SB2016051312 - Multiple vulnerabilities in Fedoraproject Fedora

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2016-2850)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Botan 1.11.x before 1.11.29 does not enforce TLS policy for (1) signature algorithms and (2) ECC curves, which allows remote attackers to conduct downgrade attacks via unspecified vectors.

2) Information disclosure (CVE-ID: CVE-2016-2849)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a constant-time algorithm to perform a modular inverse on the signature nonce k, which might allow remote attackers to obtain ECDSA secret keys via a timing side-channel attack.

3) Information disclosure (CVE-ID: CVE-2015-7827)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Botan before 1.10.13 and 1.11.x before 1.11.22 make it easier for remote attackers to conduct million-message attacks by measuring time differences, related to decoding of PKCS#1 padding.

Remediation

Install update from vendor's website.

References

• http://botan.randombit.net/security.html
• http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183669.html
• http://marc.info/?l=botan-devel&m=145852488622892&w=2
• https://security.gentoo.org/glsa/201701-23
• http://marc.info/?l=botan-devel&m=146185420505943&w=2
• http://www.debian.org/security/2016/dsa-3565