Bug#701817: unblock: botan1.10/1.10.4-1





On Fri, Mar 15, 2013 at 9:43 PM, Jonathan Wiltshire <jmw@debian.org> wrote:
> Control: tag -1 moreinfo
>
> Hi Ondřej,
>
> On Wed, Feb 27, 2013 at 02:52:52PM +0100, Ondřej Surý wrote:
> > Please unblock package botan1.10
> >
> > Hi,
> >
> > I would like to pre-mediate the inclusion of 1.10.4 (e.g. new upstream version).
> >
> > The patch is very small and fixes three issues.  Upstream changelog:
>
> What is the impact and severity of these issues? I don't have enough
> knowledge of the package to assess this from the upstream release notes,
> and the BTS is lacking any clues.

Not sure if this helps, but Jack Lloyd (upstream author) replied:

> In botan, for RSA, blinding is used by default so a timing channel
> would be at least relatively difficult to exploit there, and ECDSA
> uses Montgomery representation natively and never uses the affected
> codepaths. The fixed windows used in the modular exponentiation (3 to 5
> bits) also greatly reduce the information gained. I would assess that
> DSA signers, especially ones that were willing to sign many attacker
> controlled inputs, are at substantial risk, as recovering only a few
> bits of k over many signatures can allow full recovery of the key in
> that algorithm.

But I would say that I am not going to risk the release and I will push this update through p-s-u after we release.  Do you agree?

O.
--
Ondřej Surý <ondrej@sury.org>
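
The RSA blinding mentioned in the quoted upstream reply, as an added example that is not part of the original thread and is not Botan's code: it shows why the value reaching the secret-exponent exponentiation is decorrelated from the caller's input. The toy key and all function names are assumptions made for illustration.

```python
# Added illustration (not Botan code): RSA base blinding with a constructed toy key.
# All names below are hypothetical and exist only for this example.
import math
import secrets

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def private_op_unblinded(c):
    """Plain c^D mod N. The value exponentiated is exactly the caller's input,
    so any input-dependent timing can be correlated with chosen inputs."""
    return pow(c, D, N), c


def private_op_blinded(c, rng=secrets):
    """c^D mod N computed on a randomized input.

    Returns (result, value actually exponentiated) so the effect is visible.
    """
    while True:
        r = rng.randbelow(N - 2) + 2        # fresh r in [2, N-1] per call
        if math.gcd(r, N) == 1:             # r must be invertible mod N
            break
    blinded = (c * pow(r, E, N)) % N        # c * r^E
    y = pow(blinded, D, N)                  # (c * r^E)^D = c^D * r  (mod N)
    result = (y * pow(r, -1, N)) % N        # strip the blinding factor
    return result, blinded


def exponentiated_inputs(c, trials=5):
    """Distinct values the secret-exponent step sees for one repeated input c."""
    return {private_op_blinded(c)[1] for _ in range(trials)}


if __name__ == "__main__":
    c = pow(42, E, N)                       # constructed caller-chosen input
    print("unblinded:", private_op_unblinded(c))
    print("blinded:  ", private_op_blinded(c))
    print("distinct exponentiation inputs:", len(exponentiated_inputs(c)))
```

Blinding randomizes the base only; the secret exponent, and therefore a per-signature DSA nonce used as an exponent, is not hidden by this technique.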

