author: Jack Lloyd <[email protected]> 2016-10-26 09:39:08 -0400
committer: Jack Lloyd <[email protected]> 2016-10-26 09:39:08 -0400
commit: 560c0e5623cd9ef704b06c56b7e827e7431ae1a8 (patch)
tree: 77b7838b0be4a818e478a719dbfd87a09f2a6fe6
parent: 3fb31cef450cef82015170f8e825a2d656163ea6 (diff)
Final changes for 1.11.33 release1.11.33
-rw-r--r-- doc/news.rst     4
-rw-r--r-- doc/security.rst 14
-rw-r--r-- readme.rst       10
3 files changed, 22 insertions, 6 deletions
diff --git a/doc/news.rst b/doc/news.rst
index 58e4723d0..21a8ec108 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -1,9 +1,11 @@
Release Notes
========================================
-Version 1.11.33, Not Yet Released
+Version 1.11.33, 2016-10-26
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* Avoid side channel during OAEP decryption. (CVE-2016-8871)
+
* A countermeasure for the Lucky13 timing attack against CBC-based TLS
ciphersuites has been added. (GH #675)
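Review bot: the new OAEP side-channel entry gives the CVE but not the affected range, so a reader of news.rst alone cannot tell whether their build needs the upgrade; the security.rst advisory in this same commit states "Introduced in 1.11.29, fixed in 1.11.33", and repeating that range here (e.g. "affects 1.11.29 through 1.11.32") would make the release note self-contained.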
diff --git a/doc/security.rst b/doc/security.rst
index 4034a5878..1c0aea69f 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -19,6 +19,20 @@ Advisories
2016
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* 2016-10-8871 (CVE-2016-8871) OAEP side channel
+
+ A side channel in OAEP decoding could be used to distinguish RSA ciphertexts
+ that did or did not have a leading 0 byte. For an attacker capable of
+ precisely measuring the time taken for OAEP decoding, this could be used as an
+ oracle allowing decryption of arbitrary RSA ciphertexts. Remote exploitation
+ seems difficult as OAEP decoding is always paired with RSA decryption, which
+ takes substantially more (and variable) time, and so will tend to mask the
+ timing channel. This attack does seems well within reach of a local attacker
+ capable of a cache or branch predictor based side channel attack. Finding,
+ analysis, and patch by Juraj Somorovsky.
+
+ Introduced in 1.11.29, fixed in 1.11.33
+
* 2016-08-30 (CVE-2016-6878) Undefined behavior in Curve25519
On systems without a native 128-bit integer type, the Curve25519 code invoked
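Review bot: the identifier "2016-10-8871" on the first added line looks like a mistyped date; every other advisory in this list is formatted as a YYYY-MM-DD date followed by the CVE in parentheses (compare "2016-08-30 (CVE-2016-6878)" just below), and "8871" is the CVE number repeated rather than a day. Replace it with the actual advisory date so the list stays sortable and consistent. Two smaller points in the same paragraph: "This attack does seems well within reach" should read "does seem", and the trailing "Introduced in 1.11.29, fixed in 1.11.33" would benefit from a terminating period to match the other entries.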
diff --git a/readme.rst b/readme.rst
index 6c8f3ac9c..e49a809d9 100644
--- a/readme.rst
+++ b/readme.rst
@@ -122,9 +122,9 @@ Versions 1.11 and later require a working C++11 compiler; GCC 4.8 and
later, Clang 3.5 and later, and MSVC 2013/2015 are regularly tested.
The latest development release is
-`1.11.32 <http://botan.randombit.net/releases/Botan-1.11.32.tgz>`_
-`(sig) <http://botan.randombit.net/releases/Botan-1.11.32.tgz.asc>`_
-released on 2016-09-28
+`1.11.33 <http://botan.randombit.net/releases/Botan-1.11.33.tgz>`_
+`(sig) <http://botan.randombit.net/releases/Botan-1.11.33.tgz.asc>`_
+released on 2016-10-26
Old Stable Series (1.10)
----------------------------------------
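Review bot: both the tarball and the detached signature are linked over plain http:// (lines for Botan-1.11.33.tgz and Botan-1.11.33.tgz.asc). The .asc signature protects the tarball's integrity only for users who actually verify it, while an on-path modification of the page or of the download itself would go unnoticed by everyone else; if the release host serves https (an assumption, not stated in the diff), updating both URLs to https:// here closes that gap at no cost. Also consider stating next to the link which key the release is signed with, so that verification has a trust anchor.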
@@ -199,7 +199,7 @@ Ciphers and cipher modes
* Unauthenticated cipher modes CTR, CBC, XTS, CFB, OFB, and ECB
* AES (including constant time SSSE3 and AES-NI versions)
* AES candidates Serpent, Twofish, CAST-256
-* Stream ciphers Salsa20/XSalsa20, ChaCha20, and RC4
+* Stream ciphers Salsa20/XSalsa20, ChaCha20, SHAKE-128, and RC4
* DES, 3DES and DESX
* Threefish-512, Noekeon, Blowfish, CAST-128, IDEA, XTEA
* National/telecom block ciphers SEED, KASUMI, MISTY1, GOST 28147
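Review bot: listing SHAKE-128 in the "Stream ciphers" bullet alongside Salsa20/XSalsa20 and ChaCha20 may mislead readers, since SHAKE-128 is the SHA-3 extendable-output function rather than a purpose-designed stream cipher; what is being advertised here is presumably its use as a keystream generator. A short qualifier such as "SHAKE-128 (XOF used as a stream cipher)" would say what the feature actually is and avoid the impression that it comes with the nonce handling of the ciphers it sits beside.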
@@ -209,7 +209,7 @@ Hash functions and MACs
----------------------------------------
* SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512
-* SHA-3 winner Keccak-1600
+* SHA-3 (and Keccak-1600)
* Skein-512, BLAKE2b
* RIPEMD-160, Tiger, Whirlpool, GOST 34.11
* Authentication codes HMAC, CMAC, Poly1305, SipHash