Stay Secure with the Latest Linux Advisories

security advisorygentooremote access

Gentoo GLSA-201701-23 Normal: Botan Multiple Issues Affecting ECDSA Keys

Multiple vulnerabilities have been found in Botan, the worst of which might allow remote attackers to obtain ECDSA secret keys.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201701-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Botan: Multiple vulnerabilities Date: January 11, 2017 Bugs: #581324 ID: 201701-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been found in Botan, the worst of which might allow remote attackers to obtain ECDSA secret keys. Background ========= Botan (Japanese for peony) is a cryptography library written in C++11. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/botan < 1.10.13 > = 1.10.13 Description ========== Multiple vulnerabilities have been discovered in Botan. Please review the CVE identifiers referenced below for details. Impact ===== A remote attacker might obtain ECDSA secret keys via a timing side-channel attack or could possibly bypass TLS policy. Workaround ========= There is no known workaround at this time. Resolution ========= All Botan users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-libs/botan-1.10.13" References ========= [ 1 ] CVE-2016-2849 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2849 [ 2 ] CVE-2016-2850 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2850 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo SecurityWebsite: https://security.gentoo.org/glsa/201701-23 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to This email address is being protected from spambots. You need JavaScript enabled to view it. or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5/ . Numerous security flaws in Botan could enable distant adversaries to access ECDSA private keys. It is advised to proceed with an update for enhanced protection.. Botan Vulnerabilities,Gentoo Security Update,Remote Attacker Access. . LinuxSecurity.com Team

Jan 11, 2017 Gentoo