1.11.22 release1.11.22

1 files changed, 63 insertions, 4 deletions

diff --git a/doc/security.rst b/doc/security.rst
index 4b36fa717..192571829 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -19,7 +19,66 @@ Advisories
 2015
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-* 2015-08-03 (CVE-2015-5726)
+* 2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS
+
+  A padding oracle attack was possible against TLS CBC ciphersuites because if a
+  certain length check on the packet fields failed, a different alert type than
+  one used for message authentication failure would be returned to the sender.
+  This check triggering would leak information about the value of the padding
+  bytes and could be used to perform iterative decryption.
+
+  As with most such oracle attacks, the danger depends on the underlying
+  protocol - HTTP servers are particularly vulnerable. The current analysis
+  suggests that to exploit it an attacker would first have to guess several
+  bytes of plaintext, but again this is quite possible in many situations
+  including HTTP.
+
+  Found in a review by Sirrix AG and 3curity GmbH.
+
+  Introduced in 1.11.0, fixed in 1.11.22
+
+* 2015-10-26 (CVE-2015-7825): Infinite loop during certificate path validation
+
+  When evaluating a certificate path, if a loop in the certificate chain
+  was encountered (for instance where C1 certifies C2, which certifies C1)
+  an infinite loop would occur eventually resulting in memory exhaustion.
+  Found in a review by Sirrix AG and 3curity GmbH.
+
+  Introduced in 1.11.6, fixed in 1.11.22
+
+* 2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names
+
+  RFC 6125 specifies how to match a X.509v3 certificate against a DNS name
+  for application usage.
+
+  Otherwise valid certificates using wildcards would be accepted as matching
+  certain hostnames that should they should not according to RFC 6125. For
+  example a certificate issued for '*.example.com' should match
+  'foo.example.com' but not 'example.com' or 'bar.foo.example.com'. Previously
+  Botan would accept such a certificate as valid for 'bar.foo.example.com'.
+
+  RFC 6125 also requires that when matching a X.509 certificate against a DNS
+  name, the CN entry is only compared if no subjectAlternativeName entry is
+  available. Previously X509_Certificate::matches_dns_name would always check
+  both names.
+
+  Found in a review by Sirrix AG and 3curity GmbH.
+
+  Introduced in 1.11.0, fixed in 1.11.22
+
+* 2015-10-26 (CVE-2015-7827): PKCS #1 v1.5 decoding was not constant time
+
+  During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was
+  input dependent. If these differences could be measured by an attacker, it
+  could be used to mount a Bleichenbacher million-message attack. PKCS #1 v1.5
+  decoding has been rewritten to use a sequence of operations which do not
+  contain any input-dependent indexes or jumps. Notations for checking constant
+  time blocks with ctgrind (https://github.com/agl/ctgrind) were added to PKCS
+  #1 decoding among other areas. Found in a review by Sirrix AG and 3curity GmbH.
+
+  Fixed in 1.11.22. Affected all previous versions.
+
+* 2015-08-03 (CVE-2015-5726): Crash in BER decoder
 
   The BER decoder would crash due to reading from offset 0 of an empty vector if
   it encountered a BIT STRING which did not contain any data at all. This can be
@@ -28,7 +87,7 @@ Advisories
 
   Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
 
-* 2015-08-03 (CVE-2015-5727)
+* 2015-08-03 (CVE-2015-5727): Excess memory allocation in BER decoder
 
   The BER decoder would allocate a fairly arbitrary amount of memory in a length
   field, even if there was no chance the read request would succeed.  This might
@@ -39,7 +98,7 @@ Advisories
 2014
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-* 2014-04-10 (CVE-2014-9742)
+* 2014-04-10 (CVE-2014-9742): Insufficient randomness in Miller-Rabin primality check
 
   A bug in the Miller-Rabin primality test resulted in only a single random base
   being used instead of a sequence of such bases. This increased the probability
@@ -48,4 +107,4 @@ Advisories
   number being incorrectly classed as prime with a single base is around 2^-40.
   Reported by Jeff Marrison.
 
-  Fixed in 1.11.9 and 1.10.8, affected all versions since 1.8.3
+  Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9