[botan-devel] Botan 1.11.23 released with several security fixes

Jack Lloyd lloyd at randombit.net
Tue Oct 27 07:54:57 EDT 2015


Botan 1.11.23 has been released. It includes several security fixes,
and applications using TLS or X.509 certificates should upgrade as soon as possible.


The security issues resolved in this release are:

CVE-2015-7824: An information leak allowed padding oracle attacks
against TLS CBC decryption. Depending on the underlying protocol and
application it could be possible for an attacker to decrypt plaintext
using iterative trials. This is most likely to affect HTTP servers,
but other protocols are also at risk.

CVE-2015-7825: Validating a malformed certificate chain could cause an
infinite loop.

CVE-2015-7826: X509_Certificate::matches_dns_name would match against
wildcard certificates when it should not, for example it would
erroneously accept `*.example.com' as a valid wildcard for

CVE-2015-7827: PKCS #1 message decoding was not constant time and could
be vulnerable to the million-message attack via a side channel. It has
been rewritten to be rigorously constant time.

All 4 CVEs were found in a security review by Sirrix AG and 3curity GmbH.
Many thanks to them for spending the time and resources on improving
the library. More about the impact of each is available with the
advisory text at https://botan.randombit.net/security.html

Additional changes in this release include:

- Adding more helper functions for const time operations plus support
  for using ctgrind (https://github.com/agl/ctgrind) to test that
  sections of code do not use secret inputs to decide branches or
  memory indexes. The testing relies on dynamic checking using
  valgrind. So far PKCS #1 decoding, OAEP decoding, Montgomery reduction,
  IDEA, and Curve25519 have been checked.

- Public key operations can now be used with specified providers by
  passing an additional parameter to the constructor of the PK
  operation. (This means it's actually possible to use the OpenSSL
  RSA/ECDSA operations, by passing "openssl" instead of "base").

- The OpenSSL RSA provider now supports signature creation and verification.

- The blinding code used for RSA, Diffie-Hellman, ElGamal and
  Rabin-Williams now periodically reinitializes the sequence of
  blinding values instead of always deriving the next value by
  squaring the previous values. The reinitialization interval can be
  controlled by the build.h parameter BOTAN_BLINDING_REINIT_INTERVAL.

- A bug decoding DTLS client hellos prevented session resumption from succeeding.

- DL_Group now prohibits creating a group smaller than 1024 bits.

- Add System_RNG type

- New command line tools dl_group and prime
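The following is an added example, not Botan's own code, showing the technique behind the constant-time PKCS #1 decoding fix (CVE-2015-7827), the CBC padding check at the root of CVE-2015-7824, and the kind of constant-time helper functions the first item above describes: comparisons yield all-ones or all-zero masks, the separator position and the message bytes are selected with masks instead of branches, and every byte is visited the same way whatever the input, so a checker such as ctgrind sees no secret-dependent branch or memory index. The helper names, the 32-bit mask convention, and the sample inputs are assumptions of this example; the inputs are constructed here and are not real protocol data.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constant-time mask helpers (illustrative names, not Botan's API). Each returns
// all-ones (0xFFFFFFFF) for "true" and 0 for "false" with no data-dependent branch.
static uint32_t ct_mask_is_zero(uint32_t x) {
    uint32_t t = (x | (0u - x)) >> 31;                   // 1 iff x != 0
    return ~(0u - t);
}
static uint32_t ct_mask_eq(uint32_t a, uint32_t b) { return ct_mask_is_zero(a ^ b); }
static uint32_t ct_mask_lt(uint32_t a, uint32_t b) {     // a < b, both below 2^31
    return 0u - ((a - b) >> 31);
}
static uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b) {
    return (mask & a) | (~mask & b);                     // mask ? a : b
}

// Constant-time PKCS #1 v1.5 (type 2) unpadding of the k-byte RSA decryption
// result 'em'. Returns the validity mask; 'out' receives the message bytes
// (zero-filled to k bytes) and 'out_len' the message length. Only the public
// length k influences control flow; every byte of 'em' is handled identically.
static uint32_t ct_pkcs1_v15_unpad(const std::vector<uint8_t>& em,
                                   std::vector<uint8_t>& out, size_t& out_len) {
    const size_t k = em.size();
    out.assign(k, 0);
    out_len = 0;
    if (k < 11) return 0;                                // public length check
    uint32_t bad = ~ct_mask_eq(em[0], 0x00) | ~ct_mask_eq(em[1], 0x02);
    uint32_t found = 0, sep = 0;                         // separator seen / its index
    for (size_t i = 2; i < k; ++i) {
        uint32_t z = ct_mask_is_zero(em[i]);
        sep = ct_select(z & ~found, static_cast<uint32_t>(i), sep);
        found |= z;
    }
    bad |= ~found;                                       // no 0x00 separator at all
    bad |= ~ct_mask_lt(9, sep);                          // fewer than 8 padding bytes
    const uint32_t valid = ~bad;
    // Gather out[j] = em[sep + 1 + j] by visiting every byte for every j, so no
    // memory index depends on the secret separator position.
    for (size_t j = 0; j < k; ++j) {
        uint32_t acc = 0;
        for (size_t i = 0; i < k; ++i)
            acc |= ct_mask_eq(static_cast<uint32_t>(i), sep + 1 + static_cast<uint32_t>(j)) & em[i];
        out[j] = static_cast<uint8_t>(acc & valid);
    }
    out_len = ct_select(valid, static_cast<uint32_t>(k) - sep - 1, 0);
    return valid;
}

// Constant-time TLS CBC padding check: the final byte p claims that the last
// p + 1 bytes all equal p. A fixed window of up to 256 trailing bytes is examined
// whatever p says, so the amount of work does not reveal where the padding ends.
static uint32_t ct_tls_cbc_pad_check(const std::vector<uint8_t>& rec) {
    const size_t n = rec.size();
    if (n == 0) return 0;                                // public length check
    const uint32_t pad = rec[n - 1];
    uint32_t good = ct_mask_lt(pad, static_cast<uint32_t>(n));              // p + 1 <= n
    const size_t window = std::min<size_t>(n, 256);
    for (size_t d = 1; d <= window; ++d) {
        uint32_t in_pad = ct_mask_lt(static_cast<uint32_t>(d) - 1, pad + 1); // d <= p + 1
        good &= ~in_pad | ct_mask_eq(rec[n - d], pad);
    }
    return good;
}

// Constructed sample inputs and thin wrappers for the checks below (not real traffic).
static std::vector<uint8_t> sample_em(size_t pad_bytes, uint8_t type, const std::string& msg) {
    std::vector<uint8_t> em = {0x00, type};
    em.insert(em.end(), pad_bytes, 0xAA);                // non-zero padding bytes
    em.push_back(0x00);                                  // separator
    em.insert(em.end(), msg.begin(), msg.end());
    return em;
}
static bool pkcs1_valid(const std::vector<uint8_t>& em) {
    std::vector<uint8_t> out; size_t len = 0;
    return ct_pkcs1_v15_unpad(em, out, len) == 0xFFFFFFFFu;
}
static std::string pkcs1_message(const std::vector<uint8_t>& em) {
    std::vector<uint8_t> out; size_t len = 0;
    ct_pkcs1_v15_unpad(em, out, len);
    return std::string(out.begin(), out.begin() + len);
}
static std::vector<uint8_t> sample_record(uint8_t pad, bool corrupt) {
    std::vector<uint8_t> rec = {'d', 'a', 't', 'a'};
    rec.insert(rec.end(), pad + 1, pad);                 // p bytes of value p plus the length byte
    if (corrupt) rec[rec.size() - 2] ^= 0x01;            // damage one padding byte
    return rec;
}

int main() {
    return pkcs1_valid(sample_em(8, 0x02, "hi")) && !pkcs1_valid(sample_em(7, 0x02, "hi!")) ? 0 : 1;
}
```

For TLS the padding check is only one ingredient: the MAC must then be verified in a way whose running time does not depend on whether the padding was valid, and both failure paths must produce the same alert, otherwise the oracle simply moves elsewhere. The quadratic gather is the price of never indexing memory by the secret separator position; for the few hundred bytes of an RSA block it is cheap, and the message length that the function still returns is itself something a full implementation has to treat with care.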
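As an added example (not Botan's implementation) of the blinding scheme the RSA/Diffie-Hellman item above describes: the blinder keeps the pair (r^e, r^-1), squares both on every use, and after a fixed number of uses draws a fresh r instead, which is the role the BOTAN_BLINDING_REINIT_INTERVAL parameter plays in the library. The toy 64-bit RSA parameters, the class and function names, the fixed seed, and the use of the GCC/Clang `__int128` type are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <numeric>
#include <random>

using u128 = unsigned __int128;   // GCC/Clang extension; keeps 64-bit modular products exact

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return static_cast<uint64_t>((static_cast<u128>(a) * b) % n);
}
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t r = 1;
    for (base %= n; exp; exp >>= 1, base = mulmod(base, base, n))
        if (exp & 1) r = mulmod(r, base, n);
    return r;
}
// Modular inverse by the extended Euclidean algorithm; returns 0 if gcd(a, n) != 1.
static uint64_t invmod(uint64_t a, uint64_t n) {
    __int128 t = 0, nt = 1, r = n, nr = a % n;
    while (nr != 0) {
        __int128 q = r / nr;
        __int128 tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    if (r != 1) return 0;
    return static_cast<uint64_t>(t < 0 ? t + n : t);
}

// RSA-style blinding with periodic reinitialisation. The pair (r^e, r^-1) is squared
// on each use, which keeps the two values consistent at the cost of two modular
// multiplications; after 'interval' uses a fresh r is drawn instead, so the private
// operation never runs on a long chain of blinding values derived from one r.
class Blinder {
public:
    Blinder(uint64_t n, uint64_t e, size_t interval, uint64_t seed)
        : n_(n), e_(e), interval_(interval), rng_(seed) { reinit(); }

    // Multiply the ciphertext by r^e before the private-key exponentiation.
    uint64_t blind(uint64_t c) {
        if (uses_ >= interval_) {
            reinit();                                  // plays the role of BOTAN_BLINDING_REINIT_INTERVAL
        } else if (uses_ > 0) {
            re_ = mulmod(re_, re_, n_);                // (r^e)^2   = (r^2)^e
            rinv_ = mulmod(rinv_, rinv_, n_);          // (r^-1)^2  = (r^2)^-1
        }
        ++uses_;
        return mulmod(c, re_, n_);
    }
    // Strip the factor r that the exponentiation leaves on the blinded result.
    uint64_t unblind(uint64_t m) const { return mulmod(m, rinv_, n_); }
    size_t reinit_count() const { return reinits_; }

private:
    void reinit() {
        std::uniform_int_distribution<uint64_t> dist(2, n_ - 2);
        uint64_t r;
        do { r = dist(rng_); } while (std::gcd(r, n_) != 1);   // r must be invertible mod n
        re_ = powmod(r, e_, n_);
        rinv_ = invmod(r, n_);
        uses_ = 0;
        ++reinits_;
    }
    uint64_t n_, e_, re_ = 0, rinv_ = 0;
    size_t interval_, uses_ = 0, reinits_ = 0;
    std::mt19937_64 rng_;   // fixed seed keeps the example reproducible; real code uses the system RNG
};

// Toy RSA parameters (p = 61, q = 53): n = 3233, e = 17, d = 2753. Constructed for the
// example only; they are far too small for anything but fitting the arithmetic in 64 bits.
static const uint64_t kN = 3233, kE = 17, kD = 2753;

// Run 'calls' blinded private-key operations and compare each with the plain
// computation c^d mod n. Returns true only if every result matched.
static bool blinded_roundtrip_ok(size_t calls, size_t interval) {
    Blinder b(kN, kE, interval, 42);
    for (size_t i = 0; i < calls; ++i) {
        uint64_t c = (i * 7919 + 65) % kN;             // constructed ciphertexts
        uint64_t blinded = b.blind(c);
        uint64_t m = b.unblind(powmod(blinded, kD, kN));
        if (m != powmod(c, kD, kN)) return false;
    }
    return true;
}
// Number of times r was drawn over 'calls' uses, counting the initial draw.
static size_t reinits_after(size_t calls, size_t interval) {
    Blinder b(kN, kE, interval, 42);
    for (size_t i = 0; i < calls; ++i) b.blind(i % kN);
    return b.reinit_count();
}

int main() { return blinded_roundtrip_ok(10, 4) && reinits_after(10, 4) == 3 ? 0 : 1; }
```

Squaring both halves of the pair costs two multiplications per operation, against one exponentiation plus one inversion for a fresh draw, which is why an interval is used rather than a fresh r every time; the interval is a tunable trade-off between that cost and how long any one r stays in service.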

The last released version was 1.11.21. 1.11.22 was briefly released but
had a problem, so it was easiest to immediately bump the version to
1.11.23 and rerelease.

