Accepting request 357517 from home:stroeder:branches:devel:libraries:c_c++

update to 1.10.12 (somewhat a security update) OBS-URL: https://build.opensuse.org/request/show/357517 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/Botan?expand=0&rev=56
2016-02-03 12:16:12 +00:00
parent 47190eff56
commit d9be67b223
6 changed files with 35 additions and 15 deletions
--- a/Botan-1.10.10.tgz
+++ b/Botan-1.10.10.tgz
--- a/Botan-1.10.10.tgz.asc
+++ b/Botan-1.10.10.tgz.asc
@@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iQEcBAABCgAGBQJVvvClAAoJEGIR6/Hvut+8DnIH/j5EW84EEcBKETvBQJqoPJt7
-Gsq4GKHDo75gBnWn2a2WGbbFIRuwjW4rpbUxxn6Nxazr87Hvg/RpRmd03/VYNvDO
-jai2oetGAbaV4e9kzSMI96jN6k3vpjtUqeY851PXnZxaILrx1iBqwppjVOZfIbNF
-hxzNgDgd1lA/dgfsh/BGr3MWDihNOxpICAbxmnXJU8bjiNT3RqebyOmins/Q6eVr
-Tl6D2CxeYV1QlxOOnd93PJW6RAJtgzw4kjUWIHB74DxhjtB06XV8jHQxlTRCEC/Q
-QDy2WlymjDQapyW6OzB0nRYCKtJQyQiZVCk4cIBq/8X3M4vjk7jErwqKvNPGcCU=
-=s4gl
-----END PGP SIGNATURE-----
--- a/Botan-1.10.12.tgz
+++ b/Botan-1.10.12.tgz
--- a/Botan-1.10.12.tgz.asc
+++ b/Botan-1.10.12.tgz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQEcBAABCAAGBQJWsbSyAAoJEGIR6/Hvut+8yZ8IAKZkFvG/j+nmWQPaoU0FKAJY
+q37r0gIOSkZ+K4Q3k8Gc5uEmVcobP52JlDJZeG6yYERwJdN1aO/LcUpqxDvF8SNk
+qrfsgItJ06SW+jLI9xS7abQGoVmfBEC5EcmqlPLLyJ4mPTR3XDDn6ITyN1i40Byr
+rVMdm0dOwPiFrVJNlSjEnv/sQEPf6nrXAhu6vhGsWk1u6BbZRhVTk+0QAI0Dz950
+MpRmIzEZAIAgvZpYGvvnULzfnNVwPswxw321Cp0JH368/sJjX2Mkp8yJ1wypGaMT
+3gqkhGsyNqQjKjv9DmE04N/l+P7SIMBGn4+BOS0sfEXhxdpRMrezoNx/E2rJ5AU=
+=tUsf
+-----END PGP SIGNATURE-----
--- a/Botan.changes
+++ b/Botan.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Feb  3 10:52:19 UTC 2016 - michael@stroeder.com
+
+- Update to 1.10.12
+
+- Version 1.10.12, 2016-02-03
+  * In 1.10.11, the check in PointGFp intended to check the affine y 
+    argument actually checked the affine x again. Reported by Remi Gacogne
+  * The CVE-2016-2195 overflow is not exploitable in 1.10.11 due to an 
+    additional check in the multiplication function itself which was also 
+    added in that release, so there are no security implications from the 
+    missed check. However to avoid confusion the change was pushed in a new 
+    release immediately.
+  * The 1.10.11 release notes incorrectly identified CVE-2016-2195 as 
+    CVE-2016-2915
+- Version 1.10.11, 2016-02-01
+  * Resolve heap overflow in ECC point decoding. CVE-2016-2195
+    Resolve infinite loop in modular square root algorithm. CVE-2016-2194
+    Correct BigInt::to_u32bit to not fail on integers of exactly 32 bits. GH #239
+
 -------------------------------------------------------------------
 Thu Dec 24 10:48:11 UTC 2015 - mpluskal@suse.com

--- a/Botan.spec
+++ b/Botan.spec
@@ -19,7 +19,7 @@
 %define version_suffix 1_10-1
 %define short_version 1.10
 Name:           Botan
-Version:        1.10.10
+Version:        1.10.12
 Release:        0
 Summary:        A C++ Crypto Library
 License:        BSD-2-Clause