Bug 1227608 (CVE-2024-39312)

Summary: VUL-0: CVE-2024-39312: Botan: Improper certificate validation
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: kstreitova, thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/413033/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-39312:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-07-10 08:37:36 UTC
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by the excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39312
https://www.cve.org/CVERecord?id=CVE-2024-39312
https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86
https://bugzilla.redhat.com/show_bug.cgi?id=2296352
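The flaw described above, as an added illustration that is not Botan's own code: a dNSName name-constraint check in the vulnerable shape (only permitted subtrees consulted) beside the correct shape (a name must lie inside a permitted subtree and outside every excluded one). Subtree matching follows RFC 5280 section 4.2.1.10; the function names and sample constraints are assumptions made for this example.

```cpp
// Added example, not Botan code: name-constraint evaluation for dNSName entries.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Does `name` fall inside the dNSName subtree `constraint`?
// RFC 5280 4.2.1.10: "host.example.com" matches itself and any name built by
// prepending labels ("www.host.example.com"), but not "host1.example.com".
static bool in_dns_subtree(std::string name, std::string constraint) {
    auto lower = [](std::string s) {
        std::transform(s.begin(), s.end(), s.begin(),
                       [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        return s;
    };
    name = lower(name);
    constraint = lower(constraint);
    if (name == constraint) return true;
    if (name.size() <= constraint.size()) return false;
    // Suffix match must sit on a label boundary, or "evilexample.com" would match "example.com".
    return name.compare(name.size() - constraint.size(), constraint.size(), constraint) == 0 &&
           name[name.size() - constraint.size() - 1] == '.';
}

static bool in_any(const std::string& name, const std::vector<std::string>& subtrees) {
    return std::any_of(subtrees.begin(), subtrees.end(),
                       [&](const std::string& c) { return in_dns_subtree(name, c); });
}

// Vulnerable shape (hypothetical, modelled on the advisory text): the excluded
// subtrees are never consulted, so a name that is permitted AND excluded passes.
bool dns_name_allowed_buggy(const std::string& name, const std::vector<std::string>& permitted,
                            const std::vector<std::string>& /*excluded: ignored*/) {
    return permitted.empty() || in_any(name, permitted);
}

// Fixed shape: exclusion is evaluated first and always wins; then the name must
// be inside some permitted subtree if any permitted subtrees are present.
bool dns_name_allowed(const std::string& name, const std::vector<std::string>& permitted,
                      const std::vector<std::string>& excluded) {
    if (in_any(name, excluded)) return false;
    return permitted.empty() || in_any(name, permitted);
}

int main() {
    // Constructed sample: CA may issue under example.com, except the internal zone.
    std::vector<std::string> permitted{"example.com"}, excluded{"internal.example.com"};
    std::string leaf = "db.internal.example.com";
    std::cout << "buggy accepts: " << dns_name_allowed_buggy(leaf, permitted, excluded)
              << ", fixed accepts: " << dns_name_allowed(leaf, permitted, excluded) << "\n";
}
```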
Comment 1 OBSbugzilla Bot 2024-07-15 09:15:06 UTC
This is an autogenerated message for OBS integration:
This bug (1227608) was mentioned in
https://build.opensuse.org/request/show/1187488 Backports:SLE-15-SP5 / Botan
https://build.opensuse.org/request/show/1187501 Backports:SLE-15-SP6 / Botan
Comment 2 Marcus Meissner 2024-07-16 10:04:52 UTC
openSUSE-SU-2024:0201-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1227238,1227607,1227608
CVE References: CVE-2024-34702,CVE-2024-34703,CVE-2024-39312
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    Botan-2.19.5-bp155.2.3.1