openSUSE-SU-2024:0343-1

Published: 30 Oct 2024
Source: suse-cvrf

Description

Security update for Botan

This update for Botan fixes the following issues:

  • Fixed CVE-2024-50382, CVE-2024-50383 - various compiler-induced side channels in GHASH when certain LLVM/GCC versions are used to compile Botan.

Package list

SUSE Package Hub 15 SP5
Botan-2.19.5-bp156.3.6.1
Botan-doc-2.19.5-bp156.3.6.1
libbotan-2-19-2.19.5-bp156.3.6.1
libbotan-2-19-32bit-2.19.5-bp156.3.6.1
libbotan-2-19-64bit-2.19.5-bp156.3.6.1
libbotan-devel-2.19.5-bp156.3.6.1
libbotan-devel-32bit-2.19.5-bp156.3.6.1
libbotan-devel-64bit-2.19.5-bp156.3.6.1
python3-botan-2.19.5-bp156.3.6.1
SUSE Package Hub 15 SP6
Botan-2.19.5-bp156.3.6.1
Botan-doc-2.19.5-bp156.3.6.1
libbotan-2-19-2.19.5-bp156.3.6.1
libbotan-2-19-32bit-2.19.5-bp156.3.6.1
libbotan-2-19-64bit-2.19.5-bp156.3.6.1
libbotan-devel-2.19.5-bp156.3.6.1
libbotan-devel-32bit-2.19.5-bp156.3.6.1
libbotan-devel-64bit-2.19.5-bp156.3.6.1
python3-botan-2.19.5-bp156.3.6.1
openSUSE Leap 15.5
Botan-2.19.5-bp156.3.6.1
Botan-doc-2.19.5-bp156.3.6.1
libbotan-2-19-2.19.5-bp156.3.6.1
libbotan-2-19-32bit-2.19.5-bp156.3.6.1
libbotan-2-19-64bit-2.19.5-bp156.3.6.1
libbotan-devel-2.19.5-bp156.3.6.1
libbotan-devel-32bit-2.19.5-bp156.3.6.1
libbotan-devel-64bit-2.19.5-bp156.3.6.1
python3-botan-2.19.5-bp156.3.6.1
openSUSE Leap 15.6
Botan-2.19.5-bp156.3.6.1
Botan-doc-2.19.5-bp156.3.6.1
libbotan-2-19-2.19.5-bp156.3.6.1
libbotan-2-19-32bit-2.19.5-bp156.3.6.1
libbotan-2-19-64bit-2.19.5-bp156.3.6.1
libbotan-devel-2.19.5-bp156.3.6.1
libbotan-devel-32bit-2.19.5-bp156.3.6.1
libbotan-devel-64bit-2.19.5-bp156.3.6.1
python3-botan-2.19.5-bp156.3.6.1

Description

Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V.


Affected products
SUSE Package Hub 15 SP5:Botan-2.19.5-bp156.3.6.1
SUSE Package Hub 15 SP5:Botan-doc-2.19.5-bp156.3.6.1
SUSE Package Hub 15 SP5:libbotan-2-19-2.19.5-bp156.3.6.1
SUSE Package Hub 15 SP5:libbotan-2-19-32bit-2.19.5-bp156.3.6.1

References

Description

Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.)


Affected products
SUSE Package Hub 15 SP5:Botan-2.19.5-bp156.3.6.1
SUSE Package Hub 15 SP5:Botan-doc-2.19.5-bp156.3.6.1
SUSE Package Hub 15 SP5:libbotan-2-19-2.19.5-bp156.3.6.1
SUSE Package Hub 15 SP5:libbotan-2-19-32bit-2.19.5-bp156.3.6.1

References