Advisories » MGASA-2024-0297

Updated botan2 packages fix security vulnerability

Publication date: 13 Sep 2024
Modification date: 13 Sep 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-34703

Description

An attacker could present an ECDSA X.509 certificate using explicit
encoding where the parameters are very large.
When parsing, the parameter is checked to be prime, causing excessive
computation. This was patched in 2.19.4 and 3.3.0 to allow the prime
parameter of the elliptic curve to be at most 521 bits. No known
workarounds are available. Note that support for explicit encoding of
elliptic curve parameters is deprecated in Botan.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=33429
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNLPSUOQTRVMV6WYZLISDVNWVFZEBQR5/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34703

SRPMS

9/core

• botan2-2.19.5-1.mga9