Bugzilla – Bug 1205509
VUL-0: CVE-2022-43705: Botan: OCSP response falsification
Last modified: 2022-11-23 14:25:51 UTC
rh#2143417

Botan 2.19.2 and older failed to verify that an authorized responder certificate embedded in an OCSP response is authorized by the issuing CA. As a result, any valid signature by an embedded certificate passed the check and was allowed to make claims about the revocation status of certificates of any CA.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2143417
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-43705

Relevant for:
- openSUSE:Backports:SLE-12:Update 1.10.9
- openSUSE:Backports:SLE-15-SP3 2.10.0
- openSUSE:Backports:SLE-15-SP4 2.18.2
- openSUSE:Backports:SLE-15-SP5 2.19.2
- openSUSE:Factory 2.19.2
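The check the report describes, as an added example that is not Botan's code: a constructed Python model of the RFC 6960 section 4.2.2.2 authorized-responder rule. `vulnerable_check` mirrors the behaviour in the description (any embedded certificate with a valid signature over the response is accepted), and `fixed_check` additionally requires the embedded certificate to be issued directly by the CA of the certificate being checked and to carry id-kp-OCSPSigning. The certificate structure, the toy RSA keys on fixed Mersenne primes, the CA and responder names and the revocation claim are all constructed for the model; `scenarios()` runs four responses against the same issuing CA.

```python
"""Model of the OCSP responder-authorization check behind CVE-2022-43705.
Added example, not Botan's code: certificates are a small dataclass and
signatures are textbook RSA over SHA-256 with fixed primes (toy keys only)."""
from dataclasses import dataclass
import hashlib

OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning extended key usage
E = 65537

def make_key(p, q):
    """Toy RSA key (n, d) from two fixed primes; public exponent is E."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    n, d = key
    return pow(_digest(data, n), d, n)

def verify(n, data, sig):
    return pow(sig, E, n) == _digest(data, n)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub_n: int          # public modulus of the subject's key
    eku: tuple = ()     # extended key usage OIDs
    sig: int = 0        # issuer's signature over tbs()

    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.pub_n}|{','.join(self.eku)}".encode()

def issue(subject, pub_n, ca, ca_key, eku=()):
    """Certificate for subject's key, signed by the CA's key (constructed)."""
    unsigned = Cert(subject, ca.subject, pub_n, tuple(eku))
    return Cert(subject, ca.subject, pub_n, tuple(eku), sign(ca_key, unsigned.tbs()))

def self_signed(subject, key):
    unsigned = Cert(subject, subject, key[0])
    return Cert(subject, subject, key[0], (), sign(key, unsigned.tbs()))

@dataclass(frozen=True)
class OCSPResponse:
    tbs_response: bytes   # the signed revocation claims
    signer_cert: Cert     # certificate embedded alongside the response
    sig: int

def respond(claims, signer_cert, signer_key):
    return OCSPResponse(claims, signer_cert, sign(signer_key, claims))

def vulnerable_check(resp, issuer_ca):
    """Behaviour the report describes for Botan <= 2.19.2: a valid signature by
    the embedded certificate is enough; nothing ties that certificate to the CA
    that issued the certificate whose status is being checked."""
    return verify(resp.signer_cert.pub_n, resp.tbs_response, resp.sig)

def fixed_check(resp, issuer_ca):
    """RFC 6960 4.2.2.2: the signer is the issuing CA itself, or a delegated
    responder whose certificate is issued directly by that CA and carries
    id-kp-OCSPSigning."""
    c = resp.signer_cert
    if not verify(c.pub_n, resp.tbs_response, resp.sig):
        return False
    if c == issuer_ca:
        return True
    return (c.issuer == issuer_ca.subject
            and verify(issuer_ca.pub_n, c.tbs(), c.sig)
            and OCSP_SIGNING in c.eku)

def scenarios():
    """Four responses about a certificate issued by 'Example CA'; returns
    {name: (vulnerable_check result, fixed_check result)}."""
    ca_key = make_key(2**31 - 1, 2**61 - 1)
    rogue_key = make_key(2**89 - 1, 2**107 - 1)
    resp_key = make_key(2**127 - 1, 2**521 - 1)
    ca = self_signed("Example CA", ca_key)
    rogue = self_signed("Unrelated CA", rogue_key)
    claims = b"serial 1234: good"   # constructed revocation claim
    delegated = issue("OCSP Responder", resp_key[0], ca, ca_key, [OCSP_SIGNING])
    from_rogue = issue("OCSP Responder", resp_key[0], rogue, rogue_key, [OCSP_SIGNING])
    no_eku = issue("Some Server", resp_key[0], ca, ca_key)
    cases = {
        "ca_signs_directly": respond(claims, ca, ca_key),
        "delegated_responder": respond(claims, delegated, resp_key),
        "responder_from_unrelated_ca": respond(claims, from_rogue, resp_key),
        "ca_issued_but_no_ocsp_eku": respond(claims, no_eku, resp_key),
    }
    return {n: (vulnerable_check(r, ca), fixed_check(r, ca)) for n, r in cases.items()}
```

The two checks agree on the CA-signed and properly delegated responses and disagree on the other two: a responder certificate from an unrelated CA, or a CA-issued certificate without the OCSP signing usage, is accepted by the vulnerable path only, which is the gap the description calls out.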
Hi Carlos! Is relevant for SUSE:SLE-12:Update in SLE?
(In reply to Jason Sikes from comment #2)
> Hi Carlos!
>
> Is relevant for SUSE:SLE-12:Update in SLE?

Is *this* relevant for SUSE:SLE-12:Update in SLE?

(sigh) I should proofread my stuff.
(In reply to Jason Sikes from comment #3)
> (In reply to Jason Sikes from comment #2)
> > Hi Carlos!
> >
> > Is relevant for SUSE:SLE-12:Update in SLE?
>
> Is *this* relevant for SUSE:SLE-12:Update in SLE?
>
> (sigh) I should proofread my stuff.

Right, I missed it: https://smelt.suse.de/maintained/?q=Botan
(In reply to Carlos López from comment #4)
> (In reply to Jason Sikes from comment #3)
> > (In reply to Jason Sikes from comment #2)
> > > Hi Carlos!
> > >
> > > Is relevant for SUSE:SLE-12:Update in SLE?
> >
> > Is *this* relevant for SUSE:SLE-12:Update in SLE?
> >
> > (sigh) I should proofread my stuff.
>
> Right, I missed it:
> https://smelt.suse.de/maintained/?q=Botan

Thank you! And now that I have looked at it, I can see that OCSP support was added to Botan-1.11.0. So SLE-12:Update and openSUSE:Backports:SLE-12:Update are not affected.
I submitted updates to Botan-2.19.3 in Factory and Backports:SLE-15-SP5. I also wrote patches for openSUSE:Backports:SLE-15-SP3 and openSUSE:Backports:SLE-15-SP4, but I'm waiting for one of my teammates to validate it. It's an unusual patch.
Created submissions:

| CODESTREAM                    | VERSION | SOLUTION          | STATUS                              |
|-------------------------------+---------+-------------------+-------------------------------------|
| SUSE:SLE-12:Update            | 1.10.9  |                   | Not Affected: OCSP was added 1.11.0 |
| openSUSE:Backports:SLE-15-SP3 | 2.10.0  | Added two patches | created request id 1037178          |
| openSUSE:Backports:SLE-15-SP4 | 2.18.2  | Added two patches | created request id 1037177          |
| openSUSE:Backports:SLE-15-SP5 | 2.19.2  | Update to 2.19.3  | created request id 1036535          |
| openSUSE:Factory              | 2.19.2  | Update to 2.19.3  | created request id 1036530          |

Assigning to Security-Team.
This is an autogenerated message for OBS integration:

This bug (1205509) was mentioned in
https://build.opensuse.org/request/show/1037177 Backports:SLE-15-SP4 / Botan
https://build.opensuse.org/request/show/1037178 Backports:SLE-15-SP3 / Botan

openSUSE-SU-2022:10210-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1205509
CVE References: CVE-2022-43705
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP3 (src): Botan-2.10.0-bp153.3.3.1

openSUSE-SU-2022:10211-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1205509
CVE References: CVE-2022-43705
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): Botan-2.18.2-bp154.2.3.1