[Botan-announce] Botan 1.11.24 released with TLS security fix

Jack Lloyd lloyd at randombit.net
Wed Nov 4 14:58:35 EST 2015


Botan 1.11.24 has been released, fixing a critical bug in TLS
authentication introduced in 1.11.23. Due to a missing check in
Credentials_Manager, a certificate which failed validation would not
be reported to the TLS layer. X.509 authentication is thus effectively
bypassed in TLS in that release. All users of TLS should upgrade to
1.11.24 as soon as possible.

http://botan.randombit.net/releases/Botan-1.11.24.tgz
http://botan.randombit.net/releases/Botan-1.11.24.tgz.asc

Credits to Florent Le Coz who found the issue and reported it. GH #342

Also fixed in this release is an endian dependency in McEliece key
generation. The build also has new flags for individually controlling
the use of debug symbols, sanitizers, and coverage.

Best,
  Jack Lloyd
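
The failure mode described in the announcement, as an added C++ example that is not Botan's code and not part of the original message. It is a simplified model in which every type and function name is hypothetical: one verifier drops the validation result, the other turns a failure into an error the TLS layer sees.

```cpp
#include <stdexcept>
#include <string>
#include <vector>

// Simplified model; every name here is hypothetical, none is Botan's API.
struct Cert { std::string subject, issuer; bool expired; };
struct Validation_Result { bool ok; std::string reason; };
using Chain = std::vector<Cert>;
using Roots = std::vector<std::string>;

// Path validation reports failure in its return value; it does not throw.
Validation_Result validate_path(const Chain& chain, const Roots& roots) {
    if (chain.empty()) return {false, "empty chain"};
    for (std::size_t i = 0; i < chain.size(); ++i) {
        if (chain[i].expired) return {false, "certificate expired"};
        if (i + 1 < chain.size() && chain[i].issuer != chain[i + 1].subject)
            return {false, "issuer mismatch in chain"};
    }
    for (const auto& root : roots)
        if (chain.back().issuer == root) return {true, "verified"};
    return {false, "untrusted issuer"};
}

// Fail-open: the result is computed and dropped, so nothing reaches the caller.
void verify_chain_missing_check(const Chain& chain, const Roots& roots) {
    validate_path(chain, roots);
}

// Fail-closed: a failed validation becomes an exception the TLS layer sees.
void verify_chain_checked(const Chain& chain, const Roots& roots) {
    const Validation_Result r = validate_path(chain, roots);
    if (!r.ok) throw std::runtime_error("certificate validation failed: " + r.reason);
}

// Model of the TLS layer: the peer is accepted unless the callback throws.
using Verifier = void (*)(const Chain&, const Roots&);
bool handshake_accepts(Verifier verify, const Chain& chain, const Roots& roots) {
    try { verify(chain, roots); return true; }
    catch (const std::exception&) { return false; }
}

int main() {
    const Roots roots = {"Example Root CA"};                         // constructed
    const Chain untrusted = {{"host.example", "Unknown CA", false}}; // constructed
    // Negative test: a chain that fails validation must abort the handshake.
    return handshake_accepts(verify_chain_checked, untrusted, roots) ? 1 : 0;
}
```

Declaring the result type `[[nodiscard]]` (C++17) makes the compiler warn when the return value is dropped as in `verify_chain_missing_check`.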

