Security update for Botan SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0343-1 Final 1 1 2024-10-30T13:01:43Z current 2024-10-30T13:01:43Z 2024-10-30T13:01:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Botan This update for Botan fixes the following issues: - Fixed CVE-2024-50382, CVE-2024-50383 - various compiler-induced side channel in GHASH when certain LLVM/GCC versions are used to compile Botan. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-343 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JIB3PGKG47QR6R5PTCZJFDYCEELC6BOJ/ E-Mail link for openSUSE-SU-2024:0343-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1232296 SUSE Bug 1232296 https://bugzilla.suse.com/1232297 SUSE Bug 1232297 https://bugzilla.suse.com/1232300 SUSE Bug 1232300 https://bugzilla.suse.com/1232301 SUSE Bug 1232301 https://www.suse.com/security/cve/CVE-2024-50382/ SUSE CVE CVE-2024-50382 page https://www.suse.com/security/cve/CVE-2024-50383/ SUSE CVE CVE-2024-50383 page SUSE Package Hub 15 SP5 SUSE Package Hub 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 Botan-2.19.5-bp156.3.6.1 Botan-doc-2.19.5-bp156.3.6.1 libbotan-2-19-2.19.5-bp156.3.6.1 libbotan-2-19-32bit-2.19.5-bp156.3.6.1 libbotan-2-19-64bit-2.19.5-bp156.3.6.1 libbotan-devel-2.19.5-bp156.3.6.1 libbotan-devel-32bit-2.19.5-bp156.3.6.1 libbotan-devel-64bit-2.19.5-bp156.3.6.1 python3-botan-2.19.5-bp156.3.6.1 Botan-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP5 Botan-doc-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP5 libbotan-2-19-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP5 libbotan-2-19-32bit-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP5 libbotan-2-19-64bit-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP5 libbotan-devel-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP5 libbotan-devel-32bit-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP5 libbotan-devel-64bit-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP5 python3-botan-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP5 Botan-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP6 Botan-doc-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP6 libbotan-2-19-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP6 libbotan-2-19-32bit-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP6 libbotan-2-19-64bit-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP6 libbotan-devel-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP6 libbotan-devel-32bit-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP6 libbotan-devel-64bit-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP6 python3-botan-2.19.5-bp156.3.6.1 as a component of SUSE Package Hub 15 SP6 Botan-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.5 Botan-doc-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.5 libbotan-2-19-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.5 libbotan-2-19-32bit-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.5 libbotan-2-19-64bit-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.5 libbotan-devel-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.5 libbotan-devel-32bit-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.5 libbotan-devel-64bit-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.5 python3-botan-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.5 Botan-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.6 Botan-doc-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.6 libbotan-2-19-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.6 libbotan-2-19-32bit-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.6 libbotan-2-19-64bit-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.6 libbotan-devel-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.6 libbotan-devel-32bit-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.6 libbotan-devel-64bit-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.6 python3-botan-2.19.5-bp156.3.6.1 as a component of openSUSE Leap 15.6 Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V. CVE-2024-50382 SUSE Package Hub 15 SP5:Botan-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:Botan-doc-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-2-19-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-2-19-32bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-2-19-64bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-devel-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-devel-32bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-devel-64bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:python3-botan-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:Botan-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:Botan-doc-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-2-19-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-2-19-32bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-2-19-64bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-devel-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-devel-32bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-devel-64bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:python3-botan-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:Botan-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:Botan-doc-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-2-19-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-2-19-32bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-2-19-64bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-devel-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-devel-32bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-devel-64bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:python3-botan-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:Botan-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:Botan-doc-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-2-19-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-2-19-32bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-2-19-64bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-devel-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-devel-32bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-devel-64bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:python3-botan-2.19.5-bp156.3.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JIB3PGKG47QR6R5PTCZJFDYCEELC6BOJ/ https://www.suse.com/security/cve/CVE-2024-50382.html CVE-2024-50382 https://bugzilla.suse.com/1232300 SUSE Bug 1232300 Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.) CVE-2024-50383 SUSE Package Hub 15 SP5:Botan-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:Botan-doc-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-2-19-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-2-19-32bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-2-19-64bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-devel-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-devel-32bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:libbotan-devel-64bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP5:python3-botan-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:Botan-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:Botan-doc-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-2-19-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-2-19-32bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-2-19-64bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-devel-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-devel-32bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:libbotan-devel-64bit-2.19.5-bp156.3.6.1 SUSE Package Hub 15 SP6:python3-botan-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:Botan-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:Botan-doc-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-2-19-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-2-19-32bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-2-19-64bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-devel-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-devel-32bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:libbotan-devel-64bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.5:python3-botan-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:Botan-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:Botan-doc-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-2-19-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-2-19-32bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-2-19-64bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-devel-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-devel-32bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:libbotan-devel-64bit-2.19.5-bp156.3.6.1 openSUSE Leap 15.6:python3-botan-2.19.5-bp156.3.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JIB3PGKG47QR6R5PTCZJFDYCEELC6BOJ/ https://www.suse.com/security/cve/CVE-2024-50383.html CVE-2024-50383 https://bugzilla.suse.com/1232296 SUSE Bug 1232296