[arch-security] [ASA-201710-17] botan: information disclosure
anthraxx at archlinux.org
Fri Oct 13 07:58:30 UTC 2017
Arch Linux Security Advisory ASA-201710-17
Date : 2017-10-12
CVE-ID : CVE-2017-14737
Package : botan
Type : information disclosure
Remote : No
Link : https://security.archlinux.org/AVG-416
The package botan before version 2.3.0-1 is vulnerable to information
Upgrade to 2.3.0-1.
# pacman -Syu "botan>=2.3.0-1"
The problem has been fixed upstream in version 2.3.0.
A cryptographic cache-based side channel in the RSA implementation in
Botan before 1.10.17, and 1.11.x and 2.x before 2.3.0, allows a local
attacker to recover information about RSA secret keys, as demonstrated
by CacheD. This occurs because an array is indexed with bits derived
from a secret key.
A local attacker is able to use a cache-based side channel attack to
recover information about RSA secret keys.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 866 bytes
Desc: OpenPGP digital signature
More information about the arch-security