DescriptionA side-channel issue was discovered in Botan before 2.9.0. An attacker capable of precisely measuring the time taken for ECC key generation may be able to derive information about the high bits of the secret key, as the function to derive the public point from the secret scalar uses an unblinded Montgomery ladder whose loop iteration count depends on the bitlength of the secret. This issue affects only key generation, not ECDSA signatures or ECDH key agreement.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs918732

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
botan (PTS)buster, sid2.9.0-2fixed
botan1.10 (PTS)jessie, jessie (security)1.10.8-2+deb8u2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
botan1.10source(unstable)(not affected)


- botan1.10 <not-affected> (Vulnerable code introduced in 1.11.20)

Search for package or bug name: Reporting problems