[1/1] package/botan: security bump to version 3.3.0

Message ID 20240407170936.2788174-1-fontaine.fabrice@gmail.com
State Accepted

Commit Message

Fabrice Fontaine April 7, 2024, 5:09 p.m. UTC
- Fix a potential denial of service caused by accepting arbitrary
  length primes as potential elliptic curve parameters in ASN.1
  encodings. With very large inputs the primality verification
  can become computationally expensive. Now any prime field larger
  than 1024 bits is rejected immediately.

https://botan.randombit.net/news.html#version-3-3-0-2024-02-20

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/botan/botan.hash | 2 +-
 package/botan/botan.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Arnout Vandecappelle April 7, 2024, 7:45 p.m. UTC | #1
On 07/04/2024 19:09, Fabrice Fontaine wrote:
> - Fix a potential denial of service caused by accepting arbitrary
>    length primes as potential elliptic curve parameters in ASN.1
>    encodings. With very large inputs the primality verification
>    can become computationally expensive. Now any prime field larger
>    than 1024 bits is rejected immediately.
> 
> https://botan.randombit.net/news.html#version-3-3-0-2024-02-20
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
>   package/botan/botan.hash | 2 +-
>   package/botan/botan.mk   | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/botan/botan.hash b/package/botan/botan.hash
> index 840191aa4b..37e00ea9cc 100644
> --- a/package/botan/botan.hash
> +++ b/package/botan/botan.hash
> @@ -1,4 +1,4 @@
>   # From https://botan.randombit.net/releases/sha256sums.txt
> -sha256  049c847835fcf6ef3a9e206b33de05dd38999c325e247482772a5598d9e5ece3  Botan-3.2.0.tar.xz
> +sha256  368f11f426f1205aedb9e9e32368a16535dc11bd60351066e6f6664ec36b85b9  Botan-3.3.0.tar.xz
>   # Locally computed
>   sha256  1833cde7c7cc03296b1ef2ddc178b1cd7fd1c476840f32cf6aedb09ab0bc9004  license.txt
> diff --git a/package/botan/botan.mk b/package/botan/botan.mk
> index 95352ea41b..e0bd258f57 100644
> --- a/package/botan/botan.mk
> +++ b/package/botan/botan.mk
> @@ -4,7 +4,7 @@
>   #
>   ################################################################################
>   
> -BOTAN_VERSION = 3.2.0
> +BOTAN_VERSION = 3.3.0
>   BOTAN_SOURCE = Botan-$(BOTAN_VERSION).tar.xz
>   BOTAN_SITE = http://botan.randombit.net/releases
>   BOTAN_LICENSE = BSD-2-Clause

Patch

diff --git a/package/botan/botan.hash b/package/botan/botan.hash
index 840191aa4b..37e00ea9cc 100644
--- a/package/botan/botan.hash
+++ b/package/botan/botan.hash
@@ -1,4 +1,4 @@ 
 # From https://botan.randombit.net/releases/sha256sums.txt
-sha256  049c847835fcf6ef3a9e206b33de05dd38999c325e247482772a5598d9e5ece3  Botan-3.2.0.tar.xz
+sha256  368f11f426f1205aedb9e9e32368a16535dc11bd60351066e6f6664ec36b85b9  Botan-3.3.0.tar.xz
 # Locally computed
 sha256  1833cde7c7cc03296b1ef2ddc178b1cd7fd1c476840f32cf6aedb09ab0bc9004  license.txt
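Review bot: The new Botan-3.3.0.tar.xz hash is sourced from sha256sums.txt on botan.randombit.net, the same host the tarball is fetched from, so it pins the download to what that site served at bump time but does not independently authenticate the release. If upstream publishes a detached signature for the tarball, verify against it before recording the hash and note that in the comment above the sha256 line. The license.txt hash is unchanged, which is consistent with the license text being identical between 3.2.0 and 3.3.0.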
diff --git a/package/botan/botan.mk b/package/botan/botan.mk
index 95352ea41b..e0bd258f57 100644
--- a/package/botan/botan.mk
+++ b/package/botan/botan.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-BOTAN_VERSION = 3.2.0
+BOTAN_VERSION = 3.3.0
 BOTAN_SOURCE = Botan-$(BOTAN_VERSION).tar.xz
 BOTAN_SITE = http://botan.randombit.net/releases
 BOTAN_LICENSE = BSD-2-Clause
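Review bot: BOTAN_SITE, in the context line two below the version change, still points at http://botan.randombit.net/releases, while the comment in botan.hash cites the same host over https. The sha256 check will catch a tampered tarball, but since this is a security bump it would be a good moment to switch BOTAN_SITE to https:// so the download is not fetched in cleartext. The commit message also names no CVE; if one has been assigned to the ASN.1 prime-size fix, cite it there so vulnerability tracking can match the bump.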