--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-d4248ba346
2017-10-25 21:34:15.276555
--------------------------------------------------------------------------------
Name : botan
Product : Fedora 26
Version : 1.10.17
Release : 1.fc26
URL : http://botan.randombit.net/
Summary : Crypto library written in C++
Description :
Botan is a BSD-licensed crypto library written in C++. It provides a
wide variety of basic cryptographic algorithms, X.509 certificates and
CRLs, PKCS #10 certificate requests, a filter/pipe message processing
system, and a wide variety of other features, all written in portable
C++. The API reference, tutorial, and examples may help impart the
flavor of the library.
--------------------------------------------------------------------------------
Update Information:
#### Version 1.10.17, 2017-10-02 ####

* Address a side channel affecting modular exponentiation. An attacker capable
  of a local or cross-VM cache analysis attack may be able to recover bits of
  secret exponents as used in RSA, DH, etc. (CVE-2017-14737)
* Workaround a miscompilation bug in GCC 7 on x86-32 affecting GOST-34.11 hash
  function.
  [GH #1192](https://github.com/randombit/botan/issues/1192)
  [GH #1148](https://github.com/randombit/botan/issues/1148)
  [GH #882](https://github.com/randombit/botan/issues/882)
* Add SecureVector::data() function which returns the start of the buffer.
  This makes it slightly simpler to support both 1.10 and 2.x APIs in the same
  codebase.
* When compiled by a C++11 (or later) compiler, a template typedef of
  SecureVector, secure_vector, is added. In 2.x this class is a std::vector
  with a custom allocator, so has a somewhat different interface than
  SecureVector in 1.10. But this makes it slightly simpler to support both
  1.10 and 2.x APIs in the same codebase.
* Fix a bug that prevented `configure.py` from running under Python3
* Botan 1.10.x does not support the OpenSSL 1.1 API. Now the build will #error
  if OpenSSL 1.1 is detected. Avoid --with-openssl if compiling against 1.1 or
  later.
  [GH #753](https://github.com/randombit/botan/issues/753)
* Import patches from Debian adding basic support for building on aarch64,
  ppc64le, or1k, and mipsn32 platforms.

#### Version 1.10.16, 2017-04-04 ####

* Fix a bug in X509 DN string comparisons that could result in out of bound
  reads. This could result in information leakage, denial of service, or
  potentially incorrect certificate validation results. (CVE-2017-2801)
* Avoid throwing during a destructor since this is undefined in C++11 and
  rarely a good idea.
  [GH #930](https://github.com/randombit/botan/issues/930)

#### Version 1.10.15, 2017-01-12 ####

* Fix a bug causing modular exponentiations done modulo even numbers to almost
  always be incorrect, unless the values were small. This bug is not known to
  affect any cryptographic operation in Botan.
  [GH #754](https://github.com/randombit/botan/issues/754)
* Avoid use of C++11 std::to_string in some code added in 1.10.14
  [GH #747](https://github.com/randombit/botan/issues/747)
  [GH #834](https://github.com/randombit/botan/issues/834)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1441126 - CVE-2017-2801 botan: Incorrect comparison in X.509 DN strings
https://bugzilla.redhat.com/show_bug.cgi?id=1441126
[ 2 ] Bug #1496368 - CVE-2017-14737 botan: cryptographic cache-based side channel in the RSA implementation
https://bugzilla.redhat.com/show_bug.cgi?id=1496368
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade botan' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------