Advisories ยป MGASA-2016-0208

Updated botan packages fix security vulnerabilities

Publication date: 29 May 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-7827 , CVE-2016-2849

Description

Updated botan packages fix security vulnerabilities:

During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was
input dependent. If these differences could be measured by an attacker,
it could be used to mount a Bleichenbacher million-message attack
(CVE-2015-7827).

ECDSA (and DSA) signature algorithms perform a modular inverse on the
signature nonce k. The modular inverse algorithm used had input dependent
loops, and it is possible a side channel attack could recover sufficient
information about the nonce to eventually recover the ECDSA secret key
(CVE-2016-2849).
                

References

SRPMS

5/core