SB2016050102 - Fedora 23 update for botan

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016050102

SB2016050102 - Fedora 23 update for botan

Published: May 1, 2016 Updated: April 24, 2025

Security Bulletin ID SB2016050102
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2016-2849)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a constant-time algorithm to perform a modular inverse on the signature nonce k, which might allow remote attackers to obtain ECDSA secret keys via a timing side-channel attack.


2) Information disclosure (CVE-ID: CVE-2015-7827)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Botan before 1.10.13 and 1.11.x before 1.11.22 make it easier for remote attackers to conduct million-message attacks by measuring time differences, related to decoding of PKCS#1 padding.


3) Input validation error (CVE-ID: CVE-2016-2850)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Botan 1.11.x before 1.11.29 does not enforce TLS policy for (1) signature algorithms and (2) ECC curves, which allows remote attackers to conduct downgrade attacks via unspecified vectors.


Remediation

Install update from vendor's website.

References