Fedora has issued advisories today (July 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JFS2KG5HY4DHGOMBNMESN4XRXKCKA2V3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q5LBXWVOCUQCEGOOMVMLI4WVTQ5DT4RG/

The issue is fixed upstream in 2.14.0 and Fedora backported the patch.
Status comment: (none) => Patch available from Fedora
Done for mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated botan2 packages fix security vulnerability:

The CBC padding operations were not constant time and as a result would leak the length of the plaintext values which were being padded to an attacker running a side channel attack via shared resources such as cache or branch predictor. No information about the contents was leaked, but the length alone might be used to make inferences about the contents. This issue affects TLS CBC ciphersuites as well as CBC encryption using PKCS7 or other similar padding mechanisms. In all cases, the unpadding operations were already constant time and are not affected (rhbz#1849743).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1849743
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q5LBXWVOCUQCEGOOMVMLI4WVTQ5DT4RG/
========================

Updated packages in core/updates_testing:
========================
botan2-2.9.0-2.1.mga7
libbotan2-devel-2.9.0-2.1.mga7
libbotan2_9-2.9.0-2.1.mga7
botan2-doc-2.9.0-2.1.mga7
python3-botan2-2.9.0-2.1.mga7

from botan2-2.9.0-2.1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
Status comment: Patch available from Fedora => (none)
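Added example (not part of this bug report and not Botan's code): a C++ illustration of the padding behaviour the advisory above describes, with a PKCS7 pad whose work depends on the plaintext length next to one that touches the whole final block every time. The function names are hypothetical, the returned step count is a stand-in for what a timing or cache observer measures, and `used` (message bytes in the final block) is assumed to be less than the block size.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// All-ones if a < b, else zero, computed without a branch.
// Valid while both values are far below 2^(bits-1), which block offsets are.
static inline size_t ct_lt_mask(size_t a, size_t b) {
    return static_cast<size_t>(0) - ((a - b) >> (sizeof(size_t) * 8 - 1));
}

// Variable time: the loop runs once per padding byte, so its trip count
// (returned here as a stand-in for measurable time) reveals the secret `used`.
size_t pad_variable_time(uint8_t* block, size_t used, size_t bs) {
    const uint8_t pad = static_cast<uint8_t>(bs - used);
    size_t steps = 0;
    for (size_t i = used; i < bs; ++i, ++steps) block[i] = pad;
    return steps;
}

// Constant time: every byte of the block is rewritten on every call; a mask
// selects between the existing message byte and the padding value.
size_t pad_constant_time(uint8_t* block, size_t used, size_t bs) {
    const uint8_t pad = static_cast<uint8_t>(bs - used);
    size_t steps = 0;
    for (size_t i = 0; i < bs; ++i, ++steps) {
        const uint8_t keep = static_cast<uint8_t>(ct_lt_mask(i, used)); // 0xFF for message bytes
        block[i] = static_cast<uint8_t>((block[i] & keep) | (pad & ~keep));
    }
    return steps;
}

// Both routines must produce identical PKCS#7 output for every possible length.
bool outputs_match(size_t bs) {
    for (size_t used = 0; used < bs; ++used) {
        std::vector<uint8_t> a(bs), b(bs);
        for (size_t i = 0; i < bs; ++i) a[i] = b[i] = static_cast<uint8_t>(0xA0 + i); // constructed bytes
        pad_variable_time(a.data(), used, bs);
        pad_constant_time(b.data(), used, bs);
        if (a != b) return false;
    }
    return true;
}

int main() {
    uint8_t blk[16] = {0};
    for (size_t used : {1u, 9u, 15u})
        std::printf("used=%zu variable=%zu constant=%zu\n", used,
                    pad_variable_time(blk, used, 16), pad_constant_time(blk, used, 16));
    std::printf("outputs match: %s\n", outputs_match(16) ? "yes" : "no");
    return 0;
}
```

Compilers can turn mask arithmetic back into branches, so constant-time code of this kind is also checked at the level of the generated instructions.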
MGA7-64 Plasma on Lenovo B50
No installation issues
No previous updates on this.
MCC says "Botan is a BSD-licensed crypto library".
# urpmq --whatrequires botan2
botan2
lib64botan2-devel
lib64botan2_9
Not much of a help
# urpmq --whatrequires-recursive botan2
Lists then too many to choose from, things like okular, but then does one need an encrypted pdf. I'll keep looking for a while.
CC: (none) => herman.viaene
Found sample pdf in https://uwaterloo.ca/onbase/help/sample-pdf-documents, but
$ strace -o botan.txt okular samplesecured_256bitaes_pdf.pdf
showed nothing botan in the trace. Crying out of despair.
Want to borrow my hankie? Before updating I tried the secure and certified samples and saw exactly nothing in the traces, like you.
CC: (none) => tarazed25
Tested OK mga7 64

$ urpmf botan2 | grep /usr/bin/
botan2:/usr/bin/botan

$ botan --help
Usage: botan <cmd> <cmd-options>
All commands support --verbose --help --output= --error-output= --rng-type= --drbg-seed=

Available commands:

Encoders/Decoders:
   asn1print Decode and print file with ASN.1 Basic Encoding Rules (BER)
   base64_dec Decode Base64 encoded file
   base64_enc Encode given file to Base64
   hex_dec Hex decode a given file
   hex_enc Hex encode a given file
...etc

$ echo "Test File" > test.txt
$ botan base64_enc test.txt > test64.txt
$ cat test64.txt
VGVzdCBGaWxlCg==
$ botan base64_dec test64.txt
Test File

$ python3
Python 3.7.6 (default, Jan 21 2020, 20:43:18)
[GCC 8.3.1 20190524] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import botan2
>>> tester = botan2.RandomNumberGenerator()
>>> tested = tester.get(10)
>>> print ("Random number is {}".format(tested))
Random number is b'\x0cE\x0bLF\xc8x\x86\xa2\x9d'
>>> quit()

Checked botan2-doc with..
$ lynx /usr/share/doc/botan-2.9.0/manual/index.html
Whiteboard: (none) => has_procedure mga7-64-ok
Claire! Good to see you here! Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0308.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED