Candidate: CVE-2018-12435
PublicDate: 2018-06-15 02:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12435
 https://github.com/randombit/botan/pull/1604
 https://github.com/randombit/botan/commit/48fc8df51d99f9d8ba251219367b3d629cc848e3
 https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Description:
 Botan 2.5.0 through 2.6.0 before 2.7.0 allows a memory-cache side-channel
 attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or
 ROHNP, related to dsa/dsa.cpp, ec_group/ec_group.cpp, and ecdsa/ecdsa.cpp.
 To discover an ECDSA key, the attacker needs access to either the local
 machine or a different virtual machine on the same physical host.
Ubuntu-Description:
Notes:
 msalvatore> From the release notes, "versions before 2.5.0 are not affected"
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901619
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N [5.9 MEDIUM]

Patches_botan1.10:
upstream_botan1.10: not-affected (debian: Issue introduced in 2.5.0)
precise/esm_botan1.10: DNE
trusty_botan1.10: ignored (reached end-of-life)
trusty/esm_botan1.10: DNE (trusty was needs-triage)
xenial_botan1.10: not-affected (code not present)
artful_botan1.10: ignored (reached end-of-life)
bionic_botan1.10: not-affected (code not present)
cosmic_botan1.10: ignored (reached end-of-life)
disco_botan1.10: DNE
eoan_botan1.10: DNE
devel_botan1.10: DNE

Patches_botan:
 upstream: https://github.com/randombit/botan/commit/48fc8df51d99f9d8ba251219367b3d629cc848e3
upstream_botan: released (2.6.0-3)
precise/esm_botan: DNE
trusty_botan: DNE
trusty/esm_botan: DNE
xenial_botan: DNE
artful_botan: DNE
bionic_botan: not-affected (code not present)
cosmic_botan: not-affected (2.6.0-3)
disco_botan: not-affected (2.6.0-3)
eoan_botan: not-affected (2.6.0-3)
devel_botan: not-affected (2.6.0-3)