
CVE-2018-9860

Published: 12 April 2018

An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An off-by-one error when processing malformed TLS-CBC ciphertext could cause the receiving side to include in the HMAC computation exactly 64K bytes of data following the record buffer, aka an over-read. The MAC comparison will subsequently fail and the connection will be closed. This could be used for denial of service. No information leak occurs.

Priority: Medium

CVSS 3 base score: 7.5

Status

Package: botan (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Released (2.4.0-6)
Ubuntu 21.10 (Impish Indri)        Not vulnerable (2.9.0-2)
Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (2.9.0-2)
Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (2.9.0-2)
Ubuntu 18.04 LTS (Bionic Beaver)   Needed
Ubuntu 16.04 ESM (Xenial Xerus)    Does not exist
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

Package: botan1.10 (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Not vulnerable (code not present)
Ubuntu 21.10 (Impish Indri)        Does not exist
Ubuntu 21.04 (Hirsute Hippo)       Does not exist
Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (code not present)
Ubuntu 16.04 ESM (Xenial Xerus)    Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist (trusty was needs-triage)