-2024-34702, CVE-2024-34703, CVE-2024-39312, CVE-2024-50382,
  CVE-2024-50383

Package Information:
  https://launchpad.net/ubuntu/+source/botan/2.19.3+dfsg-1ubuntu2.1

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to