Botan 2.5.0 through 2.6.0 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP, related to dsa/dsa.cpp, ec_group/ec_group.cpp, and ecdsa/ecdsa.cpp. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Gentoo Security Scout Florian Schuhmacher
solution proposed - see bug #661660
Please stabilize =dev-libs/botan-2.7.0
x86 stable
amd64 stable
ppc stable
ppc64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1949d3c964706770f7353f9ac0fab632b5d2f28c

commit 1949d3c964706770f7353f9ac0fab632b5d2f28c
Author:     Alon Bar-Lev <alonbl@gentoo.org>
AuthorDate: 2018-09-01 18:20:35 +0000
Commit:     Alon Bar-Lev <alonbl@gentoo.org>
CommitDate: 2018-09-01 19:01:32 +0000

    dev-libs/botan: clenaup old

    Bug: https://bugs.gentoo.org/show_bug.cgi?id=658334
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-libs/botan/Manifest           |  1 -
 dev-libs/botan/botan-2.6.0.ebuild | 92 ---------------------------------------
 2 files changed, 93 deletions(-)
To be clear on the status of this bug: vulnerable versions (2.5.x) are clear from the tree.
All clear in tree.

Arches and Maintainer(s), thank you for your work.

Closing noglsa.