Botan 2.6.0 has been released, fixing CVE-2018-9860 (potential denial of service in TLS CBC decryption). 1.10.17 is not affected. 2.6.0 also fixes a miscompilation issue on x86(-64) which caused incorrect results when compiled by GCC 7.3 and certain flags such as -fno-plt. Sorry for the churn here; OSS-Fuzz found the CVE 2 days after the 2.5.0 release.
2.6.0 is not in the tree yet.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0e35a7714db0e1d3ffa913e50b412ff1c1cb991
commit c0e35a7714db0e1d3ffa913e50b412ff1c1cb991
Author:     Alon Bar-Lev <alonbl@gentoo.org>
AuthorDate: 2018-04-10 18:54:28 +0000
Commit:     Alon Bar-Lev <alonbl@gentoo.org>
CommitDate: 2018-04-10 18:54:58 +0000
    dev-libs/botan: version bump
    Bug: https://bugs.gentoo.org/652910
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
 dev-libs/botan/Manifest           | 1 +
 dev-libs/botan/botan-2.6.0.ebuild | 92 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=454c09bcc33443ca8de015e90b0983073753f88d
commit 454c09bcc33443ca8de015e90b0983073753f88d
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-18 23:30:34 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-18 23:30:34 +0000
    dev-libs/botan: amd64 stable wrt bug #652910
    Bug: https://bugs.gentoo.org/652910
    Package-Manager: Portage-2.3.29, Repoman-2.3.9
 dev-libs/botan/botan-2.6.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
x86 stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41aa3fcbfc826ae86385b1053e3a57a9185a9360
commit 41aa3fcbfc826ae86385b1053e3a57a9185a9360
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-20 14:47:15 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-20 14:47:15 +0000
    dev-libs/botan: stable 2.6.0 for ppc64, bug #652910
    Bug: https://bugs.gentoo.org/652910
    Package-Manager: Portage-2.3.38, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"
 dev-libs/botan/botan-2.6.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
ppc stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13e2cb1c2f57fee406c4852b1e2d0c5eca0e873f
commit 13e2cb1c2f57fee406c4852b1e2d0c5eca0e873f
Author:     Alon Bar-Lev <alonbl@gentoo.org>
AuthorDate: 2018-05-26 08:12:35 +0000
Commit:     Alon Bar-Lev <alonbl@gentoo.org>
CommitDate: 2018-05-26 08:13:39 +0000
    dev-libs/botan: cleanup
    Bug: https://bugs.gentoo.org/652910
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
 dev-libs/botan/Manifest           | 1 -
 dev-libs/botan/botan-2.5.0.ebuild | 92 ---------------------------------------
 2 files changed, 93 deletions(-)
GLSA Vote: No