Arch Linux Security Advisory ASA-201603-22 ========================================== Severity: High Date : 2016-03-24 CVE-ID : CVE-2016-2849 CVE-2016-2850 Package : botan Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package botan before version 1.11.29-1 is vulnerable to multiple issues. Resolution ========== Upgrade to 1.11.29-1. # pacman -Syu "botan>=1.11.29-1" The problem has been fixed upstream in version 1.11.29. Workaround ========== None. Description =========== - CVE-2016-2849 (ECDSA side channel): ECDSA (and DSA) signature algorithms perform a modular inverse on the signature nonce k. The modular inverse algorithm used had input dependent loops, and it is possible a side channel attack could recover sufficient information about the nonce to eventually recover the ECDSA secret key. Found by Sean Devlin. - CVE-2016-2850 (Failure to enforce TLS policy): TLS v1.2 allows negotiating which signature algorithms and hash functions each side is willing to accept. However received signatures were not actually checked against the specified policy. This had the effect of allowing a server to use an MD5 or SHA-1 signature, even though the default policy prohibits it. The same issue affected client cert authentication. The TLS client also failed to verify that the ECC curve the server chose to use was one which was acceptable by the client policy. Impact ====== A remote attacker might be able to recover an ECDSA secret key by using a side channel attack. A remote attacker can downgrade the TLS signatures and hash functions to vulnerable algorithms like MD5 or SHA-1 even if they are explicitely prohibited. References ========== http://botan.randombit.net/security.html#id1 https://access.redhat.com/security/cve/CVE-2016-2849 https://access.redhat.com/security/cve/CVE-2016-2850