From ${URL} :

The following issues were fixed in the 1.11.29 release of botan:

(CVE-2016-2849): ECDSA side channel

ECDSA (and DSA) signature algorithms perform a modular inverse on the signature nonce k. The modular inverse algorithm used had input-dependent loops, and it is possible a side channel attack could recover sufficient information about the nonce to eventually recover the ECDSA secret key. Found by Sean Devlin.

Introduced in 1.7.15, fixed in 1.11.29 2016-03-17

(CVE-2016-2850): Failure to enforce TLS policy

TLS v1.2 allows negotiating which signature algorithms and hash functions each side is willing to accept. However, received signatures were not actually checked against the specified policy. This had the effect of allowing a server to use an MD5 or SHA-1 signature, even though the default policy prohibits it. The same issue affected client cert authentication. The TLS client also failed to verify that the ECC curve the server chose to use was one which was acceptable by the client policy.

Introduced in 1.11.0, fixed in 1.11.29

Reference: http://botan.randombit.net/security.html#id1

Upstream patches: https://github.com/randombit/botan/commit/bcf13fa153a11b3e0ad54e2af6962441cea3adf1

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
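Added illustration for the CVE-2016-2850 part of the report (this is not the bug reporter's text and not Botan's code): a small TLS 1.2 client-side policy check that rejects a ServerKeyExchange whose signature algorithm, hash, or named curve was not in what the client advertised. The policy object, its field names and the sample messages are constructed for this example; the numeric identifiers are the IANA code points from RFC 5246 and RFC 4492. Cryptographic verification of the signature bytes is a separate step and is deliberately not modelled.

```python
# Added example, not Botan's code: enforce the client's signature_algorithms
# and named-curve policy on what the server actually chose. Affected Botan
# versions negotiated the policy but skipped this check on receipt.

# IANA TLS 1.2 code points (RFC 5246 HashAlgorithm/SignatureAlgorithm,
# RFC 4492 NamedCurve). Only the values used here are listed.
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
CURVE_NAMES = {21: "secp224r1", 23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}


class PolicyViolation(Exception):
    """Raised when the peer's choice lies outside the local policy."""


class ClientPolicy:
    """Constructed policy object (assumed, not a Botan API): the names the
    client is willing to accept."""

    def __init__(self, hashes, sigs, curves):
        self.hashes = frozenset(hashes)
        self.sigs = frozenset(sigs)
        self.curves = frozenset(curves)

    def signature_algorithms_extension(self):
        """(hash_id, sig_id) pairs the client advertises in its ClientHello."""
        return [(h, s) for h in sorted(HASH_NAMES) for s in sorted(SIG_NAMES)
                if HASH_NAMES[h] in self.hashes and SIG_NAMES[s] in self.sigs]

    def check_signature_algorithm(self, hash_id, sig_id):
        """The server must sign with a pair the client actually offered."""
        hash_name = HASH_NAMES.get(hash_id, "unknown")
        sig_name = SIG_NAMES.get(sig_id, "unknown")
        if (hash_id, sig_id) not in self.signature_algorithms_extension():
            raise PolicyViolation(f"server signed with {sig_name}/{hash_name}, not in policy")
        return hash_name, sig_name

    def check_curve(self, curve_id):
        """The ECDHE curve the server picked must be one the client listed."""
        name = CURVE_NAMES.get(curve_id, "unknown")
        if name not in self.curves:
            raise PolicyViolation(f"server chose curve {name} ({curve_id}), not in policy")
        return name


# Constructed default: no MD5/SHA-1 signatures, no DSA, no curves below 256 bits.
DEFAULT_POLICY = ClientPolicy(
    hashes=("sha256", "sha384", "sha512"),
    sigs=("rsa", "ecdsa"),
    curves=("secp256r1", "secp384r1", "secp521r1"),
)


def accept_server_key_exchange(policy, curve_id, hash_id, sig_id):
    """Return (curve, hash, sig) names if the message is policy-compliant,
    otherwise raise PolicyViolation. The curve is checked first because it
    is the first field of an ECDHE ServerKeyExchange."""
    curve = policy.check_curve(curve_id)
    hash_name, sig_name = policy.check_signature_algorithm(hash_id, sig_id)
    return curve, hash_name, sig_name


def is_accepted(policy, curve_id, hash_id, sig_id):
    """Boolean wrapper for callers that prefer a flag to an exception."""
    try:
        accept_server_key_exchange(policy, curve_id, hash_id, sig_id)
        return True
    except PolicyViolation:
        return False


if __name__ == "__main__":
    # Constructed samples: secp256r1 with sha256/rsa passes ...
    print(accept_server_key_exchange(DEFAULT_POLICY, 23, 4, 1))
    # ... md5/rsa (the case the advisory describes) and secp224r1 do not.
    print(is_accepted(DEFAULT_POLICY, 23, 1, 1), is_accepted(DEFAULT_POLICY, 21, 4, 1))
```

The point to carry into any TLS stack is that advertising a policy in ClientHello is not enforcement; the received SignatureAndHashAlgorithm and NamedCurve values must be compared against the same policy object before the signature is even verified.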
botan-1.11.29 in tree. Lots of changes; we will have to wait for a while before stabilizing.
@ Maintainer(s): Can we please get a status update? The mask from 2013-09-13 is still in place, so it looks like no progress was made.
(In reply to Thomas Deutschmann from comment #2)
> @ Maintainer(s): Can we please get a status update? The mask from
> 2013-09-13 is still in place, so it looks like no progress was made.

Question...

Current Development Work (1.11)
Old Stable Series (1.10)

I do not entirely understand what is "old stable series". There is a release of 1.10.13 that fixes some of the CVEs; is this sufficient to make it stable?

---
https://botan.randombit.net/news.html#version-1-10-13-2016-04-23

Version 1.10.13, 2016-04-23

Use constant time modular inverse algorithm to avoid possible side channel attack against ECDSA (CVE-2016-2849)
Use constant time PKCS #1 unpadding to avoid possible side channel attack against RSA decryption (CVE-2015-7827)
Avoid a compilation problem in OpenSSL engine when ECDSA was disabled. Gentoo bug 542010
---

Otherwise we will stabilize the latest. Thanks!
@ Maintainer(s): For security it is enough to stabilize =dev-libs/botan-1.10.13. The v1.11 branch was never stable. But if you want we can stabilize =dev-libs/botan-1.11.33, but then you have to clean up previous versions, so make sure that v1.11.x works for all consumers... Please let us know when you have decided how to proceed.
OK, let's stabilize dev-libs/botan-1.10.13. Thanks!
amd64 stable
x86 stable
CVE-2016-2849 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2849): Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a constant-time algorithm to perform a modular inverse on the signature nonce k, which might allow remote attackers to obtain ECDSA secret keys via a timing side-channel attack.
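Added illustration of what "constant-time modular inverse" means in the NVD text above and in the 1.10.13 release note (this is not part of the bug thread and not Botan's code): two ways of computing k^-1 mod n, counted in loop steps rather than timed. Python big-int arithmetic is not itself constant time, so only the algorithmic control flow is shown. The group order N, the nonce samples and the step counter are constructed for this example.

```python
# Added example, not Botan's code: the control-flow difference between an
# input-dependent modular inverse and one whose operation schedule is fixed
# by public data. Steps are counted instead of timed, so the comparison
# is about algorithm structure, not about Python's big-int performance.

# Constructed group order: the Mersenne prime 2^31 - 1. A real ECDSA curve
# order is ~256 bits, but the control-flow argument is identical.
N = 2**31 - 1


def inverse_euclid(k, n):
    """Extended Euclid. Returns (k^-1 mod n, loop iterations).
    The iteration count depends on the secret nonce k; this is the kind
    of input-dependent loop the advisory describes."""
    old_r, r = k % n, n
    old_s, s = 1, 0          # invariant: old_s * k = old_r (mod n)
    steps = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    if old_r != 1:
        raise ValueError("k is not invertible modulo n")
    return old_s % n, steps


def inverse_fermat(k, n):
    """k^(n-2) mod n by left-to-right square-and-multiply, valid for prime n.
    The square/multiply schedule is a function of the public exponent n-2
    only, so the number and order of operations never depends on k."""
    result = 1
    steps = 0
    for bit in bin(n - 2)[2:]:
        result = (result * result) % n
        steps += 1
        if bit == "1":       # branch on a public value (n), never on k
            result = (result * k) % n
            steps += 1
    return result, steps


def step_counts(inverse, ks, n):
    """Distinct step counts observed over a set of nonces; a single value
    means the loop structure leaks nothing about which nonce was used."""
    return sorted({inverse(k, n)[1] for k in ks})


def check(inverse, k, n):
    """True if the returned value really is the inverse of k mod n."""
    inv, _ = inverse(k, n)
    return (inv * k) % n == 1


if __name__ == "__main__":
    sample = [1, 2, 3, 12345, 2**20 + 7, N - 1]   # constructed nonces
    print("euclid step counts:", step_counts(inverse_euclid, sample, N))
    print("fermat step counts:", step_counts(inverse_fermat, sample, N))
```

The Fermat route is one of the standard fixed-schedule inverses for a prime modulus; production code additionally needs constant-time field multiplication underneath it, which is exactly the layer Python does not provide here.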
sparc stable
ppc stable
ppc64 stable
Stable for HPPA.
GLSA Vote: Yes

The possibility that an attacker could recover the ECDSA secret key warrants a GLSA. New GLSA request filed.

@ Maintainer(s): Please drop =dev-libs/botan-1.10.12!
(In reply to Thomas Deutschmann from comment #13)
> @ Maintainer(s): Please drop =dev-libs/botan-1.10.12!

Done.
@ Maintainer(s): Thank you!
This issue was resolved and addressed in GLSA 201701-23 at https://security.gentoo.org/glsa/201701-23 by GLSA coordinator Aaron Bauman (b-man).