aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--doc/news.rst26
-rw-r--r--doc/security.rst67
-rw-r--r--readme.rst9
3 files changed, 88 insertions, 14 deletions
diff --git a/doc/news.rst b/doc/news.rst
index 61df06d83..175f87630 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -1,15 +1,27 @@
Release Notes
========================================
-Version 1.11.22, Not Yet Released
+Version 1.11.22, 2015-10-26
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-* The routines for decoding PKCS #1 encryption and OAEP blocks have been
- rewritten to run without secret indexes or branches. These cryptographic
- operations are vulnerable to oracle attacks, including via side channels such
- as timing or cache-based analysis. In theory it would be possible to attack
- the previous implementations using such a side channel, which could allow
- an attacker to mount a plaintext recovery attack.
+* CVE-2015-7824: An information leak allowed padding oracle attacks against
+ TLS CBC decryption. Found in a review by Sirrix AG and 3curity GmbH.
+
+* CVE-2015-7825: Validating a malformed certificate chain could cause an
+ infinite loop. Found in a review by Sirrix AG and 3curity GmbH.
+
+* CVE-2015-7826: X.509 path validation violated RFC 6125 and would accept
+ certificates which should not validate under those rules. In particular botan
+ would accept wildcard certificates as matching in situations where it should
+ not (for example it would erronously accept '*.example.com' as a valid
+ wildcard for 'foo.bar.example.com')
+
+* CVE-2015-7827: The routines for decoding PKCS #1 encryption and OAEP blocks
+ have been rewritten to run without secret indexes or branches. These
+ cryptographic operations are vulnerable to oracle attacks, including via side
+ channels such as timing or cache-based analysis. In theory it would be
+ possible to attack the previous implementations using such a side channel,
+ which could allow an attacker to mount a plaintext recovery attack.
By writing the code such that it does not depend on secret inputs for branch
or memory indexes, such a side channel would be much less likely to exist.
diff --git a/doc/security.rst b/doc/security.rst
index 4b36fa717..192571829 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -19,7 +19,66 @@ Advisories
2015
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-* 2015-08-03 (CVE-2015-5726)
+* 2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS
+
+ A padding oracle attack was possible against TLS CBC ciphersuites because if a
+ certain length check on the packet fields failed, a different alert type than
+ one used for message authentication failure would be returned to the sender.
+ This check triggering would leak information about the value of the padding
+ bytes and could be used to perform iterative decryption.
+
+ As with most such oracle attacks, the danger depends on the underlying
+ protocol - HTTP servers are particularly vulnerable. The current analysis
+ suggests that to exploit it an attacker would first have to guess several
+ bytes of plaintext, but again this is quite possible in many situations
+ including HTTP.
+
+ Found in a review by Sirrix AG and 3curity GmbH.
+
+ Introduced in 1.11.0, fixed in 1.11.22
+
+* 2015-10-26 (CVE-2015-7825): Infinite loop during certificate path validation
+
+ When evaluating a certificate path, if a loop in the certificate chain
+ was encountered (for instance where C1 certifies C2, which certifies C1)
+ an infinite loop would occur eventually resulting in memory exhaustion.
+ Found in a review by Sirrix AG and 3curity GmbH.
+
+ Introduced in 1.11.6, fixed in 1.11.22
+
+* 2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names
+
+ RFC 6125 specifies how to match a X.509v3 certificate against a DNS name
+ for application usage.
+
+ Otherwise valid certificates using wildcards would be accepted as matching
+ certain hostnames that should they should not according to RFC 6125. For
+ example a certificate issued for '*.example.com' should match
+ 'foo.example.com' but not 'example.com' or 'bar.foo.example.com'. Previously
+ Botan would accept such a certificate as valid for 'bar.foo.example.com'.
+
+ RFC 6125 also requires that when matching a X.509 certificate against a DNS
+ name, the CN entry is only compared if no subjectAlternativeName entry is
+ available. Previously X509_Certificate::matches_dns_name would always check
+ both names.
+
+ Found in a review by Sirrix AG and 3curity GmbH.
+
+ Introduced in 1.11.0, fixed in 1.11.22
+
+* 2015-10-26 (CVE-2015-7827): PKCS #1 v1.5 decoding was not constant time
+
+ During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was
+ input dependent. If these differences could be measured by an attacker, it
+ could be used to mount a Bleichenbacher million-message attack. PKCS #1 v1.5
+ decoding has been rewritten to use a sequence of operations which do not
+ contain any input-dependent indexes or jumps. Notations for checking constant
+ time blocks with ctgrind (https://github.com/agl/ctgrind) were added to PKCS
+ #1 decoding among other areas. Found in a review by Sirrix AG and 3curity GmbH.
+
+ Fixed in 1.11.22. Affected all previous versions.
+
+* 2015-08-03 (CVE-2015-5726): Crash in BER decoder
The BER decoder would crash due to reading from offset 0 of an empty vector if
it encountered a BIT STRING which did not contain any data at all. This can be
@@ -28,7 +87,7 @@ Advisories
Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
-* 2015-08-03 (CVE-2015-5727)
+* 2015-08-03 (CVE-2015-5727): Excess memory allocation in BER decoder
The BER decoder would allocate a fairly arbitrary amount of memory in a length
field, even if there was no chance the read request would succeed. This might
@@ -39,7 +98,7 @@ Advisories
2014
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-* 2014-04-10 (CVE-2014-9742)
+* 2014-04-10 (CVE-2014-9742): Insufficient randomness in Miller-Rabin primality check
A bug in the Miller-Rabin primality test resulted in only a single random base
being used instead of a sequence of such bases. This increased the probability
@@ -48,4 +107,4 @@ Advisories
number being incorrectly classed as prime with a single base is around 2^-40.
Reported by Jeff Marrison.
- Fixed in 1.11.9 and 1.10.8, affected all versions since 1.8.3
+ Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9
diff --git a/readme.rst b/readme.rst
index 24613faf7..6cf43deac 100644
--- a/readme.rst
+++ b/readme.rst
@@ -72,6 +72,9 @@ There is also a third party open source implementation of
Download
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+See the `change notes <http://botan.randombit.net/news.html>`_ and
+`security page <http://botan.randombit.net/security.html>`_
+
All releases are signed with a
`PGP key <http://botan.randombit.net/pgpkey.txt>`_::
@@ -100,9 +103,9 @@ later, Clang 3.4 and later, and MSVC 2013 are regularly tested.
A new development release is made on the first Monday of every month.
The latest development release is
-`1.11.21 <http://botan.randombit.net/releases/Botan-1.11.21.tgz>`_
-`(sig) <http://botan.randombit.net/releases/Botan-1.11.21.tgz.asc>`_
-released on 2015-10-11
+`1.11.22 <http://botan.randombit.net/releases/Botan-1.11.22.tgz>`_
+`(sig) <http://botan.randombit.net/releases/Botan-1.11.22.tgz.asc>`_
+released on 2015-10-26
Old Stable Series (1.10)
----------------------------------------