Update to 1.10.12

The library changes from .so.0.9 to .so.1.12, needs a bump on devel/monotone (and probably all other dependencies).

As far as I can tell from <http://botan.randombit.net/security.html> upgrading from previous 1.10.9 to this release fixes the following:

CVE-2016-2195: Heap overflow on invalid ECC point
Introduced in 1.9.18, fixed in 1.10.11

CVE-2016-2194: Infinite loop in modular square root algorithm
Introduced in 1.7.15, fixed in 1.10.11

CVE-2015-5726: Crash in BER decoder
Introduced in 1.10.0, fixed in 1.10.10

CVE-2015-5727: Excess memory allocation in BER decoder
Introduced in 1.10.0, fixed in 1.10.10

I'll also add entries to the vuxml.

Created attachment 168780
patch against current portsnap

A commit references this bug:

Author: madpilot
Date: Thu Mar 31 08:01:09 UTC 2016
New revision: 412209
URL: https://svnweb.freebsd.org/changeset/ports/412209

Log:
  Document multiple Botan vulnerabilities.

  PR: 208393
  Submitted by: Lapo Luchini <lapo at lapo.it>
  Security: CVE-2015-5726
  Security: CVE-2015-5727
  Security: CVE-2016-2194
  Security: CVE-2016-2195

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: madpilot
Date: Thu Mar 31 08:09:26 UTC 2016
New revision: 412212
URL: https://svnweb.freebsd.org/changeset/ports/412212

Log:
  - Update botan110 to 1.10.12
  - Chase shlib version bump in dependent ports

  PR: 208393
  Submitted by: Lapo Luchini <lapo at lapo.it> (maintainer)
  Security: 2004616d-f66c-11e5-b94c-001999f8d30b
  Security: 4cd9b19f-f66d-11e5-b94c-001999f8d30b
  MFH: 2016Q1

Changes:
  head/devel/monotone/Makefile
  head/dns/bundy/Makefile
  head/dns/powerdns/Makefile
  head/security/botan110/Makefile
  head/security/botan110/distinfo
  head/security/softhsm/Makefile

Committed! Thanks.