[Botan-announce] Botan 2.1.0 and 1.10.16 released
jack at randombit.net
Tue Apr 4 21:34:06 EDT 2017
Botan 2.1.0 and 1.10.16 have been released.

Both releases resolve a security issue in X509 DN comparisons which might result
in information leakage or incorrect certificate validation results. For 1.10.16
this is the only major change. This is CVE-2017-2801, found and reported
independently by both the Cisco Talos team and OSS-Fuzz. Thanks to both
organizations for their support of open source security.

Botan 2.1.0 also resolves a bug in bcrypt introduced in 1.11.0 which caused
passwords between 56 and 72 characters in length to be incorrectly truncated.
Thanks to Solar Designer for pointing this problem out. (CVE-2017-7252)

There are many other changes in 2.1.0 reflecting the 3 months in development
since 2.0. These include numerous additions to the C API, the ability to search
for certificates by the DN hash, improved ECC side channel mitigations, improved
support for ARM systems (including NEON support), cycles/byte estimates in the
output of `botan speed`, and improvements for OpenBSD. Consult the release notes
for the full details.

SHA-256 460f2d7205aed113f898df4947b1f66ccf8d080eec7dac229ef0b754c9ad6294 Botan-2.1.0.tgz
SHA-256 6c5472401d06527e87adcb53dd270f3c9b1fb688703b04dd7a7cfb86289efe52 Botan-1.10.16.tgz