Source: botan X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for botan. CVE-2024-50383[0]: | Botan before 3.6.0, when certain GCC versions are used, has a | compiler-induced secret-dependent operation in lib/utils/donna128.h | in donna128 (used in Chacha-Poly1305 and x25519). An addition can be | skipped if a carry is not set. This was observed for GCC 11.3.0 with | -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be | affected.) https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-50383 https://www.cve.org/CVERecord?id=CVE-2024-50383 Please adjust the affected versions in the BTS as needed.
