DEBIAN-CVE-2026-32883

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-32883
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32883.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-32883
Upstream
Published
2026-03-30T21:17:09.933Z
Modified
2026-04-14T05:01:23.703099Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.

References

Affected packages

Debian:13 / botan3

Package

Name
botan3
Purl
pkg:deb/debian/botan3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.7.1+dfsg-2
3.8.1+dfsg-1
3.9.0+dfsg-1
3.9.0+dfsg-2
3.9.0+dfsg-2.1
3.10.0+dfsg-1
3.10.0+dfsg-2
3.11.0+dfsg-1
3.11.1+dfsg-1
3.11.1+dfsg-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32883.json"

Debian:14 / botan3

Package

Name
botan3
Purl
pkg:deb/debian/botan3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.11.0+dfsg-2

Affected versions

3.*
3.7.1+dfsg-2
3.8.1+dfsg-1
3.9.0+dfsg-1
3.9.0+dfsg-2
3.9.0+dfsg-2.1
3.10.0+dfsg-1
3.10.0+dfsg-2
3.11.0+dfsg-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32883.json"