{"id":"MGASA-2024-0297","summary":"Updated botan2 packages fix security vulnerability","details":"An attacker could present an ECDSA X.509 certificate using explicit\nencoding where the parameters are very large.\nWhen parsing, the parameter is checked to be prime, causing excessive\ncomputation. This was patched in 2.19.4 and 3.3.0 to allow the prime\nparameter of the elliptic curve to be at most 521 bits. No known\nworkarounds are available. Note that support for explicit encoding of\nelliptic curve parameters is deprecated in Botan.\n","modified":"2026-02-04T04:04:46.114077Z","published":"2024-09-13T17:15:41Z","related":["CVE-2024-34703"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0297.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33429"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNLPSUOQTRVMV6WYZLISDVNWVFZEBQR5/"}],"affected":[{"package":{"name":"botan2","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/botan2?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.19.5-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0297.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}