Security update for Botan SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:1351-1 Final 1 1 2017-05-18T22:25:13Z current 2017-05-18T22:25:13Z 2017-05-18T22:25:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Botan This update for Botan fixes the following issues: - CVE-2015-7827: PKCS #1 v1.5 decoding was not constant time, it could be used to mount a Bleichenbacher million-message attack (bsc#968030) - CVE-2016-9132: While decoding BER length fields, an integer overflow could occur leading to a denial-of-service (bsc#1013209) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-Botan-13119 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20171351-1/ Link for SUSE-SU-2017:1351-1 https://lists.suse.com/pipermail/sle-security-updates/2017-May/002900.html E-Mail link for SUSE-SU-2017:1351-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1013209 SUSE Bug 1013209 https://bugzilla.suse.com/968030 SUSE Bug 968030 https://www.suse.com/security/cve/CVE-2015-7827/ SUSE CVE CVE-2015-7827 page https://www.suse.com/security/cve/CVE-2016-9132/ SUSE CVE CVE-2016-9132 page SUSE Linux Enterprise Software Development Kit 11 SP4 libbotan-1_6_5-1.6.5-6.1 libbotan-devel-1.6.5-6.1 libbotan-1_6_5-1.6.5-6.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libbotan-devel-1.6.5-6.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 Botan before 1.10.13 and 1.11.x before 1.11.22 make it easier for remote attackers to conduct million-message attacks by measuring time differences, related to decoding of PKCS#1 padding. CVE-2015-7827 SUSE Linux Enterprise Software Development Kit 11 SP4:libbotan-1_6_5-1.6.5-6.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libbotan-devel-1.6.5-6.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171351-1/ https://www.suse.com/security/cve/CVE-2015-7827.html CVE-2015-7827 https://bugzilla.suse.com/968030 SUSE Bug 968030 In Botan 1.8.0 through 1.11.33, when decoding BER data an integer overflow could occur, which would cause an incorrect length field to be computed. Some API callers may use the returned (incorrect and attacker controlled) length field in a way which later causes memory corruption or other failure. CVE-2016-9132 SUSE Linux Enterprise Software Development Kit 11 SP4:libbotan-1_6_5-1.6.5-6.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libbotan-devel-1.6.5-6.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171351-1/ https://www.suse.com/security/cve/CVE-2016-9132.html CVE-2016-9132 https://bugzilla.suse.com/1013209 SUSE Bug 1013209