NIXPKGS-2026-0881

GitHub issue published on

Permalink CVE-2026-32883

5.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 1 month ago by @mweinelt Activity log

Created suggestion 1 month ago
@mweinelt ignored
9 packages
- botan2
- botanEsdm
- emiluaPlugins.botan
- python312Packages.botan3
- python313Packages.botan3
- python314Packages.botan3
- haskellPackages.botan-low
- haskellPackages.botan-bindings
- chickenPackages_5.chickenEggs.botan
1 month ago
@mweinelt accepted 1 month ago
@mweinelt published on GitHub 1 month ago

Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass

Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.

References

https://github.com/randombit/botan/security/advisories/GHSA-9j2j-hqmc-hf5x x_refsource_CONFIRM

Affected products

botan

==>= 3.0.0, < 3.11.0

Matching in nixpkgs

pkgs.botan3

Cryptographic algorithms library

nixos-unstable 3.11.0
- nixpkgs-unstable 3.11.0
- nixos-unstable-small 3.11.0
nixos-25.11 3.10.0
- nixos-25.11-small 3.10.0
- nixpkgs-25.11-darwin 3.10.0

Ignored packages (9)

pkgs.botan2

Cryptographic algorithms library

pkgs.botanEsdm

Cryptographic algorithms library

nixos-unstable 3.11.0
- nixpkgs-unstable 3.11.0
- nixos-unstable-small 3.11.0
nixos-25.11 3.10.0
- nixos-25.11-small 3.10.0
- nixpkgs-25.11-darwin 3.10.0

pkgs.emiluaPlugins.botan

Securely clears secrets from memory in Emilua

nixos-unstable 1.2.1
- nixpkgs-unstable 1.2.1
- nixos-unstable-small 1.2.1
nixos-25.11 1.2.1
- nixos-25.11-small 1.2.1
- nixpkgs-25.11-darwin 1.2.1

pkgs.python312Packages.botan3

Python Bindings for botan3 cryptography library

nixos-25.11 botan3-3.10.0
- nixos-25.11-small botan3-3.10.0
- nixpkgs-25.11-darwin botan3-3.10.0

pkgs.python313Packages.botan3

Python Bindings for botan3 cryptography library

nixos-unstable botan3-3.11.0
- nixpkgs-unstable botan3-3.11.0
- nixos-unstable-small botan3-3.11.0
nixos-25.11 botan3-3.10.0
- nixos-25.11-small botan3-3.10.0
- nixpkgs-25.11-darwin botan3-3.10.0

pkgs.python314Packages.botan3

Python Bindings for botan3 cryptography library

nixos-unstable botan3-3.11.0
- nixpkgs-unstable botan3-3.11.0
- nixos-unstable-small botan3-3.11.0

pkgs.haskellPackages.botan-low

Low-level Botan bindings

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0
nixos-25.11 0.0.2.0
- nixos-25.11-small 0.0.2.0
- nixpkgs-25.11-darwin 0.0.2.0

pkgs.haskellPackages.botan-bindings

Raw Botan bindings

nixos-unstable 0.2.0.0
- nixpkgs-unstable 0.2.0.0
- nixos-unstable-small 0.2.0.0
nixos-25.11 0.1.0.0
- nixos-25.11-small 0.1.0.0
- nixpkgs-25.11-darwin 0.1.0.0

pkgs.chickenPackages_5.chickenEggs.botan

Bindings to the Botan cryptographic library

Package maintainers

@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@thillux Markus Theil <theil.markus@gmail.com>

https://github.com/randombit/botan/security/advisories/GHSA-9j2j-hqmc-hf5x

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0881

References

Affected products

Matching in nixpkgs

pkgs.botan3

pkgs.botan2

pkgs.botanEsdm

pkgs.emiluaPlugins.botan

pkgs.python312Packages.botan3

pkgs.python313Packages.botan3

pkgs.python314Packages.botan3

pkgs.haskellPackages.botan-low

pkgs.haskellPackages.botan-bindings

pkgs.chickenPackages_5.chickenEggs.botan

Package maintainers