Bug 881529 (CVE-2022-43705) - <dev-libs/botan-2.19.3: OCSP response falsification
Summary: <dev-libs/botan-2.19.3: OCSP response falsification
Status: IN_PROGRESS
Alias: CVE-2022-43705
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/randombit/botan/se...
Whiteboard: A4 [glsa? cleanup]
Keywords:
Depends on: 885509
Blocks:
Reported: 2022-11-16 17:24 UTC by John Helmert III
Modified: 2022-12-13 21:51 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-16 17:24:35 UTC
"Botan 2.19.3 has been released today fixing a security issue when
verifying OCSP responses. It is possible for a malicious responder to
falsify an OCSP response - notably this vulnerability also affects
stapled OCSP responses in TLS."
Comment 1 Larry the Git Cow gentoo-dev 2022-11-17 01:06:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9841574e46260f409c25aea7c4b7a95bc1aad1d4

commit 9841574e46260f409c25aea7c4b7a95bc1aad1d4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-11-17 01:01:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-17 01:01:46 +0000

    dev-libs/botan: add 2.19.3
    
    Bug: https://bugs.gentoo.org/881529
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/botan/Manifest            |   2 +
 dev-libs/botan/botan-2.19.3.ebuild | 180 +++++++++++++++++++++++++++++++++++++
 2 files changed, 182 insertions(+)

