botan 1.0.16 and 2.1.0 fix a security bug in the X.509 parsing. From upstream: "Botan’s implementation of X.509 name comparisons had a flaw which could result in an out of bound memory read while processing a specially formed DN. This could potentially be exploited for information disclosure or denial of service, or result in incorrect validation results. Found independently by Aleksandar Nikolic of Cisco Talos, and OSS-Fuzz automated fuzzing infrastructure." A second vuln (CVE-2017-7252) has also been fixed in 2.1.0, but it only affects versions in portage that have never been unmasked, so it's not relevant.
Added, feel free to stabilize. Thanks!
@ Arches, please test and mark stable: =dev-libs/botan-1.10.16
amd64 stable
x86 stable
sparc stable
ppc64 stable
ppc stable
Arches, please finish stabilizing hppa
Gentoo Security Padawan ChrisADR
hppa stable
(In reply to Aleksandr Wagner (Kivak) from bug#632104 comment#7) > @Maintainer(s): Please clean the vulnerable versions from tree. Done.
GLSA Vote: No