[Botan-announce] Botan 1.10.10 and 1.11.19

Jack Lloyd lloyd at randombit.net
Mon Aug 3 01:24:11 EDT 2015


Hi all,

Botan 1.10.10 and 1.11.19 have been released.

Both versions fix two crashes in the BER decoder. One could cause a
read at index 0 of an empty vector, which would cause a crash but does
not seem exploitable. The other would allow an attacker-controlled
amount of memory to be allocated, which could cause a crash or other
denial of service condition. If your application consumes untrusted
ASN.1 data such as X.509 certificates or CRLs, you should upgrade
immediately.

Other changes in 1.11.19 include Android support and fixing
BigInt::to_u32bit which would fail if the value in question was
exactly 32 bits. Some x86 assembler, including the x86-32 versions of
SHA-1 and Serpent and the x86-64 version of SHA-1, were found to be
slower than the corresponding C++ versions with modern compilers and
so were removed.

Download links are:

http://botan.randombit.net/releases/Botan-1.11.19.tgz
http://botan.randombit.net/releases/Botan-1.11.19.tgz.asc
http://botan.randombit.net/releases/Botan-1.10.10.tgz
http://botan.randombit.net/releases/Botan-1.10.10.tgz.asc

Cheers,
  Jack
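
The two failure classes named in the announcement (indexing an empty buffer, and sizing an allocation from an unchecked length field) are shown below in a minimal definite-length TLV reader with both guards in place. This is an added example, not Botan's decoder or its fix; `Tlv`, `read_tlv` and the sample bytes are hypothetical and constructed here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration; not Botan's decoder or its patch. All names are hypothetical.
struct Tlv {
    uint8_t tag = 0;
    std::vector<uint8_t> value;
    size_t consumed = 0;  // bytes of input used by this element
};

// Parse one definite-length TLV with a single-byte tag. Returns false on any
// malformed or truncated input instead of reading or allocating.
bool read_tlv(const std::vector<uint8_t>& buf, Tlv& out) {
    // Guard 1: an empty or one-byte buffer has no tag + length to index.
    if (buf.size() < 2) return false;
    size_t pos = 0;
    const uint8_t tag = buf[pos++];
    if ((tag & 0x1F) == 0x1F) return false;  // multi-byte tags: out of scope here
    const uint8_t first = buf[pos++];
    size_t len = first;
    if (first & 0x80) {                      // long form: low 7 bits = count of length bytes
        const size_t n = first & 0x7F;
        if (n == 0 || n > sizeof(size_t)) return false;  // indefinite form or overflow
        if (n > buf.size() - pos) return false;          // length bytes truncated
        len = 0;
        for (size_t i = 0; i < n; ++i) len = (len << 8) | buf[pos++];
    }
    // Guard 2: the declared length is attacker-controlled; it must fit in the
    // bytes actually present before any buffer is sized from it.
    if (len > buf.size() - pos) return false;
    out.tag = tag;
    out.value.assign(buf.data() + pos, buf.data() + pos + len);
    out.consumed = pos + len;
    return true;
}

int main() {
    // Constructed samples: a valid OCTET STRING, empty input, and a header
    // that declares a 0xFFFFFFFF-byte value with no bytes behind it.
    const std::vector<std::vector<uint8_t>> samples = {
        {0x04, 0x03, 0x61, 0x62, 0x63}, {}, {0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xFF}};
    for (const auto& s : samples) {
        Tlv t;
        std::printf("%zu bytes in -> %s\n", s.size(), read_tlv(s, t) ? "ok" : "rejected");
    }
    return 0;
}
```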

