Debian Bug report logs -
#918732
botan: CVE-2018-20187: Side channel during ECC key generation
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#918732; Package src:botan.
(Tue, 08 Jan 2019 20:45:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Tue, 08 Jan 2019 20:45:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: botan
Version: 2.8.0-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/randombit/botan/pull/1792
Hi,
The following vulnerability was published for botan.
CVE-2018-20187[0]:
Timing side channel during ECC key generation could leak information...
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20187
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20187
[1] https://github.com/randombit/botan/pull/1792
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Sat, 12 Jan 2019 23:03:46 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 12 Jan 2019 23:03:46 GMT) (full text, mbox, link).
Message #10 received at 918732-close@bugs.debian.org (full text, mbox, reply):
Source: botan
Source-Version: 2.9.0-1
We believe that the bug you reported is fixed in the latest version of
botan, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 918732@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated botan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 12 Jan 2019 13:16:11 +0000
Source: botan
Binary: botan libbotan-2-9 libbotan-2-dev libbotan-2-doc python3-botan
Architecture: source amd64 all
Version: 2.9.0-1
Distribution: experimental
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
botan - multiplatform crypto library (2.x version)
libbotan-2-9 - multiplatform crypto library (2.x version)
libbotan-2-dev - multiplatform crypto library (2.x version)
libbotan-2-doc - multiplatform crypto library (2.x version)
python3-botan - multiplatform crypto library (2.x version), Python3 module
Closes: 918732
Changes:
botan (2.9.0-1) experimental; urgency=medium
.
* New upstream release.
* Fix CVE-2018-20187: address a side channel during ECC key generation,
which used an unblinded Montgomery ladder (closes: #918732).
* Library transition from libbotan-2-8 to libbotan-2-9 .
Checksums-Sha1:
374ed795fb87861d1a0a1ce33d795dbf1d0814a0 2047 botan_2.9.0-1.dsc
bc5c1f7b46bb1b5a518dd41f15c9ebaee0c2b87e 7279226 botan_2.9.0.orig.tar.gz
44c439d2bfcb6345b9d2dad79c1154f6be8cecc7 5860 botan_2.9.0-1.debian.tar.xz
26d8e4fb15563d67d1e1662ea3f265a0af5a448f 4005992 botan-dbgsym_2.9.0-1_amd64.deb
add52c86a6f328696df0b82f9a619ea39ad7c739 10190 botan_2.9.0-1_amd64.buildinfo
b41afe6a152a831733c881e98a34cbb325b0dc34 196720 botan_2.9.0-1_amd64.deb
82eb01a1c2a74d65e3a4c380f4d6e6cfed4ac635 36546676 libbotan-2-9-dbgsym_2.9.0-1_amd64.deb
2fb92059b5502b48b34e2052a6eaca31ae2a5370 1556220 libbotan-2-9_2.9.0-1_amd64.deb
9a4025e7673f4c88ab6fc8259820cab56b0519cc 2362312 libbotan-2-dev_2.9.0-1_amd64.deb
68c66e745edcb8a76bafa769264031b5882eecee 409576 libbotan-2-doc_2.9.0-1_all.deb
05d658d6410fc82208610b50ba52d06eaea8f221 13052 python3-botan_2.9.0-1_amd64.deb
Checksums-Sha256:
a20ca628a11893daaae0eb80846d42c339708fb64936d4c434354500746f9a20 2047 botan_2.9.0-1.dsc
5cd344bf92e69caa60a5d9464b5743229a90e879afe9d72bb8f2f43d28c70b68 7279226 botan_2.9.0.orig.tar.gz
176c9a7610998e9263f29249f0a8bd0ff87fc4b9a05006162e1731617267a325 5860 botan_2.9.0-1.debian.tar.xz
3345ab5d22c4a5861cd1a3dcf3c6f3538b224f2bf95cc8190f1b593984c92020 4005992 botan-dbgsym_2.9.0-1_amd64.deb
6478eb3a4e54b9e17fd85e3a3a467e94f1fb835805fef83573a97f0abbd4c432 10190 botan_2.9.0-1_amd64.buildinfo
efcfe6ca55d00258461cdce70fe4dd5f3ce7c66346159bed59103c6524e73490 196720 botan_2.9.0-1_amd64.deb
270437088f04ea3eba93e24f3f1babdf88fc251c9744e7c3694bb113dfebc218 36546676 libbotan-2-9-dbgsym_2.9.0-1_amd64.deb
297359270fbf4585a61f51898107b9a690fae6824d8634c42d545e822e92566c 1556220 libbotan-2-9_2.9.0-1_amd64.deb
8cd7b659fe0a7f07db693a048cef18a0d6aa71c5380ab4645f659d364788d570 2362312 libbotan-2-dev_2.9.0-1_amd64.deb
97b340313ae6b3689c62dbbfb854590a54cb2162aba8debdf94313c85e050a08 409576 libbotan-2-doc_2.9.0-1_all.deb
5357256198fbe854be6ae46a5666e8a330c0316e6a9ce4e237b3263ffe675438 13052 python3-botan_2.9.0-1_amd64.deb
Files:
c20253c690efd6a9fae7f1efbde000a6 2047 libs optional botan_2.9.0-1.dsc
eeb121ef1a17352243449b9e62233e0e 7279226 libs optional botan_2.9.0.orig.tar.gz
c2b8c8e8b6895bd650fc322002613363 5860 libs optional botan_2.9.0-1.debian.tar.xz
b5cffa2ad19f4e5421178a0bdb071b11 4005992 debug optional botan-dbgsym_2.9.0-1_amd64.deb
1262439b5d40ccf7582b3db04305a8cc 10190 libs optional botan_2.9.0-1_amd64.buildinfo
ea36f46dee1c57bffd84766a6af5a558 196720 libdevel optional botan_2.9.0-1_amd64.deb
6a3a9d535213d1008afbeb1740761fbe 36546676 debug optional libbotan-2-9-dbgsym_2.9.0-1_amd64.deb
dbe8eba68f15f4540a6b76f3db1238b5 1556220 libs optional libbotan-2-9_2.9.0-1_amd64.deb
d3b1dd50a02c1d776b4d53d0737bb048 2362312 libdevel optional libbotan-2-dev_2.9.0-1_amd64.deb
2d6e6753081e8aa491bab66c0e1d0020 409576 doc optional libbotan-2-doc_2.9.0-1_all.deb
904bb00ee66cbad7c77a07ac5b300452 13052 python optional python3-botan_2.9.0-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlw6IqQACgkQ3OMQ54ZM
yL/7mw//dQwa35QXfmhEH9mR+76Qn0PyfDegjRZZqg037YKOb5ExLNPjB1bacGzc
Vqxf9IFBYvJ1m0vDYvSfcC4a+MANR/jjcmZDWIHcK3+FOeNq8aBshoeRQZpDNqij
GOqFXV6PhIIuKSlgNVfJ3FuDZFvSy3VdhzIiPjqVnlkjDaGnesSkC4FP5sFcXsEG
in6dqz8vUZ9eH2nJMTbcEWzolgoBNuISL/XIDEnW7ugU5Ur5jKR3143bRxrHD7N9
uqfUR5qWKk5HSW0u7i7McxJbchuTIwj1WB5UEuqScPzzJB8rzKX78qeHBhwhv+Kp
OAdvtTnitPeTGtHq88OZIdObQuHejfX05dN+RLXX112a3jrhDSDFgTLtrcP1HkRl
iW5OmNV/AyHwdNWUqBnYnAzrvwtsg30WRqW16x5FtG3PQFNoKpZEfWrA6p/FFA99
muA/AnvgOooF+X8yr9u664eHoPfBR9pjEQKEup34p/dRvgM0ROKHiUarLpPcPm/Q
ozRM8aMSFyXh6zWp6SL/CTv1fCBOoQB/MSBXAb+cMrUM9MtjtK+rvS7PNI8WNFQo
uV75a4TL6oNuCscwokGYb9ytkbcNnAeZl05U1kLMEYJHj3EgLpFethSTYXB0labx
2Fjx86s7FqzZjg6ubrKjicN/2TASxmD6s5ZJWw7829x+6gI3rs0=
=TPFw
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 10 Feb 2019 07:28:56 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:57:09 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon