[Botan-announce] Botan 1.11.33 released
jack at randombit.net
Wed Oct 26 10:04:44 EDT 2016
I'm pleased to announce Botan 1.11.33 has been released.
Security bugs fixed:
* Avoid OAEP side channel (CVE-2016-8871)
* Add countermeasure for Lucky13 attack to TLS CBC decryption
Both are side channels that potentially have serious impact (recovery of
plaintext), but are currently thought to be unlikely to be exploitable by a
remote attacker in most circumstances. Nevertheless, upgrading as soon as possible is advised if
your application uses either OAEP or TLS CBC ciphersuites.
Other bugs fixed:
* Fix entropy source selection bug on Windows, which caused the CryptoAPI
entropy source to be not available under its normal name "win32_cryptoapi" but
instead "dev_random". No security impact.
* Previously system_rng required read-write access to /dev/urandom, in order to
allow reseeding of the system PRNG if requested by the application. It now
backs down to read-only access, if read-write access is prohibited by AppArmor
profile or equivalent.
* All TLS CBC ciphersuites can now be removed by disabling the `tls_cbc` module.
This effectively disables all support for TLS v1.0 and v1.1.
* Internal cleanups to the object lookup code eliminate most global locks and
all use of static initializers. There should not be any user-visible changes
as a result of this (if you notice any problems, file a bug).
New features added:
* Add X25519-based key exchange to TLS
* Add Certificate_Store_In_SQL which supports storing certs, keys, and
revocation information in a SQL database. Subclass Certificate_Store_In_SQLite
specializes with support for SQLite3 databases.
* Add support for FIPS 202 SHA-3
* Add a SHAKE-128 based stream cipher
* Add support for BoringSSL variant of NewHope
* Add support for TLS Supported Point Format Extension, and ability to
send compressed points during a TLS handshake.
* Add support for building the library as part of the IncludeOS unikernel.
This included making filesystem and threading support optional.
* Added ISA annotations so that with GCC (all supported versions) and Clang
(since 3.7) it is no longer required to compile amalgamation files with any
ISA enabling flags like ``-maes``.
Plus many and varied documentation and build improvements.
Huge thanks to everyone who contributed to this release, especially Kai
Michaelis, Simon Warta, Juraj Somorovsky, and René Korthaus.