[Botan-announce] Botan 1.11.33 released

Jack Lloyd jack at randombit.net
Wed Oct 26 10:04:44 EDT 2016



I'm pleased to announce Botan 1.11.33 has been released.

https://botan.randombit.net/releases/Botan-1.11.33.tgz
https://botan.randombit.net/releases/Botan-1.11.33.tgz.asc
SHA-256 d65f95399dc5710aea90d682d65e554fed4571115f1382416e9142370a47e949
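
The digest above is what a downloader should check the tarball against before unpacking it, followed by the detached PGP signature. The following script is an added example (not part of the announcement or of Botan itself): it streams the file through SHA-256 with the digest from this message as the reference value, and optionally shells out to `gpg --verify` for the `.asc` file, which only succeeds if the release signing key is already in your keyring.

```python
#!/usr/bin/env python3
"""Verify a Botan release tarball against the announced SHA-256 and PGP signature.

Added example for this announcement; the digest constant is copied from the
message, everything else (function names, the gpg helper) is an assumption.
"""
import hashlib
import subprocess
import sys

# Announced SHA-256 of Botan-1.11.33.tgz (copied from the release message).
BOTAN_1_11_33_SHA256 = "d65f95399dc5710aea90d682d65e554fed4571115f1382416e9142370a47e949"


def sha256_of_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, reading it in chunks so a large
    tarball never has to fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha256(path, expected_hex):
    """True if the file's digest equals the announced one (case-insensitive,
    surrounding whitespace ignored so a pasted value still compares equal)."""
    return sha256_of_file(path).lower() == expected_hex.strip().lower()


def verify_signature(tarball, sig_path):
    """Run gpg on the detached signature. Hypothetical helper: requires the gpg
    binary and the release signing key already imported into the keyring."""
    result = subprocess.run(
        ["gpg", "--verify", str(sig_path), str(tarball)],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def main(argv):
    if len(argv) < 2:
        print("usage: verify_release.py <tarball> [<tarball.asc>]", file=sys.stderr)
        return 2
    tarball = argv[1]
    if not verify_sha256(tarball, BOTAN_1_11_33_SHA256):
        print(f"MISMATCH: {tarball} has SHA-256 {sha256_of_file(tarball)}", file=sys.stderr)
        return 1
    print(f"OK: {tarball} matches the announced SHA-256")
    if len(argv) > 2:
        if not verify_signature(tarball, argv[2]):
            print("signature verification FAILED", file=sys.stderr)
            return 1
        print("OK: PGP signature verified")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 verify_release.py Botan-1.11.33.tgz Botan-1.11.33.tgz.asc`. Checking the digest alone proves the download is intact; only the signature check proves it came from the release signer.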

Security bugs fixed:

* Avoid OAEP side channel (CVE-2016-8871)
* Add countermeasure for Lucky13 attack to TLS CBC decryption

Both are side channels that potentially have serious impact (recovery of
plaintext), but are currently thought to be unlikely to be exploitable by a
remote attacker in most circumstances. Nevertheless, upgrading as soon as
possible is advised if your application uses either OAEP or TLS CBC
ciphersuites.

Other bugs fixed:

* Fix an entropy source selection bug on Windows, which caused the CryptoAPI
  entropy source to be registered not under its normal name "win32_cryptoapi"
  but as "dev_random". No security impact.

* Previously system_rng required read-write access to /dev/urandom, in order to
  allow reseeding of the system PRNG if requested by the application. It now
  falls back to read-only access if read-write access is prohibited by an
  AppArmor profile or equivalent.
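
The same open-with-fallback pattern, as an added example rather than Botan's own code: try the descriptor read-write so the application can feed seed material in, and if a MAC policy or file mode denies that, settle for read-only and treat reseeding as a no-op. Function names and the `(fd, writable)` return convention are assumptions made for this illustration.

```python
"""Open the system RNG with read-write access when permitted, read-only otherwise.
Added example; it mirrors the behaviour described in the release note but is not
Botan's implementation."""
import errno
import os

# errno values that mean "you may read this but not write it" under a
# restrictive profile, read-only mount, or plain file permissions.
_DENY_WRITE = (errno.EACCES, errno.EPERM, errno.EROFS)


def open_system_rng(path="/dev/urandom"):
    """Return (fd, writable). Tries O_RDWR first so the caller can later write
    seed material; on a permission-style failure it retries O_RDONLY, which is
    all that output-only use of the RNG needs."""
    flags = getattr(os, "O_CLOEXEC", 0)  # keep the fd out of child processes
    try:
        return os.open(path, os.O_RDWR | flags), True
    except OSError as e:
        if e.errno not in _DENY_WRITE:
            raise  # missing device, etc.: not something read-only access fixes
        return os.open(path, os.O_RDONLY | flags), False


def read_random(fd, n):
    """Read exactly n bytes, looping because os.read may return short."""
    buf = bytearray()
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            raise OSError("short read from system RNG")
        buf += chunk
    return bytes(buf)


def add_entropy(fd, writable, data):
    """Feed seed material to the kernel pool if we hold a writable descriptor.
    Returns True if written, False if skipped because the fd is read-only;
    skipping is safe because the kernel pool does not depend on our input."""
    if not writable:
        return False
    os.write(fd, data)
    return True


if __name__ == "__main__":
    fd, writable = open_system_rng()
    print("writable:", writable, "sample:", read_random(fd, 16).hex())
    print("reseed accepted:", add_entropy(fd, writable, os.urandom(32)))
    os.close(fd)
```

Note that the fallback is only taken for permission-style errors; a missing device still raises, since silently continuing without any entropy source would be worse than failing loudly.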

Internal cleanups:

* All TLS CBC ciphersuites can now be removed by disabling the `tls_cbc` module.
  This effectively disables all support for TLS v1.0 and v1.1.

* Internal cleanups to the object lookup code eliminate most global locks and
  all use of static initializers. There should not be any user-visible changes
  as a result of this (if you notice any problems, file a bug).

New features added:

* Add X25519-based key exchange to TLS

* Add Certificate_Store_In_SQL which supports storing certs, keys, and
  revocation information in a SQL database. Subclass Certificate_Store_In_SQLite
  specializes with support for SQLite3 databases.

* Add support for FIPS 202 SHA-3

* Add a SHAKE-128 based stream cipher

* Add support for BoringSSL variant of NewHope

* Add support for TLS Supported Point Format Extension, and ability to
  send compressed points during a TLS handshake.

* Add support for building the library as part of the IncludeOS unikernel.
  This included making filesystem and threading support optional.

* Added ISA annotations so that with GCC (all supported versions) and Clang
  (since 3.7) it is no longer required to compile amalgamation files with any
  ISA enabling flags like ``-maes``.

Plus many and varied documentation and build improvements.

Huge thanks to everyone who contributed to this release, especially Kai
Michaelis, Simon Warta, Juraj Somorovsky, and René Korthaus.

Best,
  Jack