{
  "schema_version": "1.7.0",
  "id": "MGASA-2020-0308",
  "published": "2020-07-31T23:25:42Z",
  "modified": "2020-07-31T22:43:42Z",
  "summary": "Updated botan2 packages fix security vulnerability",
  "details": "The CBC padding operations were not constant time and as a result would leak\nthe length of the plaintext values which were being padded to an attacker\nrunning a side channel attack via shared resources such as cache or branch\npredictor. No information about the contents was leaked, but the length alone\nmight be used to make inferences about the contents. This issue affects TLS CBC\nciphersuites as well as CBC encryption using PKCS7 or other similar padding\nmechanisms. In all cases, the unpadding operations were already constant time\nand are not affected (rhbz#1849743).\n",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2020-0308.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=26955"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1849743"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q5LBXWVOCUQCEGOOMVMLI4WVTQ5DT4RG/"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:7",
        "name": "botan2",
        "purl": "pkg:rpm/mageia/botan2?arch=source&distro=mageia-7"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.0-2.1.mga7"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}