Bug 31176 - botan2 new security issue CVE-2022-43705
Summary: botan2 new security issue CVE-2022-43705
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-11-23 20:56 CET by David Walser
Modified: 2022-11-27 21:53 CET

See Also:
Source RPM: botan2-2.17.3-2.1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-11-23 20:56:47 CET
openSUSE has issued an advisory today (November 23):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BTCNO3M6FEDJQGUUPVOQE3OWQZIUMQ3A/

The issue is fixed upstream in 2.19.3.
David Walser 2022-11-23 20:57:14 CET

Status comment: (none) => Fixed upstream in 2.19.3

Comment 1 Lewis Smith 2022-11-23 21:12:31 CET
Yet another which falls in your court, Stig (although not officially your package). You have already put version 2.19.3 in Cauldron (and earlier updates).

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2022-11-23 23:38:33 CET
Advisory
========
This update for Botan fixes CVE-2022-43705.

CVE-2022-43705: Fixed validation of embedded certificates when checking OCSP responses


References
==========
https://www.suse.com/security/cve/CVE-2022-43705.html


Files
=====

Uploaded to core/updates_testing

python3-botan2-2.17.3-2.2.mga8
botan2-2.17.3-2.2.mga8
lib64botan2-devel-2.17.3-2.2.mga8
lib64botan2_17-2.17.3-2.2.mga8
botan2-doc-2.17.3-2.2.mga8

from botan2-2.17.3-2.2.mga8.src.rpm

Assignee: smelror => qa-bugs

David Walser 2022-11-23 23:39:54 CET

CC: (none) => smelror
Status comment: Fixed upstream in 2.19.3 => (none)

Comment 3 Herman Viaene 2022-11-24 16:56:41 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
ref bug 29659 Comment 5 for testing
$ botan --help
Usage: botan <cmd> <cmd-options>
All commands support --verbose --help --output= --error-output= --rng-type= --drbg-seed=

Available commands:

Encoders/Decoders:
   asn1print          Decode and print file with ASN.1 Basic Encoding Rules (BER)
   base32_dec         Decode Base32 encoded file
etc.....

$ echo "Test File" > testbotan.txt
[tester8@mach7 Documents]$ botan base64_enc testbotan.txt > testbotancrypt.txt
[tester8@mach7 Documents]$ cat testbotancrypt.txt
VGVzdCBGaWxlCg==
$ botan base64_dec testbotancrypt.txt
Test File
[tester8@mach7 Documents]$ python3
Python 3.8.14 (default, Oct  4 2022, 06:27:18) 
[GCC 10.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import botan2
>>> tester = botan2.RandomNumberGenerator()
>>> tested = tester.get(10)
>>> print ("Random number is {}".format(tested))
Random number is b'\xc0\x1aX:\xd3\x8cE`=\x16'
>>> quit()
$ lynx /usr/share/doc/botan-2.17.3/handbook/index.html
I can navigate the pages
Looks OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-11-24 21:41:57 CET
Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-11-27 18:42:03 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-11-27 21:53:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0445.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

