[Botan-announce] Botan 1.11.23 released with several security fixes
lloyd at randombit.net
Tue Oct 27 07:54:57 EDT 2015
Botan 1.11.23 has been released. It includes several security fixes
and applications using TLS or X.509 certificates should upgrade asap.
The security issues resolved in this release are:
CVE-2015-7824: An information leak allowed padding oracle attacks
against TLS CBC decryption. Depending on the underlying protocol and
application it could be possible for an attacker to decrypt plaintext
using iterative trials. This is most likely to affect HTTP servers
but other protocols are also at risk.
CVE-2015-7825: Validating a malformed certificate chain could cause an
CVE-2015-7826: X509_Certificate::matches_dns_name would match against
wildcard certificates when it should not, for example it would
erroneously accept `*.example.com' as a valid wildcard for
CVE-2015-7827: PKCS #1 message decoding was not constant time and could
be vulnerable to the million-message attack via a side channel. It has
been rewritten to be rigorously constant time.
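As an added illustration of the wildcard problem named above (example code written for this note, not Botan's own implementation and not the fix shipped in 1.11.23), here is a standalone `matches_dns_name` in C++ that applies the usual hostname-wildcard rules: a `*` is honoured only when it is the entire leftmost label, it stands for exactly one label, and every remaining label must match exactly, so `*.example.com` matches `www.example.com` but neither `example.com` nor `foo.bar.example.com`, and partial or non-leading wildcards never match. The function name mirrors the Botan method; the rules, helper and sample names are this example's assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Split a DNS name into labels, lower-cased because DNS names compare
// case-insensitively. A leading, trailing or doubled dot yields an empty label.
static std::vector<std::string> dns_labels(const std::string& name) {
    std::vector<std::string> labels;
    std::string current;
    for (char c : name) {
        if (c == '.') {
            labels.push_back(current);
            current.clear();
        } else {
            current.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
        }
    }
    labels.push_back(current);
    return labels;
}

// Hypothetical matcher (example code, not Botan's). True if hostname is covered
// by the certificate name cert_name under the rules described in the comments.
bool matches_dns_name(const std::string& cert_name, const std::string& hostname) {
    if (hostname.find('*') != std::string::npos)
        return false;                         // a hostname never contains a wildcard

    const std::vector<std::string> cert = dns_labels(cert_name);
    const std::vector<std::string> host = dns_labels(hostname);

    // Empty labels (leading, trailing or doubled dots) never match.
    const auto has_empty = [](const std::vector<std::string>& v) {
        return std::any_of(v.begin(), v.end(),
                           [](const std::string& s) { return s.empty(); });
    };
    if (has_empty(cert) || has_empty(host))
        return false;

    // A '*' is only honoured as the whole leftmost label; "w*.example.com" and
    // "www.*.com" are rejected outright rather than treated as wildcards.
    for (size_t i = 0; i < cert.size(); ++i) {
        if (cert[i].find('*') != std::string::npos && !(i == 0 && cert[i] == "*"))
            return false;
    }

    if (cert[0] != "*")
        return cert == host;                  // plain name: exact label-for-label match

    // "*.example.com" needs at least two fixed labels after the wildcard,
    // so "*.com" (or a bare "*") matches nothing.
    if (cert.size() < 3)
        return false;

    // The wildcard stands for exactly one label: "*.example.com" matches
    // "www.example.com" but neither "example.com" nor "foo.bar.example.com".
    if (host.size() != cert.size())
        return false;

    // Every label after the wildcard must match exactly.
    return std::equal(cert.begin() + 1, cert.end(), host.begin() + 1);
}

int main() {
    // Constructed sample pairs; exit status 0 only if all behave as intended.
    const bool ok = matches_dns_name("*.example.com", "www.example.com")
                 && !matches_dns_name("*.example.com", "example.com")
                 && !matches_dns_name("*.example.com", "foo.bar.example.com");
    return ok ? 0 : 1;
}
```

Note that this only covers the DNS-name comparison itself; which names a certificate presents (SAN entries versus the CN) and whether a wildcard is acceptable for a given public suffix are separate policy decisions outside this helper.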
All 4 CVEs were found in a security review by Sirrix AG and 3curity GmbH.
Many thanks to them for spending the time and resources on improving
the library. More about the impact of each is available with the
advisory text at https://botan.randombit.net/security.html
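To show what "rigorously constant time" decoding means for CVE-2015-7827 (the same discipline applies to the TLS CBC padding check behind CVE-2015-7824), the following C++ is an added example and not Botan's code: a PKCS #1 v1.5 unpadder whose control flow and memory accesses depend only on the public length of the input. Padding positions and validity are tracked as bit masks, the message is copied with a fixed number of index comparisons instead of indexing at the secret separator offset, and the one branch on the verdict is taken only after all secret-dependent work has finished. The `ct` helper functions, `Unpadded` type and sample encoding are written for this example and are assumptions, not Botan's ct.h API.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Branch-free helpers written for this example (assumptions, not Botan's API).
// Each returns an all-ones mask for "true" and zero for "false".
namespace ct {
inline uint8_t is_zero8(uint8_t x) {
    // (x | -x) has bit 7 set exactly when x != 0; shift it down to 0/1.
    const uint8_t nonzero = static_cast<uint8_t>((x | static_cast<uint8_t>(-x)) >> 7);
    return static_cast<uint8_t>(nonzero - 1);           // 0 -> 0xFF, 1 -> 0x00
}
inline uint8_t is_equal8(uint8_t a, uint8_t b) { return is_zero8(a ^ b); }
inline size_t mask_zero(size_t x) {
    const size_t nonzero = (x | (static_cast<size_t>(0) - x)) >> (sizeof(size_t) * 8 - 1);
    return nonzero - 1;                                 // wraps to all ones when x == 0
}
inline size_t mask_eq(size_t a, size_t b) { return mask_zero(a ^ b); }
// All ones iff a < b; valid for values below 2^(bits-1), true of any length here.
inline size_t mask_lt(size_t a, size_t b) {
    return static_cast<size_t>(0) - ((a - b) >> (sizeof(size_t) * 8 - 1));
}
}  // namespace ct

struct Unpadded {
    bool valid;
    std::vector<uint8_t> message;   // only meaningful when valid
};

// Decode EM = 00 || 02 || PS || 00 || M, where PS is at least 8 non-zero bytes.
// Runtime and memory access pattern depend only on em.size().
Unpadded pkcs1_v15_unpad(const std::vector<uint8_t>& em) {
    const size_t n = em.size();
    Unpadded out{false, {}};
    if (n < 11)                     // public check: 2 header + 8 PS + 1 separator
        return out;

    uint8_t bad = 0;                // becomes 0xFF on any violation
    bad |= static_cast<uint8_t>(~ct::is_equal8(em[0], 0x00));
    bad |= static_cast<uint8_t>(~ct::is_equal8(em[1], 0x02));

    // Locate the first zero byte after the header without branching on data.
    size_t sep = n;                 // sentinel: "no separator"
    uint8_t seen_zero = 0;          // 0xFF once any zero byte has been passed
    for (size_t i = 2; i < n; ++i) {
        const uint8_t z = ct::is_zero8(em[i]);
        const uint8_t first = static_cast<uint8_t>(z & ~seen_zero);
        const size_t m = static_cast<size_t>(0) - static_cast<size_t>(first & 1);
        sep = (m & i) | (~m & sep); // sep = first ? i : sep
        seen_zero |= z;
    }
    bad |= static_cast<uint8_t>(~seen_zero);            // no separator at all
    bad |= static_cast<uint8_t>(ct::mask_lt(sep, 10));  // PS shorter than 8 bytes

    // Copy M with a fixed number of index comparisons rather than indexing at
    // the secret offset sep + 1 (O(n^2) byte selects, fine for RSA sizes).
    std::vector<uint8_t> buf(n - 11, 0);                // public upper bound on |M|
    for (size_t j = 0; j < buf.size(); ++j) {
        uint8_t v = 0;
        for (size_t i = 11; i < n; ++i) {               // M starts no earlier than index 11
            const size_t pick = ct::mask_eq(i, sep + 1 + j);
            v |= static_cast<uint8_t>(pick & em[i]);
        }
        buf[j] = v;
    }

    // The only branch on secret-derived data: the final verdict, after every
    // byte has been processed.
    if (bad != 0)
        return out;
    buf.resize(n - sep - 1);
    out.valid = true;
    out.message = std::move(buf);
    return out;
}

// Constructed sample encoding of "hi" with a fixed 8-byte PS (a real encoder
// draws PS from a CSPRNG; this is test input only).
std::vector<uint8_t> example_em() {
    return {0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x00, 'h', 'i'};
}
std::vector<uint8_t> with_byte(std::vector<uint8_t> em, size_t idx, uint8_t value) {
    em[idx] = value;
    return em;
}

int main() {
    const Unpadded r = pkcs1_v15_unpad(example_em());
    std::printf("valid=%d message_len=%zu\n", r.valid ? 1 : 0, r.message.size());
    return r.valid ? 0 : 1;
}
```

A caller in the million-message setting must not turn `valid` into an observable difference either: for RSA key exchange the usual treatment is to mask-select a random fallback premaster secret instead of aborting, so the verdict never leaves the constant-time boundary.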
Additional changes in this release include:
- Adding more helper functions for const time operations plus support
for using ctgrind (https://github.com/agl/ctgrind) to test that
sections of code do not use secret inputs to decide branches or
memory indexes. The testing relies on dynamic checking using
valgrind. So far PKCS #1 decoding, OAEP decoding, Montgomery reduction,
IDEA, and Curve25519 have been checked.
- Public key operations can now be used with specified providers by
passing an additional parameter to the constructor of the PK
operation. (This means it's actually possible to use the OpenSSL
RSA/ECDSA operations, by passing "openssl" instead of "base").
- The OpenSSL RSA provider now supports signature creation and verification.
- The blinding code used for RSA, Diffie-Hellman, ElGamal and
Rabin-Williams now periodically reinitializes the sequence of
blinding values instead of always deriving the next value by
squaring the previous ones. The reinitialization interval can be
controlled by the build.h parameter BOTAN_BLINDING_REINIT_INTERVAL.
- A bug decoding DTLS client hellos prevented session resumption from succeeding.
- DL_Group now prohibits creating a group smaller than 1024 bits.
- Add System_RNG type
- New command line tools dl_group and prime
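To show the blinding mechanism described in the list above (reinitializing the blinding pair periodically rather than squaring it indefinitely), here is an added C++ example that is not Botan's code: a toy RSA blinder over a textbook key (p = 61, q = 53, so n = 3233, e = 17, d = 2753), with uint64_t arithmetic standing in for BigInt and std::mt19937_64 standing in for a real RNG. The `reinit_interval` constructor parameter plays the role of BOTAN_BLINDING_REINIT_INTERVAL; the key, names and structure are this example's assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>

// Toy textbook RSA key (p = 61, q = 53): n = 3233, e = 17, d = 2753. Constructed
// for this example; real keys are thousands of bits and use Botan's BigInt.
constexpr uint64_t N = 3233, E = 17, D = 2753;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a * b) % n; }  // n < 2^32, no overflow

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t result = 1;
    base %= n;
    while (exp != 0) {
        if (exp & 1) result = mulmod(result, base, n);
        base = mulmod(base, base, n);
        exp >>= 1;
    }
    return result;
}

// Extended Euclid; returns 0 when a has no inverse mod n.
static uint64_t invmod(uint64_t a, uint64_t n) {
    int64_t t = 0, new_t = 1;
    int64_t r = static_cast<int64_t>(n), new_r = static_cast<int64_t>(a % n);
    while (new_r != 0) {
        const int64_t q = r / new_r;
        int64_t tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r;         r = new_r; new_r = tmp;
    }
    if (r != 1) return 0;
    return static_cast<uint64_t>(t < 0 ? t + static_cast<int64_t>(n) : t);
}

class Blinder {
public:
    // reinit_interval plays the role of BOTAN_BLINDING_REINIT_INTERVAL.
    // std::mt19937_64 is a stand-in; a real blinder draws r from a CSPRNG.
    Blinder(size_t reinit_interval, uint64_t seed) : interval_(reinit_interval), rng_(seed) { reinit(); }

    // Private-key operation m^d mod n without exponentiating the caller's m directly:
    // the exponentiation only ever sees m * r^e, which is random for fresh r.
    uint64_t sign(uint64_t m) {
        const uint64_t blinded = mulmod(m % N, fwd_, N);   // m * r^e
        const uint64_t s = powmod(blinded, D, N);          // (m * r^e)^d = m^d * r
        const uint64_t result = mulmod(s, inv_, N);        // strip r
        advance();
        return result;
    }
    size_t reinit_count() const { return reinits_; }

private:
    void reinit() {
        std::uniform_int_distribution<uint64_t> pick(2, N - 2);
        uint64_t r;
        do { r = pick(rng_); } while (invmod(r, N) == 0);   // need gcd(r, n) == 1
        inv_ = invmod(r, N);
        fwd_ = powmod(r, E, N);
        used_ = 0;
        ++reinits_;
    }
    // Next pair by squaring: (r^2)^e = (r^e)^2 and (r^-1)^2 = (r^2)^-1, so the pair
    // stays consistent with no extra exponentiation. Squaring forever would make
    // the whole sequence a function of one r, hence the periodic fresh draw.
    void advance() {
        if (++used_ >= interval_) { reinit(); return; }
        fwd_ = mulmod(fwd_, fwd_, N);
        inv_ = mulmod(inv_, inv_, N);
    }

    size_t interval_;
    size_t used_ = 0;
    size_t reinits_ = 0;
    uint64_t fwd_ = 0, inv_ = 0;
    std::mt19937_64 rng_;
};

// Blinded results must equal plain m^d mod n for every input tried.
bool blinded_matches_plain(size_t ops, size_t interval, uint64_t seed) {
    Blinder b(interval, seed);
    for (size_t i = 0; i < ops; ++i) {
        const uint64_t m = (i * 977 + 5) % N;              // constructed inputs
        if (b.sign(m) != powmod(m, D, N)) return false;
    }
    return true;
}

// Number of fresh r draws (including the initial one) after `ops` signatures.
size_t reinits_after(size_t ops, size_t interval, uint64_t seed) {
    Blinder b(interval, seed);
    for (size_t i = 0; i < ops; ++i) b.sign(i);
    return b.reinit_count();
}

int main() {
    std::printf("consistent=%d reinits(10 ops, interval 4)=%zu\n",
                blinded_matches_plain(50, 7, 1234) ? 1 : 0, reinits_after(10, 4, 42));
    return 0;
}
```

With an interval of 4, ten signatures trigger the initial draw plus two reinitializations (after the fourth and eighth operation); the cost of a reinit is one exponentiation to e and one inversion, so the interval trades that cost against how long a single r stays in use.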
The last released version was 1.11.21. 1.11.22 was briefly released but
had a problem, so it was easiest to immediately bump the version to
1.11.23 and rerelease.