
Mageia alert MGASA-2017-0321 (botan)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2017-0321: Updated botan packages fix security vulnerabilities
Date:  Fri, 1 Sep 2017 23:11:09 +0200
Message-ID:  <20170901211109.202A69F872@duvel.mageia.org>

MGASA-2017-0321 - Updated botan packages fix security vulnerabilities

Publication date: 01 Sep 2017
URL: http://advisories.mageia.org/MGASA-2017-0321.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-9132, CVE-2017-2801

Description:
While decoding BER length fields, an integer overflow could occur. This could occur while parsing untrusted inputs such as X.509 certificates. The overflow does not seem to lead to any obviously exploitable condition, but exploitation cannot be positively ruled out. Only 32-bit platforms are likely affected; to cause an overflow on 64-bit the parsed data would have to be many gigabytes (CVE-2016-9132).

Aleksandar Nikolic discovered that an error in the x509 parser of the Botan crypto library could result in an out-of-bounds memory read, resulting in denial of service or an information leak if processing a malformed certificate (CVE-2017-2801).

References:
- https://bugs.mageia.org/show_bug.cgi?id=20014
- https://botan.randombit.net/security.html
- https://lists.fedoraproject.org/archives/list/package-ann...
- https://www.debian.org/security/2017/dsa-3939
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9132
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2801

SRPMS:
- 5/core/botan-1.10.14-1.mga5
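The overflow class described for CVE-2016-9132, shown as an added example that is not Botan's code or its patch: a BER definite-length decoder in C with an unchecked accumulator beside a checked one. It assumes `uint32_t` as a stand-in for a 32-bit `size_t`; all function names, error codes and byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { BER_OK = 0, BER_TRUNCATED = -1, BER_INDEFINITE = -2,
       BER_OVERFLOW = -3, BER_EXCEEDS_INPUT = -4 };

/* Constructed inputs; the tag octet is omitted, each starts at the length. */
const uint8_t LONG_FORM[] = { 0x82, 0x00, 0x02, 'h', 'i' };
/* Five length octets 01 00 00 00 05: the true value needs 33 bits. */
const uint8_t WRAPPING[]  = { 0x85, 0x01, 0, 0, 0, 0x05, 1, 2, 3, 4, 5 };
const uint8_t OVERLONG[]  = { 0x81, 0x7F, 0x00 };

/* Unchecked accumulation, for contrast: high bits are silently shifted out. */
uint32_t ber_length_unchecked(const uint8_t *octets, size_t n)
{
    uint32_t len = 0;
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | octets[i];
    return len;
}

/* Checked decoder. On success stores the content length in *len and the
 * offset of the first content octet in *content_off. */
int ber_decode_length(const uint8_t *buf, size_t buf_len,
                      uint32_t *len, size_t *content_off)
{
    size_t pos = 0;
    if (buf_len == 0) return BER_TRUNCATED;
    uint8_t first = buf[pos++];
    uint32_t value = first;                  /* short form: 0..127 */
    if (first & 0x80) {                      /* long form: low 7 bits = octet count */
        size_t n = first & 0x7F;
        value = 0;
        if (n == 0) return BER_INDEFINITE;   /* not a definite length */
        if (n > buf_len - pos) return BER_TRUNCATED;
        for (size_t i = 0; i < n; i++) {
            if (value > (UINT32_MAX >> 8)) return BER_OVERFLOW;
            value = (value << 8) | buf[pos++];
        }
    }
    /* Compare against what remains; pos + value could itself wrap. */
    if (value > buf_len - pos) return BER_EXCEEDS_INPUT;
    *len = value; *content_off = pos;
    return BER_OK;
}

int main(void) {
    uint32_t len = 0; size_t off = 0;
    printf("unchecked=%u checked=%d\n", (unsigned)ber_length_unchecked(WRAPPING + 1, 5),
           ber_decode_length(WRAPPING, sizeof WRAPPING, &len, &off)); return 0; }
```

With the unchecked accumulator the 33-bit length wraps to 5, which happens to match the five octets that follow, so a later bounds check would pass on a value the encoding never stated.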




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds