Source: botan
Version: 2.6.0-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/randombit/botan/pull/1604

Hi,

The following vulnerability was published for botan.

CVE-2018-12435[0]:
| Botan 2.5.0 through 2.6.0 allows a memory-cache side-channel attack on
| ECDSA signatures, aka the Return Of the Hidden Number Problem or
| ROHNP, related to dsa/dsa.cpp, ec_group/ec_group.cpp, and
| ecdsa/ecdsa.cpp. To discover an ECDSA key, the attacker needs access
| to either the local machine or a different virtual machine on the same
| physical host.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12435
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12435
[1] https://github.com/randombit/botan/pull/1604
[2] https://github.com/randombit/botan/pull/1604/commits/48fc8df51d99f9d8ba251219367b3d629cc848e3

Please adjust the affected versions in the BTS as needed.

Please note that the CVE for libgcrypt was initially reused, but the
one above, used here, is the right one.

Regards,
Salvatore
