Advisories » MGASA-2020-0308

Updated botan2 packages fix security vulnerability

Publication date: 31 Jul 2020
Modification date: 31 Jul 2020
Type: security
Affected Mageia releases : 7

Description

The CBC padding operations were not constant time and as a result would leak
the length of the plaintext values which were being padded to an attacker
running a side channel attack via shared resources such as cache or branch
predictor. No information about the contents was leaked, but the length alone
might be used to make inferences about the contents. This issue affects TLS CBC
ciphersuites as well as CBC encryption using PKCS7 or other similar padding
mechanisms. In all cases, the unpadding operations were already constant time
and are not affected (rhbz#1849743).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26955
• https://bugzilla.redhat.com/show_bug.cgi?id=1849743
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q5LBXWVOCUQCEGOOMVMLI4WVTQ5DT4RG/

SRPMS

7/core

• botan2-2.9.0-2.1.mga7