get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/1.1/patches/2225272/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2225272,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2225272/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260420190748.181272-1-chakrabortyshubham66@gmail.com/",
    "project": {
        "id": 27,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/27/?format=api",
        "name": "Buildroot development",
        "link_name": "buildroot",
        "list_id": "buildroot.buildroot.org",
        "list_email": "buildroot@buildroot.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<20260420190748.181272-1-chakrabortyshubham66@gmail.com>",
    "date": "2026-04-20T19:07:47",
    "name": "[v2] package/botan: security bump to version 3.11.1",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "63deae250b63920962c4c88ac507a2d051399911",
    "submitter": {
        "id": 92564,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/92564/?format=api",
        "name": "Shubham Chakraborty",
        "email": "chakrabortyshubham66@gmail.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260420190748.181272-1-chakrabortyshubham66@gmail.com/mbox/",
    "series": [
        {
            "id": 500666,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/500666/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=500666",
            "date": "2026-04-20T19:07:47",
            "name": "[v2] package/botan: security bump to version 3.11.1",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/500666/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2225272/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2225272/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "<buildroot-bounces@buildroot.org>",
        "X-Original-To": [
            "incoming-buildroot@patchwork.ozlabs.org",
            "buildroot@buildroot.org"
        ],
        "Delivered-To": [
            "patchwork-incoming-buildroot@legolas.ozlabs.org",
            "buildroot@buildroot.org"
        ],
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=Wu1khTX/;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzw545RSYz1yD4\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Tue, 21 Apr 2026 05:08:56 +1000 (AEST)",
            "from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 9C944608E3;\n\tMon, 20 Apr 2026 19:08:54 +0000 (UTC)",
            "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id bkI9Cyu-fWZT; Mon, 20 Apr 2026 19:08:53 +0000 (UTC)",
            "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 9BA72610F0;\n\tMon, 20 Apr 2026 19:08:53 +0000 (UTC)",
            "from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists1.osuosl.org (Postfix) with ESMTP id DB610257\n for <buildroot@buildroot.org>; Mon, 20 Apr 2026 19:08:52 +0000 (UTC)",
            "from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id C12AC4111F\n for <buildroot@buildroot.org>; Mon, 20 Apr 2026 19:08:52 +0000 (UTC)",
            "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 4Ng-PWq6gcu9 for <buildroot@buildroot.org>;\n Mon, 20 Apr 2026 19:08:51 +0000 (UTC)",
            "from mail-pg1-x532.google.com (mail-pg1-x532.google.com\n [IPv6:2607:f8b0:4864:20::532])\n by smtp4.osuosl.org (Postfix) with ESMTPS id B573141112\n for <buildroot@buildroot.org>; Mon, 20 Apr 2026 19:08:51 +0000 (UTC)",
            "by mail-pg1-x532.google.com with SMTP id\n 41be03b00d2f7-c7358a7a8d1so2057922a12.3\n for <buildroot@buildroot.org>; Mon, 20 Apr 2026 12:08:51 -0700 (PDT)",
            "from fedora ([2409:40e5:101d:f700:95:a358:be57:4a93])\n by smtp.gmail.com with ESMTPSA id\n d2e1a72fcca58-82f8e9819fesm11477375b3a.4.2026.04.20.12.08.45\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 20 Apr 2026 12:08:49 -0700 (PDT)"
        ],
        "X-Virus-Scanned": [
            "amavis at osuosl.org",
            "amavis at osuosl.org"
        ],
        "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ",
        "DKIM-Filter": [
            "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 9BA72610F0",
            "OpenDKIM Filter v2.11.0 smtp4.osuosl.org B573141112"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776712133;\n\tbh=Sbi9MyL6j7ShqplXVfum+mMEUamIxgLaXDR7cE5EXlQ=;\n\th=From:To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=Wu1khTX/jIU2IXwTqLfXk5gUJVqHHJjTVMwFtzZiHdPe8ZJyUZv75EXpudaJwL8cY\n\t OwY/qU8EIEeSJLYdgWjGi8kjQEKThXAeokktbFwmeuIGT6atDtZHIprPD4l+PcejKt\n\t nyO04yptgXwUvrLe0V2Ku2BoOXd6IF6EE02a++Mjp1jRUNe2RXtqT5nFt9gShwgAMo\n\t Xz10zonqgez6jNLmJEInIqtsAtxu6tZpHHxAFQ37uEJ6i+s3RtNhFGyZJIVVI1GVAy\n\t 8gOLL8IE9bTTbTDYJjLriJFPBHHjXoRtcQtBeJG2TSCHBQtIceQSrv2YAfrggg84Gs\n\t uKMKlu6qTV74A==",
        "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2607:f8b0:4864:20::532; helo=mail-pg1-x532.google.com;\n envelope-from=chakrabortyshubham66@gmail.com; receiver=<UNKNOWN>",
        "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp4.osuosl.org B573141112",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776712130; x=1777316930;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=8ZVL7DpSsrdCAsCSUeZdAV6EtOhldJPWY4RdsPOY2HQ=;\n b=Kwohz3d4UOO0IQZT9sO9HIE7vNDKsNt7FE1+a3IPY8K+0Bf0iyzQtr+VdiXbs2esRl\n WQfc5aJ3Dc8mguPfQfCu7EaVSZyz1ZQcQGuNA4//8pHWDxioOqP+Vhmc2ClCBACa6imN\n 5ZCysDAwvn7tW+DI1dPtmHnfb/FGlW+NV+Ybd1PEQrnSpgsBPWIuPqM8+iSnxW70nz+K\n cTt+AuAf0jH6NO0g1G7Jwzp5s39K0PnzCNFdaeaneqmiHyiz0BV/NJ4F+YsxbO6Csw85\n Uc3+/wDhRd+eJd5jHn4SElsa6ecN6ImhJ7F3mwGaNvAHXuxFU3FYV8qk7gFHu+FYlTEO\n b2jg==",
        "X-Gm-Message-State": "AOJu0YzPjur4t+ZfPsFwXJDQSlfAEE1Hs+M6t8LNcyx9w3ETPH9d62Lc\n RqK67YnAjHMkpk9eys47Y6TsxBfb+KJnH4sXM/ciLhKWL3cdR6Z6hCz/l9MkKDS1",
        "X-Gm-Gg": "AeBDietieXmrhdVE23zGh9cNgZdnYJ9AyLHmpCGiOOEYM4lZs3WI7SQuaB0ifFl3kDz\n 7RQYgjjGt9zq7Ntr/g45P5gPwlq4Gb5KQZZRK1FP/T+P7WNUyOrNIbISE6aAVAnhnyTMnadFtrk\n LzgoNeT7MsubyNFpep21j3+cE9o3QdcGlLQkShbeaAIh0RVb2vTJVGg6oxuj36sLwiP7NDT/VFK\n 5IaWTRQTHvXU3EzpLWjt5uF2FWjobt6gR6XXgI9WZECWEWakDy47Kzi0nE8TNgxUvJ9AQSSRcoY\n APaqBxzCa8t4Y4FF7e76M65hiiBfwe94cmOkn45FocEsVTu4sEa/HD4nIGLoOiHIJz9SuCxZ1Lw\n GDdXGqUIOpg2QE103rfcC2ezRB/2bwBlPe9bT+rwzGkgXi4qq8/t0fMma+ZMeYifrAnK8eWkiPC\n jNaP9ZkkcpwbB8zQSY1SUU26lBH15EwZI72+zBLCQ/IQ==",
        "X-Received": "by 2002:a05:6a00:4186:b0:82f:280a:d888 with SMTP id\n d2e1a72fcca58-82f8c81d952mr16524769b3a.12.1776712130470;\n Mon, 20 Apr 2026 12:08:50 -0700 (PDT)",
        "From": "Shubham Chakraborty <chakrabortyshubham66@gmail.com>",
        "To": "buildroot@buildroot.org",
        "Cc": "Shubham Chakraborty <chakrabortyshubham66@gmail.com>",
        "Date": "Tue, 21 Apr 2026 00:37:47 +0530",
        "Message-ID": "<20260420190748.181272-1-chakrabortyshubham66@gmail.com>",
        "X-Mailer": "git-send-email 2.53.0",
        "In-Reply-To": "<20260420084407.37993-1-chakrabortyshubham66@gmail.com>",
        "References": "<20260420084407.37993-1-chakrabortyshubham66@gmail.com>",
        "MIME-Version": "1.0",
        "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776712130; x=1777316930; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=8ZVL7DpSsrdCAsCSUeZdAV6EtOhldJPWY4RdsPOY2HQ=;\n b=GhL5UAGm3Dhd2lKcUZCT1wDCftjfyr9ggiLQz9LWL8/CihpsW0+KtJGhYT4yjeEko7\n ov1Jk4yoKVwsRY134sIwqxtdwCWytmhZKlBgqNeeRJGBV/7pqa56iyKx+Sqa4ZR2aR32\n TKjYSLJbW6PEODPKJ6ojUugKhRaYyqULrDtYc1XrHr3DgFAcF0ybEUYJbZQ59p5Fxkpi\n NcsX6efKtwr4sgI/VKo9IkXxOaGjoG5/18y3y8G00FpbSgenGPaUWjb7N97pdl5g5R9h\n nEwYmFEvvU0qx60NB+SDXGMBpuInW9PUs7+/aMUqNkkTJaE3+0cwPIhg+ZqZ5nxxVIg2\n rdEA==",
        "X-Mailman-Original-Authentication-Results": [
            "smtp4.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=gmail.com",
            "smtp4.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=GhL5UAGm"
        ],
        "Subject": "[Buildroot] [PATCH v2] package/botan: security bump to version\n 3.11.1",
        "X-BeenThere": "buildroot@buildroot.org",
        "X-Mailman-Version": "2.1.30",
        "Precedence": "list",
        "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>",
        "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>",
        "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>",
        "List-Post": "<mailto:buildroot@buildroot.org>",
        "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>",
        "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>",
        "Content-Type": "text/plain; charset=\"us-ascii\"",
        "Content-Transfer-Encoding": "7bit",
        "Errors-To": "buildroot-bounces@buildroot.org",
        "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>"
    },
    "content": "- Update BOTAN_VERSION to 3.11.1\n- Remove 0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch\n  as it is already integrated upstream in this version.\n\nFixed in 3.11.1:\n- CVE-2026-35580: Resolve certificate verification bypass bug introduced\n  in 3.11.0 (GH #5500)\n- CVE-2026-35582: Resolve TLS 1.3 client authentication bypass (GH #5599)\n\nFixed in 3.11.0:\n- CVE-2026-32877: Fix a heap over-read during SM2 decryption (GH #5450)\n- CVE-2026-32883: Fix an OCSP response forgery vulnerability (GH #5449)\n- CVE-2026-32884: Fix a name constraints bypass for DNS names (GH #5448)\n\n- Remove the --disable-altivec configuration option as it has been removed\n  from the Botan build system in version 3.x\n- Optimize the --disable-neon logic using the yx pattern.\n  In Botan 3.x, the --disable-neon flag is specifically targeted at the\n  arm32 architecture. Furthermore, Buildroot's BR2_ARM_CPU_HAS_NEON\n  variable is only defined for 32-bit ARM, which previously caused a\n  false-positive --disable-neon flag to be passed on AArch64 builds\n- Update license.txt hash in botan.hash due to the copyright year update\n  to 2026\n\nhttps://botan.randombit.net/news.html#version-3-11-1-2026-03-31\n\nSigned-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>\n\n---\nv1 -> v2:\n  - Add \"security\" to the subject line.\n  - Mention CVEs fixed in 3.11.0 and 3.11.1 as requested by Bernd Kuhls.\n  - Optimize the NEON disable logic in botan.mk using the yx pattern.\n---\n ...avoid-compiler-induced-side-channels.patch | 65 -------------------\n package/botan/botan.hash                      |  4 +-\n package/botan/botan.mk                        | 11 +---\n 3 files changed, 4 insertions(+), 76 deletions(-)\n delete mode 100644 package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch",
    "diff": "diff --git a/package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch b/package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch\ndeleted file mode 100644\nindex 22f64be1b9..0000000000\n--- a/package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch\n+++ /dev/null\n@@ -1,65 +0,0 @@\n-From 53b0cfde580e86b03d0d27a488b6c134f662e957 Mon Sep 17 00:00:00 2001\n-From: Jack Lloyd <jack@randombit.net>\n-Date: Sat, 19 Oct 2024 07:43:18 -0400\n-Subject: [PATCH] Add more value barriers to avoid compiler induced side\n- channels\n-\n-The paper https://arxiv.org/pdf/2410.13489 claims that on specific\n-architectures Clang and GCC may introduce jumps here. The donna128\n-issues only affect 32-bit processors, which explains why we would not\n-see it in the x86-64 valgrind runs.\n-\n-The GHASH leak would seem to be generic but the authors only observed\n-it on RISC-V.\n-\n-CVE: CVE-2024-50382\n-CVE: CVE-2024-50383\n-Upstream: https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957\n-Signed-off-by: Thomas Perale <thomas.perale@mind.be>\n----\n- src/lib/utils/donna128.h      | 5 +++--\n- src/lib/utils/ghash/ghash.cpp | 2 +-\n- 2 files changed, 4 insertions(+), 3 deletions(-)\n-\n-diff --git a/src/lib/utils/donna128.h b/src/lib/utils/donna128.h\n-index 8212bd349e0..7adf54546df 100644\n---- a/src/lib/utils/donna128.h\n-+++ b/src/lib/utils/donna128.h\n-@@ -8,6 +8,7 @@\n- #ifndef BOTAN_CURVE25519_DONNA128_H_\n- #define BOTAN_CURVE25519_DONNA128_H_\n- \n-+#include <botan/internal/ct_utils.h>\n- #include <botan/internal/mul128.h>\n- #include <type_traits>\n- \n-@@ -73,14 +74,14 @@ class donna128 final {\n-          l += x.l;\n-          h += x.h;\n- \n--         const uint64_t carry = (l < x.l);\n-+         const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x.l).if_set_return(1);\n-          h += carry;\n-          return *this;\n-       }\n- \n-       
constexpr donna128& operator+=(uint64_t x) {\n-          l += x;\n--         const uint64_t carry = (l < x);\n-+         const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x).if_set_return(1);\n-          h += carry;\n-          return *this;\n-       }\n-diff --git a/src/lib/utils/ghash/ghash.cpp b/src/lib/utils/ghash/ghash.cpp\n-index 8c3b1ed6c2a..61b28590002 100644\n---- a/src/lib/utils/ghash/ghash.cpp\n-+++ b/src/lib/utils/ghash/ghash.cpp\n-@@ -131,7 +131,7 @@ void GHASH::key_schedule(std::span<const uint8_t> key) {\n-          m_HM[4 * j + 2 * i + 1] = H1;\n- \n-          // GCM's bit ops are reversed so we carry out of the bottom\n--         const uint64_t carry = R * (H1 & 1);\n-+         const uint64_t carry = CT::Mask<uint64_t>::expand(H1 & 1).if_set_return(R);\n-          H1 = (H1 >> 1) | (H0 << 63);\n-          H0 = (H0 >> 1) ^ carry;\n-       }\ndiff --git a/package/botan/botan.hash b/package/botan/botan.hash\nindex d948271900..6b391c06a3 100644\n--- a/package/botan/botan.hash\n+++ b/package/botan/botan.hash\n@@ -1,4 +1,4 @@\n # From https://botan.randombit.net/releases/sha256sums.txt\n-sha256  67e8dae1ca2468d90de4e601c87d5f31ff492b38e8ab8bcbd02ddf7104ed8a9f  Botan-3.5.0.tar.xz\n+sha256  c1cd7152519f4188591fa4f6ddeb116bc1004491f5f3c58aa99b00582eb8a137  Botan-3.11.1.tar.xz\n # Locally computed\n-sha256  db9168bdccaaea26557094436652577cc9bf43164e8be078d88aef1342fe4fb6  license.txt\n+sha256  758ea6b4a65d5611bf79c24920f92473ef44bdde0b3b97fa578470a0ffc34f14  license.txt\ndiff --git a/package/botan/botan.mk b/package/botan/botan.mk\nindex 38948f0184..06f1ce2730 100644\n--- a/package/botan/botan.mk\n+++ b/package/botan/botan.mk\n@@ -4,16 +4,13 @@\n #\n ################################################################################\n \n-BOTAN_VERSION = 3.5.0\n+BOTAN_VERSION = 3.11.1\n BOTAN_SOURCE = Botan-$(BOTAN_VERSION).tar.xz\n BOTAN_SITE = http://botan.randombit.net/releases\n BOTAN_LICENSE = BSD-2-Clause\n BOTAN_LICENSE_FILES = license.txt\n 
BOTAN_CPE_ID_VALID = YES\n \n-# 0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch\n-BOTAN_IGNORE_CVES += CVE-2024-50382 CVE-2024-50383\n-\n BOTAN_INSTALL_STAGING = YES\n \n BOTAN_DEPENDENCIES = host-python3\n@@ -91,11 +88,7 @@ BOTAN_DEPENDENCIES += zlib\n BOTAN_CONF_OPTS += --with-zlib\n endif\n \n-ifeq ($(BR2_POWERPC_CPU_HAS_ALTIVEC),)\n-BOTAN_CONF_OPTS += --disable-altivec\n-endif\n-\n-ifeq ($(BR2_ARM_CPU_HAS_NEON),)\n+ifeq ($(BR2_arm)x$(BR2_ARM_CPU_HAS_NEON),yx)\n BOTAN_CONF_OPTS += --disable-neon\n endif\n \n",
    "prefixes": [
        "v2"
    ]
}
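
Review bot: The deletion of package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch is justified only by the commit message's "already integrated upstream in this version", without naming the first Botan release that contains it. The removed patch header records Upstream: https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957 and CVE-2024-50382 / CVE-2024-50383. Since the matching BOTAN_IGNORE_CVES line is dropped in the same patch, please state in the commit message which release first shipped that commit, so a reader can confirm 3.11.1 covers both CVEs by version alone.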
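
Review bot: In the first package/botan/botan.mk hunk, the unchanged context line BOTAN_SITE = http://botan.randombit.net/releases still fetches the tarball over plain HTTP, while the source comment in botan.hash already points at https://botan.randombit.net/releases/sha256sums.txt. The sha256 in botan.hash does protect the download, but a security bump is a good moment to switch BOTAN_SITE to https as well. Dropping the BOTAN_IGNORE_CVES += CVE-2024-50382 CVE-2024-50383 line and its comment together with the patch file is consistent.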
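
Review bot: In the second package/botan/botan.mk hunk, the new condition ifeq ($(BR2_arm)x$(BR2_ARM_CPU_HAS_NEON),yx) tests BR2_arm only, so a big-endian 32-bit ARM target (BR2_armeb) without NEON, which the old ifeq ($(BR2_ARM_CPU_HAS_NEON),) covered, no longer gets --disable-neon. If that is intended, say so; otherwise extend the test to both 32-bit ARM symbols. The reason for the restriction (the flag targets arm32 and was wrongly passed on AArch64) appears only in the commit message, so a one-line comment above the ifeq would keep it visible in botan.mk.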