ArchLinux: 201603-22: botan: multiple issues
Summary
- CVE-2016-2849 (ECDSA side channel):
ECDSA (and DSA) signature algorithms perform a modular inverse on the
signature nonce k. The modular inverse algorithm used had input
dependent loops, and it is possible a side channel attack could recover
sufficient information about the nonce to eventually recover the ECDSA
secret key. Found by Sean Devlin.
- CVE-2016-2850 (Failure to enforce TLS policy):
TLS v1.2 allows negotiating which signature algorithms and hash
functions each side is willing to accept. However received signatures
were not actually checked against the specified policy. This had the
effect of allowing a server to use an MD5 or SHA-1 signature, even
though the default policy prohibits it. The same issue affected client
cert authentication.
The TLS client also failed to verify that the ECC curve the server chose
to use was one which was acceptable by the client policy.
Resolution
Upgrade to 1.11.29-1.
# pacman -Syu "botan>=1.11.29-1"
The problem has been fixed upstream in version 1.11.29.
References
https://botan.randombit.net/security.html https://access.redhat.com/security/cve/CVE-2016-2849 https://access.redhat.com/security/cve/CVE-2016-2850
Workaround
None.