[SECURITY] Fedora 26 Update: botan-1.10.17-1.fc26

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2017-d4248ba346 2017-10-25 21:34:15.276555 -------------------------------------------------------------------------------- Name : botan Product : Fedora 26 Version : 1.10.17 Release : 1.fc26 URL : http://botan.randombit.net/ Summary : Crypto library written in C++ Description : Botan is a BSD-licensed crypto library written in C++. It provides a wide variety of basic cryptographic algorithms, X.509 certificates and CRLs, PKCS \#10 certificate requests, a filter/pipe message processing system, and a wide variety of other features, all written in portable C++. The API reference, tutorial, and examples may help impart the flavor of the library. -------------------------------------------------------------------------------- Update Information: #### Version 1.10.17, 2017-10-02 #### * Address a side channel affecting modular exponentiation. An attacker capable of a local or cross-VM cache analysis attack may be able to recover bits of secret exponents as used in RSA, DH, etc. (CVE-2017-14737) * Workaround a miscompilation bug in GCC 7 on x86-32 affecting GOST-34.11 hash function. [GH #1192](https://github.com/randombit/botan/issues/1192) [GH #1148](https://github.com/randombit/botan/issues/1148) [GH #882](https://github.com/randombit/botan/issues/882) * Add SecureVector::data() function which returns the start of the buffer. This makes it slightly simpler to support both 1.10 and 2.x APIs in the same codebase. * When compiled by a C++11 (or later) compiler, a template typedef of SecureVector, secure_vector, is added. In 2.x this class is a std::vector with a custom allocator, so has a somewhat different interface than SecureVector in 1.10. But this makes it slightly simpler to support both 1.10 and 2.x APIs in the same codebase. * Fix a bug that prevented `configure.py` from running under Python3 * Botan 1.10.x does not support the OpenSSL 1.1 API. Now the build will #error if OpenSSL 1.1 is detected. Avoid ���with-openssl if compiling against 1.1 or later. [GH #753](https://github.com/randombit/botan/issues/753) * Import patches from Debian adding basic support for building on aarch64, ppc64le, or1k, and mipsn32 platforms. #### Version 1.10.16, 2017-04-04 #### * Fix a bug in X509 DN string comparisons that could result in out of bound reads. This could result in information leakage, denial of service, or potentially incorrect certificate validation results. (CVE-2017-2801) * Avoid throwing during a destructor since this is undefined in C++11 and rarely a good idea. [GH #930](https://github.com/randombit/botan/issues/930) #### Version 1.10.15, 2017-01-12 #### * Fix a bug causing modular exponentiations done modulo even numbers to almost always be incorrect, unless the values were small. This bug is not known to affect any cryptographic operation in Botan. [GH #754](https://github.com/randombit/botan/issues/754) * Avoid use of C++11 std::to_string in some code added in 1.10.14 [GH #747](https://github.com/randombit/botan/issues/747) [GH #834](https://github.com/randombit/botan/issues/834) -------------------------------------------------------------------------------- References: [ 1 ] Bug #1441126 - CVE-2017-2801 botan: Incorrect comparison in X.509 DN strings https://bugzilla.redhat.com/show_bug.cgi?id=1441126 [ 2 ] Bug #1496368 - CVE-2017-14737 botan: cryptographic cache-based side channel in the RSA implementation https://bugzilla.redhat.com/show_bug.cgi?id=1496368 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade botan' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------