doc/news.rst     | 26
doc/security.rst | 67
readme.rst       |  9
3 files changed, 88 insertions, 14 deletions
diff --git a/doc/news.rst b/doc/news.rst index 61df06d83..175f87630 100644 --- a/doc/news.rst +++ b/doc/news.rst @@ -1,15 +1,27 @@ Release Notes ======================================== -Version 1.11.22, Not Yet Released +Version 1.11.22, 2015-10-26 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* The routines for decoding PKCS #1 encryption and OAEP blocks have been - rewritten to run without secret indexes or branches. These cryptographic - operations are vulnerable to oracle attacks, including via side channels such - as timing or cache-based analysis. In theory it would be possible to attack - the previous implementations using such a side channel, which could allow - an attacker to mount a plaintext recovery attack. +* CVE-2015-7824: An information leak allowed padding oracle attacks against + TLS CBC decryption. Found in a review by Sirrix AG and 3curity GmbH. + +* CVE-2015-7825: Validating a malformed certificate chain could cause an + infinite loop. Found in a review by Sirrix AG and 3curity GmbH. + +* CVE-2015-7826: X.509 path validation violated RFC 6125 and would accept + certificates which should not validate under those rules. In particular botan + would accept wildcard certificates as matching in situations where it should + not (for example it would erronously accept '*.example.com' as a valid + wildcard for 'foo.bar.example.com') + +* CVE-2015-7827: The routines for decoding PKCS #1 encryption and OAEP blocks + have been rewritten to run without secret indexes or branches. These + cryptographic operations are vulnerable to oracle attacks, including via side + channels such as timing or cache-based analysis. In theory it would be + possible to attack the previous implementations using such a side channel, + which could allow an attacker to mount a plaintext recovery attack. By writing the code such that it does not depend on secret inputs for branch or memory indexes, such a side channel would be much less likely to exist. 
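Review bot: "erronously" in the CVE-2015-7826 entry should read "erroneously", and that entry is the only one of the four new items without a terminating period. The same entry uses a different example host than doc/security.rst in this patch ('foo.bar.example.com' here, 'bar.foo.example.com' there); pick one so the two documents agree, and consider mentioning the CN-versus-subjectAlternativeName matching change that the security advisory describes, since the release note currently covers only the wildcard case. Lowercase "botan" in the same sentence should be "Botan", as elsewhere in the docs.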
diff --git a/doc/security.rst b/doc/security.rst index 4b36fa717..192571829 100644 --- a/doc/security.rst +++ b/doc/security.rst 
@@ -19,7 +19,66 @@ Advisories 2015 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* 2015-08-03 (CVE-2015-5726) +* 2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS + + A padding oracle attack was possible against TLS CBC ciphersuites because if a + certain length check on the packet fields failed, a different alert type than + one used for message authentication failure would be returned to the sender. + This check triggering would leak information about the value of the padding + bytes and could be used to perform iterative decryption. + + As with most such oracle attacks, the danger depends on the underlying + protocol - HTTP servers are particularly vulnerable. The current analysis + suggests that to exploit it an attacker would first have to guess several + bytes of plaintext, but again this is quite possible in many situations + including HTTP. + + Found in a review by Sirrix AG and 3curity GmbH. + + Introduced in 1.11.0, fixed in 1.11.22 + +* 2015-10-26 (CVE-2015-7825): Infinite loop during certificate path validation + + When evaluating a certificate path, if a loop in the certificate chain + was encountered (for instance where C1 certifies C2, which certifies C1) + an infinite loop would occur eventually resulting in memory exhaustion. + Found in a review by Sirrix AG and 3curity GmbH. + + Introduced in 1.11.6, fixed in 1.11.22 + +* 2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names + + RFC 6125 specifies how to match a X.509v3 certificate against a DNS name + for application usage. + + Otherwise valid certificates using wildcards would be accepted as matching + certain hostnames that should they should not according to RFC 6125. For + example a certificate issued for '*.example.com' should match + 'foo.example.com' but not 'example.com' or 'bar.foo.example.com'. Previously + Botan would accept such a certificate as valid for 'bar.foo.example.com'. 
+ + RFC 6125 also requires that when matching a X.509 certificate against a DNS + name, the CN entry is only compared if no subjectAlternativeName entry is + available. Previously X509_Certificate::matches_dns_name would always check + both names. + + Found in a review by Sirrix AG and 3curity GmbH. + + Introduced in 1.11.0, fixed in 1.11.22 + +* 2015-10-26 (CVE-2015-7827): PKCS #1 v1.5 decoding was not constant time + + During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was + input dependent. If these differences could be measured by an attacker, it + could be used to mount a Bleichenbacher million-message attack. PKCS #1 v1.5 + decoding has been rewritten to use a sequence of operations which do not + contain any input-dependent indexes or jumps. Notations for checking constant + time blocks with ctgrind (https://github.com/agl/ctgrind) were added to PKCS + #1 decoding among other areas. Found in a review by Sirrix AG and 3curity GmbH. + + Fixed in 1.11.22. Affected all previous versions. + +* 2015-08-03 (CVE-2015-5726): Crash in BER decoder The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be @@ -28,7 +87,7 @@ Advisories Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11 -* 2015-08-03 (CVE-2015-5727) +* 2015-08-03 (CVE-2015-5727): Excess memory allocation in BER decoder The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might @@ -39,7 +98,7 @@ Advisories 2014 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* 2014-04-10 (CVE-2014-9742) +* 2014-04-10 (CVE-2014-9742): Insufficient randomness in Miller-Rabin primality check A bug in the Miller-Rabin primality test resulted in only a single random base being used instead of a sequence of such bases. This increased the probability 
@@ -48,4 +107,4 @@ Advisories number being incorrectly classed as prime with a single base is around 2^-40. Reported by Jeff Marrison. - Fixed in 1.11.9 and 1.10.8, affected all versions since 1.8.3 + Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9 diff --git a/readme.rst b/readme.rst index 24613faf7..6cf43deac 100644 --- a/readme.rst +++ b/readme.rst @@ -72,6 +72,9 @@ There is also a third party open source implementation of Download ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +See the `change notes <http://botan.randombit.net/news.html>`_ and +`security page <http://botan.randombit.net/security.html>`_ + All releases are signed with a `PGP key <http://botan.randombit.net/pgpkey.txt>`_:: @@ -100,9 +103,9 @@ later, Clang 3.4 and later, and MSVC 2013 are regularly tested. A new development release is made on the first Monday of every month. The latest development release is -`1.11.21 <http://botan.randombit.net/releases/Botan-1.11.21.tgz>`_ -`(sig) <http://botan.randombit.net/releases/Botan-1.11.21.tgz.asc>`_ -released on 2015-10-11 +`1.11.22 <http://botan.randombit.net/releases/Botan-1.11.22.tgz>`_ +`(sig) <http://botan.randombit.net/releases/Botan-1.11.22.tgz.asc>`_ +released on 2015-10-26 Old Stable Series (1.10) ---------------------------------------- |
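Review bot: changing the CVE-2014-9742 version line to "Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9" brings it into line with the "Introduced in ..., fixed in ..." form used by the new 2015 entries, but the CVE-2015-5726 entry in the same file still reads "Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11" (visible as context above). Converting the remaining entries in the same pass would leave the advisories page in one consistent format.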
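Review bot: the added "See the `change notes <...>`_ and `security page <...>`_" line in readme.rst is a sentence fragment with no terminating period, placed directly above "All releases are signed with a ..."; add a period or fold it into the following sentence. The two new links use plain http; if botan.randombit.net serves these pages over https, link to that, so readers consulting the security advisories are not fetching them over an unauthenticated channel.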