svn commit: r416872 - head/security/vuxml

Jason Unovitch junovitch at FreeBSD.org
Tue Jun 14 01:48:38 UTC 2016 

Author: junovitch
Date: Tue Jun 14 01:48:36 2016
New Revision: 416872
URL: https://svnweb.freebsd.org/changeset/ports/416872

Log:
  Document multiple issues in Botan
  
  PR:		209595
  Reported by:	Sevan Janiyan <venture37 at geeklan.co.uk>
  Security:	CVE-2015-7827
  Security:	CVE-2016-2849
  Security:	https://vuxml.FreeBSD.org/freebsd/ac0900df-31d0-11e6-8e82-002590263bf5.html
  Security:	CVE-2014-9742
  Security:	https://vuxml.FreeBSD.org/freebsd/f771880c-31cf-11e6-8e82-002590263bf5.html

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Jun 14 01:30:38 2016	(r416871)
+++ head/security/vuxml/vuln.xml	Tue Jun 14 01:48:36 2016	(r416872)
@@ -58,6 +58,63 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="ac0900df-31d0-11e6-8e82-002590263bf5">
+    <topic>botan -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>botan110</name>
+	<range><lt>1.10.13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Jack Lloyd reports:</p>
+	<blockquote cite="https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html">
+	  <p>Botan 1.10.13 has been released backporting some side channel
+	    protections for ECDSA signatures (CVE-2016-2849) and PKCS #1 RSA
+	    decryption (CVE-2015-7827).</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-2849</cvename>
+      <cvename>CVE-2015-7827</cvename>
+      <url>https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html</url>
+    </references>
+    <dates>
+      <discovery>2016-04-28</discovery>
+      <entry>2016-06-14</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="f771880c-31cf-11e6-8e82-002590263bf5">
+    <topic>botan -- cryptographic vulnerability</topic>
+    <affects>
+      <package>
+	<name>botan110</name>
+	<range><lt>1.10.8</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>MITRE reports:</p>
+	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9742">
+	  <p>The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x
+	    before 1.11.9 improperly uses a single random base, which makes it
+	    easier for remote attackers to defeat cryptographic protection
+	    mechanisms via a DH group.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-9742</cvename>
+    </references>
+    <dates>
+      <discovery>2014-04-11</discovery>
+      <entry>2016-06-14</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="6d402857-2fba-11e6-9f31-5404a68ad561">
     <topic>VLC -- Possibly remote code execution via crafted file</topic>
     <affects>

More information about the svn-ports-all mailing list