NIXPKGS-2026-0877

GitHub issue published 2 months, 2 weeks ago

Permalink CVE-2026-32884

5.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 2 months, 2 weeks ago by @mweinelt Activity log

Created suggestion 2 months, 2 weeks ago
@mweinelt ignored
9 packages
- botan2
- botanEsdm
- emiluaPlugins.botan
- python312Packages.botan3
- python313Packages.botan3
- python314Packages.botan3
- haskellPackages.botan-low
- haskellPackages.botan-bindings
- chickenPackages_5.chickenEggs.botan
2 months, 2 weeks ago
@mweinelt accepted 2 months, 2 weeks ago
@mweinelt published on GitHub 2 months, 2 weeks ago

Botan: Case-Insensitive CN Values Bypass DNS excludedSubtrees Name Constraints (RFC 5280 Violation)

Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypasses an excludedSubtrees constraint for evil.com because the comparison is case-sensitive. This issue has been patched in version 3.11.0.

References

https://github.com/randombit/botan/security/advisories/GHSA-7c3g-7763-ggj5 x_refsource_CONFIRM

Affected products

botan

==< 3.11.0

Matching in nixpkgs

pkgs.botan3

Cryptographic algorithms library

nixos-unstable 3.11.0
- nixpkgs-unstable 3.11.0
- nixos-unstable-small 3.11.0

Ignored packages (9)

pkgs.botan2

None

pkgs.botanEsdm

Cryptographic algorithms library

nixos-unstable 3.11.0
- nixpkgs-unstable 3.11.0
- nixos-unstable-small 3.11.0

pkgs.emiluaPlugins.botan

Securely clears secrets from memory in Emilua

nixos-unstable 1.2.1
- nixpkgs-unstable 1.2.1
- nixos-unstable-small 1.2.1

pkgs.python312Packages.botan3

None

pkgs.python313Packages.botan3

Python Bindings for botan3 cryptography library

nixos-unstable botan3-3.11.0
- nixpkgs-unstable botan3-3.11.0
- nixos-unstable-small botan3-3.11.0

pkgs.python314Packages.botan3

Python Bindings for botan3 cryptography library

nixos-unstable botan3-3.11.0
- nixpkgs-unstable botan3-3.11.0
- nixos-unstable-small botan3-3.11.0

pkgs.haskellPackages.botan-low

Low-level Botan bindings

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0

pkgs.haskellPackages.botan-bindings

Raw Botan bindings

nixos-unstable 0.2.0.0
- nixpkgs-unstable 0.2.0.0
- nixos-unstable-small 0.2.0.0

pkgs.chickenPackages_5.chickenEggs.botan

None

Package maintainers

@nikstur nikstur <nikstur@outlook.com>
@thillux Markus Theil <theil.markus@gmail.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>

https://github.com/randombit/botan/security/advisories/GHSA-7c3g-7763-ggj5

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0877

References

Affected products

Matching in nixpkgs

pkgs.botan3

pkgs.botan2

pkgs.botanEsdm

pkgs.emiluaPlugins.botan

pkgs.python312Packages.botan3

pkgs.python313Packages.botan3

pkgs.python314Packages.botan3

pkgs.haskellPackages.botan-low

pkgs.haskellPackages.botan-bindings

pkgs.chickenPackages_5.chickenEggs.botan

Package maintainers