Botan: Multiple vulnerabilities — GLSA 201701-23

Multiple vulnerabilities have been found in Botan, the worst of which might allow remote attackers to obtain ECDSA secret keys.

Affected Packages

dev-libs/botan on all architectures
Affected versions < 1.10.13
Unaffected versions >= 1.10.13

Background

Botan (Japanese for peony) is a cryptography library written in C++11.

Description

Multiple vulnerabilities have been discovered in Botan. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker might obtain ECDSA secret keys via a timing side-channel attack or could possibly bypass TLS policy.

Workaround

There is no known workaround at this time.

Resolution

All Botan users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/botan-1.10.13"
 

References

Release Date
January 11, 2017

Latest Revision
January 11, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries