Bug 208393 - [MAINTAINER] security/botan110: update to 1.10.12
Summary: [MAINTAINER] security/botan110: update to 1.10.12
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Guido Falsi
Reported: 2016-03-30 10:27 UTC by Lapo Luchini
Modified: 2016-03-31 08:10 UTC
Attachments
patch against current portsnap (2.01 KB, patch)
2016-03-30 11:32 UTC, Lapo Luchini
Description Lapo Luchini 2016-03-30 10:27:02 UTC
Update to 1.10.12

The library changes from .so.0.9 to .so.1.12, which needs a bump on devel/monotone (and probably all other dependencies).

As far as I can tell from <http://botan.randombit.net/security.html> upgrading from previous 1.10.9 to this release fixes the following:

CVE-2016-2195: Heap overflow on invalid ECC point
    Introduced in 1.9.18, fixed in 1.10.11
CVE-2016-2194: Infinite loop in modular square root algorithm
    Introduced in 1.7.15, fixed in 1.10.11
CVE-2015-5726: Crash in BER decoder
    Introduced in 1.10.0, fixed in 1.10.10
CVE-2015-5727: Excess memory allocation in BER decoder
    Introduced in 1.10.0, fixed in 1.10.10
Comment 1 Guido Falsi freebsd_committer freebsd_triage 2016-03-30 10:46:05 UTC
I'll also add entries to the vuxml.
Comment 2 Lapo Luchini 2016-03-30 11:32:39 UTC
Created attachment 168780 [details]
patch against current portsnap
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-03-31 08:02:03 UTC
A commit references this bug:

Author: madpilot
Date: Thu Mar 31 08:01:09 UTC 2016
New revision: 412209
URL: https://svnweb.freebsd.org/changeset/ports/412209

Log:
  Document multiple Botan vulnerabilities.

  PR:		208393
  Submitted by:	Lapo Luchini <lapo at lapo.it>
  Security:	CVE-2015-5726
  Security:	CVE-2015-5727
  Security:	CVE-2016-2194
  Security:	CVE-2016-2195

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-03-31 08:10:05 UTC
A commit references this bug:

Author: madpilot
Date: Thu Mar 31 08:09:26 UTC 2016
New revision: 412212
URL: https://svnweb.freebsd.org/changeset/ports/412212

Log:
  - Update botan110 to 1.10.12
  - Chase shlib version bump in dependent ports

  PR:		208393
  Submitted by:	Lapo Luchini <lapo at lapo.it> (maintainer)
  Security:	2004616d-f66c-11e5-b94c-001999f8d30b
  Security:	4cd9b19f-f66d-11e5-b94c-001999f8d30b
  MFH:		2016Q1

Changes:
  head/devel/monotone/Makefile
  head/dns/bundy/Makefile
  head/dns/powerdns/Makefile
  head/security/botan110/Makefile
  head/security/botan110/distinfo
  head/security/softhsm/Makefile
Comment 5 Guido Falsi freebsd_committer freebsd_triage 2016-03-31 08:10:15 UTC
Committed! Thanks.