Bug 977421 (CVE-2016-2850) - VUL-0: CVE-2016-2850: Botan: Failure to enforce TLS policy
Summary: VUL-0: CVE-2016-2850: Botan: Failure to enforce TLS policy
Status: RESOLVED INVALID
Alias: CVE-2016-2850
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Philipp Thomas
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/168340/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-27 11:59 UTC by Andreas Stieger
Modified: 2016-04-27 12:06 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2016-04-27 11:59:28 UTC 
From http://botan.randombit.net/security.html#id1
CVE-2016-2850: Failure to enforce TLS policy

TLS v1.2 allows negotiating which signature algorithms and hash functions each side is willing to accept. However received signatures were not actually checked against the specified policy. This had the effect of allowing a server to use an MD5 or SHA-1 signature, even though the default policy prohibits it. The same issue affected client cert authentication.

The TLS client also failed to verify that the ECC curve the server chose to use was one which was acceptable by the client policy.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1330875
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2849
Comment 1 Andreas Stieger 2016-04-27 12:06:37 UTC 
Introduced in 1.11.0, fixed in 1.11.29

SLE 11 1.6.4 not affected
SLE 12 1.10.6 not affected

openSUSE:13.2:Update/Botan 1.10.8 not affected
openSUSE:Leap:42.1:Update/Botan 1.10.10 not affected
openSUSE:Factory/Botan 1.10.12 not affected
devel:libraries:c_c++/Botan 1.10.12 not affected