diff options
-rw-r--r-- | doc/news.rst | 4 | ||||
-rw-r--r-- | doc/security.rst | 14 | ||||
-rw-r--r-- | readme.rst | 10 |
3 files changed, 22 insertions, 6 deletions
diff --git a/doc/news.rst b/doc/news.rst index 58e4723d0..21a8ec108 100644 --- a/doc/news.rst +++ b/doc/news.rst @@ -1,9 +1,11 @@ Release Notes ======================================== -Version 1.11.33, Not Yet Released +Version 1.11.33, 2016-10-26 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +* Avoid side channel during OAEP decryption. (CVE-2016-8871) + * A countermeasure for the Lucky13 timing attack against CBC-based TLS ciphersuites has been added. (GH #675) diff --git a/doc/security.rst b/doc/security.rst index 4034a5878..1c0aea69f 100644 --- a/doc/security.rst +++ b/doc/security.rst @@ -19,6 +19,20 @@ Advisories 2016 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +* 2016-10-8871 (CVE-2016-8871) OAEP side channel + + A side channel in OAEP decoding could be used to distinguish RSA ciphertexts + that did or did not have a leading 0 byte. For an attacker capable of + precisely measuring the time taken for OAEP decoding, this could be used as an + oracle allowing decryption of arbitrary RSA ciphertexts. Remote exploitation + seems difficult as OAEP decoding is always paired with RSA decryption, which + takes substantially more (and variable) time, and so will tend to mask the + timing channel. This attack does seems well within reach of a local attacker + capable of a cache or branch predictor based side channel attack. Finding, + analysis, and patch by Juraj Somorovsky. + + Introduced in 1.11.29, fixed in 1.11.33 + * 2016-08-30 (CVE-2016-6878) Undefined behavior in Curve25519 On systems without a native 128-bit integer type, the Curve25519 code invoked diff --git a/readme.rst b/readme.rst index 6c8f3ac9c..e49a809d9 100644 --- a/readme.rst +++ b/readme.rst @@ -122,9 +122,9 @@ Versions 1.11 and later require a working C++11 compiler; GCC 4.8 and later, Clang 3.5 and later, and MSVC 2013/2015 are regularly tested. The latest development release is -`1.11.32 <http://botan.randombit.net/releases/Botan-1.11.32.tgz>`_ -`(sig) <http://botan.randombit.net/releases/Botan-1.11.32.tgz.asc>`_ -released on 2016-09-28 +`1.11.33 <http://botan.randombit.net/releases/Botan-1.11.33.tgz>`_ +`(sig) <http://botan.randombit.net/releases/Botan-1.11.33.tgz.asc>`_ +released on 2016-10-26 Old Stable Series (1.10) ---------------------------------------- @@ -199,7 +199,7 @@ Ciphers and cipher modes * Unauthenticated cipher modes CTR, CBC, XTS, CFB, OFB, and ECB * AES (including constant time SSSE3 and AES-NI versions) * AES candidates Serpent, Twofish, CAST-256 -* Stream ciphers Salsa20/XSalsa20, ChaCha20, and RC4 +* Stream ciphers Salsa20/XSalsa20, ChaCha20, SHAKE-128, and RC4 * DES, 3DES and DESX * Threefish-512, Noekeon, Blowfish, CAST-128, IDEA, XTEA * National/telecom block ciphers SEED, KASUMI, MISTY1, GOST 28147 @@ -209,7 +209,7 @@ Hash functions and MACs ---------------------------------------- * SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 -* SHA-3 winner Keccak-1600 +* SHA-3 (and Keccak-1600) * Skein-512, BLAKE2b * RIPEMD-160, Tiger, Whirlpool, GOST 34.11 * Authentication codes HMAC, CMAC, Poly1305, SipHash |