rpms/botan2

Fork 0

[security][HIGH] botan2 2.19.5: CVE-2026-32877 require triage #1

New issue

Closed

opened 2026-05-25 20:44:35 +03:00 by sbelikov · 1 comment

sbelikov commented

2026-05-25 20:44:35 +03:00

Owner

CVE triage request / Запрос на разбор CVE

Package / Пакет

Package: botan2
Version: 2.19.5
EVR: 2.19.5-1
Category: -
Policy class: -
NiceOS policy class: -
Owner: -
Severity: HIGH
Max CVSS: 8.2
CVE count: 1
Included NiceOS statuses: needs_triage
Included match types: cpe-range

LLM recommendation / Рекомендация LLM

RU

Для пакета botan2 2.19.5 найдены CVE-кандидаты по данным NVD/CPE: CVE-2026-32877. Требуется triage security-team.

Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета.

Рекомендуемое действие: needs_triage

Подсказка по целевой версии: -

Проверки: Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета.

Риски: Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for botan2 2.19.5: CVE-2026-32877. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

CVE	Severity	CVSS	Match	Confidence	NiceOS status	Fixed in	Existing issue	Reason
CVE-2026-32877	HIGH	8.2	cpe-range	78	needs_triage			package version is inside version range

Descriptions

CVE-2026-32877

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

Scanner integration / Интеграция со сканером

This issue was generated from niceos_cve_matches after the SPEC/Forgejo evidence pass.
After real creation, this script writes forgejo_issue_open rows into niceos_cve_evidence and marks the selected CVE rows as issue_open, so the next scanner/creator run does not duplicate the issue.

Maintainer checklist

Verify whether each CVE applies to the NiceOS build.
Compare NVD data with upstream/vendor advisory.
Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
If affected, decide update/backport strategy according to package policy class.
Run package-class-specific build, upgrade and regression tests.
Add/update niceos_cve_triage entry.
Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2026-32877"
  ],
  "fingerprint": "df9fa9209a3dca0a9ef8",
  "generated_at": "2026-05-25T17:44:34Z",
  "match_ids": [
    1161
  ],
  "match_types": [
    "cpe-range"
  ],
  "package": "botan2",
  "prompt_version": "niceos_cve_issue_analysis_v2",
  "statuses": [
    "needs_triage"
  ],
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "2.0",
  "version": "2.19.5"
}

# CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `botan2` - Version: `2.19.5` - EVR: `2.19.5-1` - Category: `-` - Policy class: `-` - NiceOS policy class: `-` - Owner: `-` - Severity: `HIGH` - Max CVSS: `8.2` - CVE count: `1` - Included NiceOS statuses: `needs_triage` - Included match types: `cpe-range` ## LLM recommendation / Рекомендация LLM ### RU Для пакета botan2 2.19.5 найдены CVE-кандидаты по данным NVD/CPE: CVE-2026-32877. Требуется triage security-team. Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета. **Риски:** Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС. ### EN NVD/CPE candidate CVEs were found for botan2 2.19.5: CVE-2026-32877. Security-team triage is required. Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests. **Risks:** An automatic NVD/CPE match is not the final NiceOS vulnerability verdict. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | Confidence | NiceOS status | Fixed in | Existing issue | Reason | |---|---|---:|---|---:|---|---|---|---| | CVE-2026-32877 | HIGH | 8.2 | cpe-range | 78 | needs_triage | | | package version is inside version range | ## Descriptions ### CVE-2026-32877 Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0. ## Scanner integration / Интеграция со сканером This issue was generated from `niceos_cve_matches` after the SPEC/Forgejo evidence pass. After real creation, this script writes `forgejo_issue_open` rows into `niceos_cve_evidence` and marks the selected CVE rows as `issue_open`, so the next scanner/creator run does not duplicate the issue. ## Maintainer checklist - [ ] Verify whether each CVE applies to the NiceOS build. - [ ] Compare NVD data with upstream/vendor advisory. - [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`. - [ ] If affected, decide update/backport strategy according to package policy class. - [ ] Run package-class-specific build, upgrade and regression tests. - [ ] Add/update `niceos_cve_triage` entry. - [ ] Create `NICE-SA` advisory if a security update is shipped. ## Machine metadata ```json { "cves": [ "CVE-2026-32877" ], "fingerprint": "df9fa9209a3dca0a9ef8", "generated_at": "2026-05-25T17:44:34Z", "match_ids": [ 1161 ], "match_types": [ "cpe-range" ], "package": "botan2", "prompt_version": "niceos_cve_issue_analysis_v2", "statuses": [ "needs_triage" ], "tool": "niceos_cve_create_issues.py", "tool_version": "2.0", "version": "2.19.5" } ```

sbelikov added the

labels

2026-05-25 20:44:35 +03:00

sbelikov commented

2026-05-26 01:10:52 +03:00

Author

Owner

CVE resolution / Закрытие CVE

EN

Resolved in NiceOS branch niceos-5.2.
Status: fixed.
Fixed in EVR: 2.19.5-2.
CVE: CVE-2026-32877.
Source: SPECS/botan2.spec.

RU

Исправлено в ветке НАЙС.ОС niceos-5.2.
Статус: fixed.
Исправлено в EVR: 2.19.5-2.
CVE: CVE-2026-32877.
Источник: SPECS/botan2.spec.

## CVE resolution / Закрытие CVE ### EN Resolved in NiceOS branch `niceos-5.2`. Status: `fixed`. Fixed in EVR: `2.19.5-2`. CVE: `CVE-2026-32877`. Source: `SPECS/botan2.spec`. ### RU Исправлено в ветке НАЙС.ОС `niceos-5.2`. Статус: `fixed`. Исправлено в EVR: `2.19.5-2`. CVE: `CVE-2026-32877`. Источник: `SPECS/botan2.spec`.

sbelikov closed this issue

2026-05-26 01:10:52 +03:00