Your message dated Sat, 16 Jun 2018 11:04:36 +0000
with message-id <[email protected]>
and subject line Bug#901619: fixed in botan 2.6.0-3
has caused the Debian Bug report #901619,
regarding botan: CVE-2018-12435: memory-cache side-channel attack on ECDSA signatures
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
901619: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901619
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: botan
Version: 2.6.0-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/randombit/botan/pull/1604

Hi,

The following vulnerability was published for botan.

CVE-2018-12435[0]:
| Botan 2.5.0 through 2.6.0 allows a memory-cache side-channel attack on
| ECDSA signatures, aka the Return Of the Hidden Number Problem or
| ROHNP, related to dsa/dsa.cpp, ec_group/ec_group.cpp, and
| ecdsa/ecdsa.cpp. To discover an ECDSA key, the attacker needs access
| to either the local machine or a different virtual machine on the same
| physical host.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12435
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12435
[1] https://github.com/randombit/botan/pull/1604
[2] https://github.com/randombit/botan/pull/1604/commits/48fc8df51d99f9d8ba251219367b3d629cc848e3

Please adjust the affected versions in the BTS as needed.

Note please that initially the CVE for libgcrypt was reused. But the
one above, which is used here, is the right one.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: botan
Source-Version: 2.6.0-3

We believe that the bug you reported is fixed in the latest version of
botan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated botan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 16 Jun 2018 05:58:09 +0000
Source: botan
Binary: botan libbotan-2-5 libbotan-2-dev libbotan-2-doc python3-botan
Architecture: source amd64 all
Version: 2.6.0-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
 botan      - multiplatform crypto library (2.x version)
 libbotan-2-5 - multiplatform crypto library (2.x version)
 libbotan-2-dev - multiplatform crypto library (2.x version)
 libbotan-2-doc - multiplatform crypto library (2.x version)
 python3-botan - multiplatform crypto library (2.x version), Python3 module
Closes: 901619
Changes:
 botan (2.6.0-3) unstable; urgency=high
 .
   * Backport security related patches:
     - CVE-2018-12435: memory-cache side-channel attack on ECDSA signatures
       (closes: #901619),
     - in ECC avoid using significant words to dispatch the mult algo.
   * Update Standards-Version to 4.1.4 .


--- End Message ---
