Debian Package Tracker

botan3


general
  • source: botan3 (main)
  • version: 3.11.1+dfsg-2
  • maintainer: Laszlo Boszormenyi (GCS) (DMD)
  • arch: all any
  • std-ver: 4.7.2
  • VCS: unknown
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 3.7.1+dfsg-2
  • testing: 3.10.0+dfsg-2
  • unstable: 3.11.1+dfsg-2
versioned links
  • 3.7.1+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.10.0+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.11.1+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • botan
  • libbotan-3-11
  • libbotan-3-dev (1 bug: 0, 1, 0, 0)
  • libbotan-3-doc
  • python3-botan
action needed
4 security issues in trixie high

There are 4 open security issues in trixie.

4 important issues:
  • CVE-2026-32877: Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.
  • CVE-2026-32883: Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.
  • CVE-2026-32884: Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate, Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However, this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypass an excludedSubtrees constraint for evil.com because the comparison is case-sensitive. This issue has been patched in version 3.11.0.
  • CVE-2026-34582: Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits the Certificate, CertificateVerify, and Finished messages and instead sends application data records. This vulnerability is fixed in 3.11.1.
Created: 2026-04-03 Last update: 2026-04-09 11:31
4 security issues in forky high

There are 4 open security issues in forky.

4 important issues:
  • CVE-2026-32877: Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.
  • CVE-2026-32883: Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.
  • CVE-2026-32884: Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate, Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However, this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypass an excludedSubtrees constraint for evil.com because the comparison is case-sensitive. This issue has been patched in version 3.11.0.
  • CVE-2026-34582: Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits the Certificate, CertificateVerify, and Finished messages and instead sends application data records. This vulnerability is fixed in 3.11.1.
Created: 2026-04-03 Last update: 2026-04-09 11:31
Depends on packages which need a new maintainer normal
The packages that botan3 depends on which need a new maintainer are:
  • trousers (#1125431)
    • Depends: libtspi1 libtspi1 libtspi-dev
    • Build-Depends: libtspi-dev
Created: 2026-01-14 Last update: 2026-04-11 09:30
lintian reports 3 warnings normal
Lintian reports 3 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2026-04-10 Last update: 2026-04-10 00:30
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).
Created: 2025-12-23 Last update: 2026-04-09 09:02
testing migrations
  • This package is part of the ongoing testing transition known as auto-botan3. Please avoid uploads unrelated to this transition; they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it from migrating to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • excuses:
    • Migration status for botan3 (3.10.0+dfsg-2 to 3.11.1+dfsg-2): Waiting for test results or another package, or too young (no action required now - check later)
    • Issues preventing migration:
      • Too young, only 2 of 5 days old
    • Additional info (not blocking):
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/b/botan3.html
      • Reproduced on amd64
      • Reproduced on arm64
      • Reproduced on armhf
      • Reproduced on i386
      • Reproduced on ppc64el
    • Not considered
news
[rss feed]
  • [2026-04-09] Accepted botan3 3.11.1+dfsg-2 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
  • [2026-04-03] Accepted botan3 3.11.1+dfsg-1 (source) into experimental (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
  • [2026-03-22] Accepted botan3 3.11.0+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
  • [2025-12-06] botan3 3.10.0+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2025-11-30] Accepted botan3 3.10.0+dfsg-2 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
  • [2025-11-07] Accepted botan3 3.10.0+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
  • [2025-09-11] Accepted botan3 3.9.0+dfsg-2.1 (source) into experimental (Bastian Germann) (signed by: bage@debian.org)
  • [2025-08-20] Accepted botan3 3.9.0+dfsg-2 (source) into experimental (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
  • [2025-08-16] Accepted botan3 3.9.0+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
  • [2025-05-18] Accepted botan3 3.8.1+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
  • [2025-03-28] botan3 3.7.1+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2025-03-23] Accepted botan3 3.7.1+dfsg-2 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
  • [2025-03-07] Accepted botan3 3.7.1+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
  • [2024-11-14] Accepted botan3 3.6.1+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
  • [2024-07-15] Accepted botan3 3.5.0+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
  • [2024-04-13] Accepted botan3 3.4.0+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
  • [2024-02-24] Accepted botan3 3.3.0+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
  • [2024-01-01] Accepted botan3 3.2.0+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
bugs [bug history graph]
  • all: 2
  • RC: 0
  • I&N: 2
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 3)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 3.10.0+dfsg-2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers