Main Vulnerability Database SB2016050104

SB2016050104 - Fedora EPEL 7 update for botan

Published: May 1, 2016 Updated: April 24, 2025

Security Bulletin ID SB2016050104

Severity

Medium

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2016-2849)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a constant-time algorithm to perform a modular inverse on the signature nonce k, which might allow remote attackers to obtain ECDSA secret keys via a timing side-channel attack.

2) Information disclosure (CVE-ID: CVE-2015-7827)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Botan before 1.10.13 and 1.11.x before 1.11.22 make it easier for remote attackers to conduct million-message attacks by measuring time differences, related to decoding of PKCS#1 padding.

3) Input validation error (CVE-ID: CVE-2016-2850)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Botan 1.11.x before 1.11.29 does not enforce TLS policy for (1) signature algorithms and (2) ECC curves, which allows remote attackers to conduct downgrade attacks via unspecified vectors.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-cd0af81454