[Botan-announce] Botan 1.11.29 released

Jack Lloyd lloyd at randombit.net
Sun Mar 20 21:47:56 EDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Botan 1.11.29 has been released.

SHA-256 e604eca7f0a733f6ef23ddd9209d82589728a4befd48dff3532740130ebaeb94

https://botan.randombit.net/releases/Botan-1.11.29.tgz
https://botan.randombit.net/releases/Botan-1.11.29.tgz.asc

Several bugs with possible security implications have been resolved:

* There was a timing channel in DSA/ECDSA signature generation due to
  the use of modular inverse algorithm which had input dependent loops
  (found by Sean Devlin, CVE-2016-2849).

* The TLS v1.2 client did not verify that the hash algorithm or ECC
  curve that the server chose actually matched the preferences
  indicated by the TLS server (CVE-2016-2850).

* Reading an empty TLS record could cause a crash/abort when running
  under iterator debugging (but no other ill effect seems possible).
  Found by Juraj Somorovsky.

* The TLS server had a possible timing channel in checking the
  formatting of client encrypted RSA ciphertexts.

New features include

* Add support for X.509 name constraint extensions

* Add PK_Decryptor::decrypt_or_random which supports constant-time
  content checks on decrypted ciphertexts.

* Windows now supports the locking allocator via use of VirtualLock

* TLS can now be compiled without support for SRP

Features removed include

* Support for the TLS heartbeat and minimum fragment length extensions
  have been removed.

* Support for MD5 and SHA-224 signatures in TLS have been removed.

* Support for negotiating ECC groups under 256 bits for TLS has been removed

In other announcements randombit.net is now using the Let's Encrypt CA
instead of CACert, so all browsers should accept https connections the
site.

Jack
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJW71J/AAoJEHjpgENXEjtgWkcL+wZdRmX2Mqqco/EzbslsRUPg
MOUiuMJUePS6Na4xa4vTG2EvoXHjmNdnD7MFkCMumHtEi3tRTWAQ2B6K2pQClcTp
dnaXA6DSUKqU0AXz9d5aqSl8Zr5ZlwaSyw5Xta8FEniXM6jpTfECiIzD92agOVH7
M/VB0uiPmzsUUUyTWvEl9swJ+jCfT2lQbo0qmEKLOdItRdIaOX7jXTUMhr9mcTPc
SPX13gxyIV8nf2I5cFpOePmUNjjPliqsQpBxfh9SuA41KsVM5PDHXqVs421hjsrw
7C9R2ELMFki0U2cSApo7DjNHnwcrl6INID/oF0ZHmvkS/MGqbH0/dbJms74AfZ+7
1fZmF4OmX0AnCXJ1wxeU81MQJJ6cXsC/iiOda9L2n+wR+4BcG/sXgBTf0FmcheI8
sNiqM1u2iG9YsXNgENXFajvjSb3U9O7SXLRP06erhZjcRWhy1eDAYeadSF3+O/mQ
eYeH4VxpFjpr4z5EvEmymrvBzSwxTRVtThzCUO0MFw==
=shC+
-----END PGP SIGNATURE-----


More information about the botan-announce mailing list