[Botan-announce] Botan 1.10.12 released

Jack Lloyd lloyd at randombit.net
Wed Feb 3 04:00:12 EST 2016


Remi Gacogne pointed out that the fix in 1.10.11 for CVE-2016-2195 was
not quite right; the check in PointGFp intended to check that x and y
were less than the prime instead checked x twice.

However, don't panic: the overflow cannot occur in 1.10.11 because of
an additional length check in the multiplication function itself which
was added at the same time. So I don't believe there are any security
implications to this missing check. Nonetheless to avoid confusion and
out of an abundance of caution I have released 1.10.12 which has the
correction.

SHA-256 affc3a79919577943f896e64d3e4a4dcc4970c5bf80cc98c7f3a3144745eac27

https://botan.randombit.net/releases/Botan-1.10.12.tgz
https://botan.randombit.net/releases/Botan-1.10.12.tgz.asc

Jack


More information about the botan-announce mailing list