From 775d045da9318fcf9db9dd5a5eadbe901434a2959c19fb738043f1364bc9f14c Mon Sep 17 00:00:00 2001 From: Philipp Thomas Date: Wed, 28 Dec 2016 12:34:03 +0000 Subject: [PATCH] - Update to 1.10.14 * Fix integer overflow during BER decoding, found by Falko Strenzke. This bug is not thought to be directly exploitable but upgrading ASAP is advised. (CVE-2016-9132) * Fix two cases where (in error situations) an exception would be thrown from a destructor, causing a call to std::terminate. * When RC4 is disabled in the build, also prevent it from being included in the OpenSSL provider. (GH #638) * Use constant time modular inverse algorithm to avoid possible side channel attack against ECDSA (CVE-2016-2849) * Use constant time PKCS #1 unpadding to avoid possible side channel attack against RSA decryption (CVE-2015-7827) * Avoid a compilation problem in OpenSSL engine when ECDSA was disabled. Gentoo bug 542010 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/Botan?expand=0&rev=62 --- Botan-1.10.13.tgz | 3 --- Botan-1.10.13.tgz.asc | 11 ----------- Botan-1.10.14.tgz | 3 +++ Botan-1.10.14.tgz.asc | 11 +++++++++++ Botan.changes | 21 ++++++++++++++++++--- Botan.spec | 2 +- dont-set-mach-value.diff | 14 +++++++++----- 7 files changed, 42 insertions(+), 23 deletions(-) delete mode 100644 Botan-1.10.13.tgz delete mode 100644 Botan-1.10.13.tgz.asc create mode 100644 Botan-1.10.14.tgz create mode 100644 Botan-1.10.14.tgz.asc
diff --git a/Botan-1.10.13.tgz b/Botan-1.10.13.tgz
deleted file mode 100644
index fe4dc3f..0000000
--- a/Botan-1.10.13.tgz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:23ec973d4b4a4fe04f490d409e08ac5638afe3aa09acd7f520daaff38ba19b90
-size 2710181
diff --git a/Botan-1.10.13.tgz.asc b/Botan-1.10.13.tgz.asc
deleted file mode 100644
index fe3982b..0000000
--- a/Botan-1.10.13.tgz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iQEcBAABCAAGBQJXIhwhAAoJEGIR6/Hvut+8crwH/jkm5Nr0xM+Sqmi11nS5lRcr
-iRw+qB5LxPPunmwQ1uoMe2B7ZowXNtu30bZD3D0dL5TY/ngXx91yvTznteqlXIry
-Qo3zfUlNc9EXFUpUniYi0ek+04Fyqy4sWI+gUrGjY6EWEI6lchacR9gt5R8NyOSl
-mTe5efp062O09vjwae4FwUdyOsCfxeMmNKZXIHxhjW17xCSg3b3gQKsyTPxuIyz/
-qDoaXetbfgcvc+mGx+SRNVbtG5LQi4+4asP6STAy9ZCvYBMh0EBrWelaxJv2lEXi
-oLcwbXBrdoFSosVbvIp46FxKwWFluAq2uvniCMvQ1VfYJVTyWglaiHNVlhhxY3M=
-=F/Hg
------END PGP SIGNATURE-----
diff --git a/Botan-1.10.14.tgz b/Botan-1.10.14.tgz
new file mode 100644
index 0000000..3dfd944
--- /dev/null
+++ b/Botan-1.10.14.tgz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:10ed0b394db165733ac9557d8656356b7e9744d38c61c2b9c44cba6d84ff4c1c
+size 2710757
diff --git a/Botan-1.10.14.tgz.asc b/Botan-1.10.14.tgz.asc
new file mode 100644
index 0000000..60b4cee
--- /dev/null
+++ b/Botan-1.10.14.tgz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEYh2vZBHhhRxM+aLhYhHr8e+637wFAlg8DKMACgkQYhHr8e+6
+37xl/gf+OoUkiVu7Mi+UvOozBoQ8k9KPrj+afhTPlSgpXJHLhrtm7k1JMyGFzYJf
+PwEUEI2POI5SQ6sEX++MhN09XYQDle3LWEwsgBmZh0aoIr+3aYHNKgH6U3FjLT6t
+B0gk7RWygEDbm8NGdxqWducHrFdLR/MVSuYjuX4zgOjR0Nr69pimdjAGc1r4KH/3
+EHrSnSFeMMWqfN0CShQg30gp00et4P7rWo4NLNXVigkVif0TvQ4dAVejWr8UWkKN
+OId+XTfngj7ynpQnkBfUZ7O9N+ybbaiLaKaEbn1xN5WwFIqYt8DeUcX3RjOT11eF
+XbMK5bJDzcpE2+crlXodw8B6KkqY7A==
+=e8ta
+-----END PGP SIGNATURE-----
diff --git a/Botan.changes b/Botan.changes
index c89cf1b..bff31e7 100644
--- a/Botan.changes
+++ b/Botan.changes
@@ -1,10 +1,25 @@ +------------------------------------------------------------------- +Wed Dec 28 12:02:11 CET 2016 - pth@suse.de + +- Update to 1.10.14 + * Fix integer overflow during BER decoding, found by Falko Strenzke. + This bug is not thought to be directly exploitable but upgrading ASAP + is advised. (CVE-2016-9132) + * Fix two cases where (in error situations) an exception would be + thrown from a destructor, causing a call to std::terminate. + * When RC4 is disabled in the build, also prevent it from being + included in the OpenSSL provider. (GH #638) + ------------------------------------------------------------------- Sun Nov 13 01:32:18 UTC 2016 - netsroth@opensuse.org - Update to 1.10.13 - * Use constant time modular inverse algorithm to avoid possible side channel attack against ECDSA (CVE-2016-2849) - * Use constant time PKCS #1 unpadding to avoid possible side channel attack against RSA decryption (CVE-2015-7827) - * Avoid a compilation problem in OpenSSL engine when ECDSA was disabled. Gentoo bug 542010 + * Use constant time modular inverse algorithm to avoid possible side + channel attack against ECDSA (CVE-2016-2849) + * Use constant time PKCS #1 unpadding to avoid possible side channel + attack against RSA decryption (CVE-2015-7827) + * Avoid a compilation problem in OpenSSL engine when ECDSA was + disabled. Gentoo bug 542010 ------------------------------------------------------------------- Fri May 13 07:31:21 UTC 2016 - faure@kde.org diff --git a/Botan.spec b/Botan.spec index ef0d1c4..77f7727 100644 --- a/Botan.spec +++ b/Botan.spec @@ -19,7 +19,7 @@ %define version_suffix 1_10-1 %define short_version 1.10 Name: Botan -Version: 1.10.13 +Version: 1.10.14 Release: 0 Summary: A C++ Crypto Library License: BSD-2-Clause diff --git a/dont-set-mach-value.diff b/dont-set-mach-value.diff index 7fca58f..258c975 100644 --- a/dont-set-mach-value.diff +++ b/dont-set-mach-value.diff 
@@ -1,8 +1,12 @@ -diff --git a/configure.py b/configure.py -index b606e06..f184939 100755 ---- a/configure.py -+++ b/configure.py -@@ -1135,7 +1135,7 @@ def create_template_vars(build_config, options, modules, cc, arch, osinfo): +--- + configure.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: Botan-1.10.14/configure.py +=================================================================== +--- Botan-1.10.14.orig/configure.py 2016-11-28 11:52:20.000000000 +0100 ++++ Botan-1.10.14/configure.py 2016-12-28 10:59:39.592584921 +0100 +@@ -1140,7 +1140,7 @@ def create_template_vars(build_config, o options.cpu, options.debug_build), 'lib_opt': cc.library_opt_flags(options),