aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--doc/news.rst4
-rw-r--r--doc/security.rst14
-rw-r--r--readme.rst10
3 files changed, 22 insertions, 6 deletions
diff --git a/doc/news.rst b/doc/news.rst
index 58e4723d0..21a8ec108 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -1,9 +1,11 @@
Release Notes
========================================
-Version 1.11.33, Not Yet Released
+Version 1.11.33, 2016-10-26
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* Avoid side channel during OAEP decryption. (CVE-2016-8871)
+
* A countermeasure for the Lucky13 timing attack against CBC-based TLS
ciphersuites has been added. (GH #675)
diff --git a/doc/security.rst b/doc/security.rst
index 4034a5878..1c0aea69f 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -19,6 +19,20 @@ Advisories
2016
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* 2016-10-8871 (CVE-2016-8871) OAEP side channel
+
+ A side channel in OAEP decoding could be used to distinguish RSA ciphertexts
+ that did or did not have a leading 0 byte. For an attacker capable of
+ precisely measuring the time taken for OAEP decoding, this could be used as an
+ oracle allowing decryption of arbitrary RSA ciphertexts. Remote exploitation
+ seems difficult as OAEP decoding is always paired with RSA decryption, which
+ takes substantially more (and variable) time, and so will tend to mask the
+ timing channel. This attack does seems well within reach of a local attacker
+ capable of a cache or branch predictor based side channel attack. Finding,
+ analysis, and patch by Juraj Somorovsky.
+
+ Introduced in 1.11.29, fixed in 1.11.33
+
* 2016-08-30 (CVE-2016-6878) Undefined behavior in Curve25519
On systems without a native 128-bit integer type, the Curve25519 code invoked
diff --git a/readme.rst b/readme.rst
index 6c8f3ac9c..e49a809d9 100644
--- a/readme.rst
+++ b/readme.rst
@@ -122,9 +122,9 @@ Versions 1.11 and later require a working C++11 compiler; GCC 4.8 and
later, Clang 3.5 and later, and MSVC 2013/2015 are regularly tested.
The latest development release is
-`1.11.32 <http://botan.randombit.net/releases/Botan-1.11.32.tgz>`_
-`(sig) <http://botan.randombit.net/releases/Botan-1.11.32.tgz.asc>`_
-released on 2016-09-28
+`1.11.33 <http://botan.randombit.net/releases/Botan-1.11.33.tgz>`_
+`(sig) <http://botan.randombit.net/releases/Botan-1.11.33.tgz.asc>`_
+released on 2016-10-26
Old Stable Series (1.10)
----------------------------------------
@@ -199,7 +199,7 @@ Ciphers and cipher modes
* Unauthenticated cipher modes CTR, CBC, XTS, CFB, OFB, and ECB
* AES (including constant time SSSE3 and AES-NI versions)
* AES candidates Serpent, Twofish, CAST-256
-* Stream ciphers Salsa20/XSalsa20, ChaCha20, and RC4
+* Stream ciphers Salsa20/XSalsa20, ChaCha20, SHAKE-128, and RC4
* DES, 3DES and DESX
* Threefish-512, Noekeon, Blowfish, CAST-128, IDEA, XTEA
* National/telecom block ciphers SEED, KASUMI, MISTY1, GOST 28147
@@ -209,7 +209,7 @@ Hash functions and MACs
----------------------------------------
* SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512
-* SHA-3 winner Keccak-1600
+* SHA-3 (and Keccak-1600)
* Skein-512, BLAKE2b
* RIPEMD-160, Tiger, Whirlpool, GOST 34.11
* Authentication codes HMAC, CMAC, Poly1305, SipHash