Change logs for botan1.10 source package in Trusty

  • botan1.10 (1.10.5-1+deb7u1ubuntu0.14.04.1) trusty-security; urgency=medium
    
      * Security merge from Debian.
    
    botan1.10 (1.10.5-1+deb7u1) wheezy-security; urgency=high
    
      * Non-maintainer upload by the LTS team.
      * CVE-2014-9742: Fix insufficient randomness in Miller-Rabin primality check.
      * CVE-2015-5726: Fix crash in BER decoder.
      * CVE-2015-5727: Fix excess memory allocation in BER decoder.
      * CVE-2015-7827: Fix PKCS #1 v1.5 decoding was not constant time.
      * CVE-2016-2194: Fix infinite loop in modular square root algorithm.
      * CVE-2016-2195: Fix Heap overflow on invalid ECC point.
      * CVE-2016-2849: Use constant time modular inverse algorithm to avoid
        possible side channel attack against ECDSA.
    
     -- Steve Beattie <email address hidden>  Sat, 20 Aug 2016 16:56:27 -0700
  • botan1.10 (1.10.5-1ubuntu1) trusty; urgency=medium
    
      * ppc64el-support.patch: Add powerpc64le support to the upstream build
        system and update ppc64/altivec support for power7+ and power8 CPUs.
      * arm64-support.patch: Add arm64 support to the upstream build system.
     -- Adam Conrad <email address hidden>   Sat, 15 Mar 2014 10:26:49 -0600
  • botan1.10 (1.10.5-1) unstable; urgency=low
    
    
      * Imported Upstream version 1.10.4
       + Avoid a conditional operation in the power mod implementations on if
         a nibble of the exponent was zero or not. This may help protect
         against certain forms of side channel attacks.
       + The SRP6 code was checking for invalid values as specified in RFC
         5054, specifically values equal to zero mod p. However SRP would
         accept negative A/B values, or ones larger than p, neither of which
         should occur in a normal run of the protocol. These values are now
         rejected. Credits to Timothy Prepscius for pointing out these values
         are not normally used and probably signal something fishy.
       + The return value of version_string is now a compile time constant
         string, so version information can be more easily extracted from
         binaries.
      * Imported Upstream version 1.10.5
       + A potential crash in the AES-NI implementation of the AES-192 key
         schedule (caused by misaligned loads) has been fixed.
       + A previously conditional operation in Montgomery multiplication and
         squaring is now always performed, removing a possible timing channel.
       + Use correct flags for creating a shared library on OS X under Clang.
       + Fix a compile time incompatibility with Visual C++ 2012.
    
     -- Ondřej Surý <email address hidden>  Mon, 04 Mar 2013 09:24:12 +0100
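
The stricter SRP6 input validation described in the 1.10.4 notes above, sketched as an added Python example (not Botan's code and not part of the changelog). The modulus and sample values are constructed, and the function names are hypothetical.

```python
# Constructed stand-in modulus (the prime 2**255 - 19). A real SRP deployment
# would use one of the group primes from RFC 5054 instead.
P = 2**255 - 19


def zero_mod_p_check(value: int, p: int = P) -> bool:
    """Earlier behaviour per the notes: reject only values equal to zero mod p."""
    return value % p != 0


def strict_range_check(value: int, p: int = P) -> bool:
    """Behaviour after the change: also reject negative values and values >= p."""
    return 0 < value < p


# Constructed candidate A/B values a peer might send.
SAMPLES = {
    "canonical": 5,
    "zero": 0,
    "equal to p": P,
    "multiple of p": 2 * P,
    "negative": -5,
    "larger than p": P + 5,
}


def compare(samples=SAMPLES, p=P):
    """Return {name: (passes_zero_mod_p_check, passes_strict_check)}."""
    return {
        name: (zero_mod_p_check(v, p), strict_range_check(v, p))
        for name, v in samples.items()
    }


def accepted_only_by_old_check(samples=SAMPLES, p=P):
    """Names of values the zero-mod-p check lets through but the strict check rejects."""
    return [name for name, (old, new) in compare(samples, p).items() if old and not new]


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:15} zero-mod-p check: {old!s:5}  strict check: {new}")
    print("only the strict check rejects:", accepted_only_by_old_check())
```

Both out-of-range samples are congruent to an in-range value mod p, which is why a zero-mod-p test alone does not catch them.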