Candidate: CVE-2018-9860
PublicDate: 2018-04-12 05:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9860
 https://github.com/randombit/botan/commit/ec222c99719c396a1f4756b2ca345dbbfbeb5ed5
Description:
 An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An
 off-by-one error when processing malformed TLS-CBC ciphertext could cause
 the receiving side to include in the HMAC computation exactly 64K bytes of
 data following the record buffer, aka an over-read. The MAC comparison will
 subsequently fail and the connection will be closed. This could be used for
 denial of service. No information leak occurs.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_botan1.10:
upstream_botan1.10: not-affected (code not present)
precise/esm_botan1.10: DNE
trusty_botan1.10: ignored (reached end-of-life)
trusty/esm_botan1.10: DNE (trusty was needs-triage)
xenial_botan1.10: not-affected (code not present)
artful_botan1.10: ignored (reached end-of-life)
bionic_botan1.10: not-affected (code not present)
cosmic_botan1.10: ignored (reached end-of-life)
disco_botan1.10: DNE
eoan_botan1.10: DNE
focal_botan1.10: DNE
groovy_botan1.10: DNE
hirsute_botan1.10: DNE
impish_botan1.10: DNE
jammy_botan1.10: DNE
devel_botan1.10: DNE

Patches_botan:
upstream_botan: released (2.4.0-6)
precise/esm_botan: DNE
trusty_botan: DNE
trusty/esm_botan: DNE
xenial_botan: DNE
artful_botan: DNE
bionic_botan: needed
cosmic_botan: ignored (reached end-of-life)
disco_botan: not-affected (2.9.0-2)
eoan_botan: not-affected (2.9.0-2)
focal_botan: not-affected (2.9.0-2)
groovy_botan: not-affected (2.9.0-2)
hirsute_botan: not-affected (2.9.0-2)
impish_botan: not-affected (2.9.0-2)
jammy_botan: not-affected (2.9.0-2)
devel_botan: not-affected (2.9.0-2)