| Summary: | botan2 new security issue rhbz#1849743 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | has_procedure mga7-64-ok | ||
| Source RPM: | botan2-2.9.0-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser 2020-07-14 23:22:12 CEST

David Walser 2020-07-14 23:22:37 CEST

Status comment: (none) => Patch available from Fedora

Advisory:
========================

Updated botan2 packages fix security vulnerability:

The CBC padding operations were not constant time and as a result would leak the length of the plaintext values which were being padded to an attacker running a side channel attack via shared resources such as cache or branch predictor. No information about the contents was leaked, but the length alone might be used to make inferences about the contents. This issue affects TLS CBC ciphersuites as well as CBC encryption using PKCS7 or other similar padding mechanisms. In all cases, the unpadding operations were already constant time and are not affected (rhbz#1849743).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1849743
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q5LBXWVOCUQCEGOOMVMLI4WVTQ5DT4RG/
========================

Updated packages in core/updates_testing:
========================
botan2-2.9.0-2.1.mga7
libbotan2-devel-2.9.0-2.1.mga7
libbotan2_9-2.9.0-2.1.mga7
botan2-doc-2.9.0-2.1.mga7
python3-botan2-2.9.0-2.1.mga7

from botan2-2.9.0-2.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues. No previous updates on this.
MCC says "Botan is a BSD-licensed crypto library".

```
# urpmq --whatrequires botan2
botan2
lib64botan2-devel
lib64botan2_9
```

Not much of a help.

```
# urpmq --whatrequires-recursive botan2
```

Lists then too many to choose from, things like okular, but then does one need an encrypted pdf. I'll keep looking for a while.

CC: (none) => herman.viaene

Found sample pdf in https://uwaterloo.ca/onbase/help/sample-pdf-documents, but

```
$ strace -o botan.txt okular samplesecured_256bitaes_pdf.pdf
```

showed nothing botan in the trace. Crying out of despair.

Want to borrow my hankie? Before updating I tried the secure and certified samples and saw exactly nothing in the traces, like you.

CC: (none) => tarazed25

Tested OK mga7 64

```
$ urpmf botan2 | grep /usr/bin/
botan2:/usr/bin/botan
$ botan --help
Usage: botan <cmd> <cmd-options>
All commands support --verbose --help --output= --error-output= --rng-type= --drbg-seed=
Available commands:
Encoders/Decoders:
  asn1print   Decode and print file with ASN.1 Basic Encoding Rules (BER)
  base64_dec  Decode Base64 encoded file
  base64_enc  Encode given file to Base64
  hex_dec     Hex decode a given file
  hex_enc     Hex encode a given file
...etc

$ echo "Test File" > test.txt
$ botan base64_enc test.txt > test64.txt
$ cat test64.txt
VGVzdCBGaWxlCg==
$ botan base64_dec test64.txt
Test File

$ python3
Python 3.7.6 (default, Jan 21 2020, 20:43:18)
[GCC 8.3.1 20190524] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import botan2
>>> tester = botan2.RandomNumberGenerator()
>>> tested = tester.get(10)
>>> print ("Random number is {}".format(tested))
Random number is b'\x0cE\x0bLF\xc8x\x86\xa2\x9d'
>>> quit()
```

Checked botan2-doc with..

```
$ lynx /usr/share/doc/botan-2.9.0/manual/index.html
```

Whiteboard: (none) => has_procedure mga7-64-ok

Claire! Good to see you here! Validating. Advisory in Comment 2.

Keywords: (none) => validated_update

Dave Hodgins 2020-07-31 10:54:33 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0308.html

Resolution: (none) => FIXED
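The padding weakness the advisory describes, shown as an added example that is neither Botan's code nor part of this bug report: a naive PKCS#7 pad whose work depends on the plaintext length, beside a mask-based variant written in the style of the upstream fix. The names `pkcs7_pad_naive`, `ct_mask_gte`, `pkcs7_pad_ct` and `padding_matches` are assumed here, and the input messages are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Naive PKCS#7 padding (constructed for this example): the loop runs pad_len
// times, so the iteration count and number of writes depend on plaintext_len
// mod block_size; a cache or branch-predictor side channel can observe that.
std::vector<uint8_t> pkcs7_pad_naive(std::vector<uint8_t> buf, size_t block_size) {
    const uint8_t pad_len = static_cast<uint8_t>(block_size - (buf.size() % block_size));
    for (size_t i = 0; i < pad_len; ++i)
        buf.push_back(pad_len);
    return buf;
}

// Branch-free mask: 0xFF when a >= b, else 0x00 (assumes a, b < 2^63).
static inline uint8_t ct_mask_gte(size_t a, size_t b) {
    const uint64_t borrow = (static_cast<uint64_t>(a) - static_cast<uint64_t>(b)) >> 63;
    return static_cast<uint8_t>(0 - (borrow ^ 1));
}

// Constant-time PKCS#7 padding in the style of the upstream fix: grow the
// buffer to a whole number of blocks, then visit every byte of the final block
// and select the existing byte or the pad value with a mask, so the loop
// count and memory-access pattern are identical for every plaintext length.
std::vector<uint8_t> pkcs7_pad_ct(std::vector<uint8_t> buf, size_t block_size) {
    const size_t last_byte_pos = buf.size() % block_size;   // plaintext bytes in final block
    const uint8_t pad_len = static_cast<uint8_t>(block_size - last_byte_pos);
    buf.resize(buf.size() + pad_len);                         // now a multiple of block_size
    const size_t start_of_last_block = buf.size() - block_size;
    const size_t start_of_padding = buf.size() - pad_len;
    for (size_t i = start_of_last_block; i != buf.size(); ++i) {
        const uint8_t m = ct_mask_gte(i, start_of_padding);   // 0xFF inside the pad region
        buf[i] = static_cast<uint8_t>((m & pad_len) | (~m & buf[i]));
    }
    return buf;
}

// Self-check: both routines yield the same well-formed PKCS#7 output for a
// message of msg_len bytes of 'a' (block-multiple length, trailing bytes all
// equal to the pad length).
bool padding_matches(size_t msg_len, size_t block_size) {
    const std::vector<uint8_t> msg(msg_len, 'a');
    const std::vector<uint8_t> a = pkcs7_pad_naive(msg, block_size);
    const std::vector<uint8_t> b = pkcs7_pad_ct(msg, block_size);
    if (a != b || a.size() % block_size != 0) return false;
    const uint8_t pad_len = a.back();
    if (pad_len == 0 || pad_len > block_size || a.size() != msg_len + pad_len) return false;
    for (size_t i = a.size() - pad_len; i < a.size(); ++i)
        if (a[i] != pad_len) return false;
    return true;
}
```

The two functions return identical bytes; the difference is only in how much work each does per plaintext length, which is the property a side channel observes.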