Candidate: CVE-2017-2801
PublicDate: 2017-05-24 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2801
 https://github.com/randombit/botan/commit/c927101675e5f63fc0bdd93c5a4825adc54323b4 (1.10.16)
Description:
 A programming error exists in a way Randombit Botan cryptographic library
 version 2.0.1 implements x500 string comparisons which could lead to
 certificate verification issues and abuse. A specially crafted X509
 certificate would need to be delivered to the client or server application
 in order to trigger this vulnerability.
Ubuntu-Description:
 It was discovered that Botan did not properly manage x509 DN strings
 comparisons when provided with a specially crafted X509 certificate. An
 attacker could possibly use this issue to cause out of bound reads,
 resulting in information leakage, denial of service, or potentially
 incorrect certificate validation results.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860072
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_botan1.10:
upstream_botan1.10: released (1.10.16-1)
precise_botan1.10: ignored (reached end-of-life)
precise/esm_botan1.10: DNE (precise was needed)
trusty_botan1.10: ignored (reached end-of-life)
trusty/esm_botan1.10: DNE (trusty was needed)
vivid/stable-phone-overlay_botan1.10: DNE
vivid/ubuntu-core_botan1.10: DNE
xenial_botan1.10: ignored (end of standard support, was needed)
yakkety_botan1.10: ignored (reached end-of-life)
zesty_botan1.10: ignored (reached end-of-life)
artful_botan1.10: not-affected (1.10.16-1)
bionic_botan1.10: not-affected (1.10.16-1)
cosmic_botan1.10: not-affected (1.10.16-1)
disco_botan1.10: DNE
eoan_botan1.10: DNE
focal_botan1.10: DNE
groovy_botan1.10: DNE
hirsute_botan1.10: DNE
impish_botan1.10: DNE
jammy_botan1.10: DNE
devel_botan1.10: DNE