SB2017081302 - Fedora 26 update for botan
Published: August 13, 2017 Updated: April 24, 2025
Security Bulletin ID
SB2017081302
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2017-14737)
The vulnerability allows a local authenticated user to gain access to sensitive information.
A cryptographic cache-based side channel in the RSA implementation in Botan before 1.10.17, and 1.11.x and 2.x before 2.3.0, allows a local attacker to recover information about RSA secret keys, as demonstrated by CacheD. This occurs because an array is indexed with bits derived from a secret key.
2) Improper input validation (CVE-ID: CVE-2017-2801)
The vulnerability allows a remote attacker to disclose potentially sensitive information or cause (DoS) condition.The vulnerability exists due to improper validation of X.509 certificate fields when processing a specially formed DN. A remote attacker can submit a crafted X.509 certificate to affected client or server software, bypass security restrictions and cause out of bound memory read.
Successful exploitation of the vulnerability may result in information disclosure or denial of service on the targeted system.
Remediation
Install update from vendor's website.