Release: Botan 3.5.0 #225
Closed
Release: Botan 3.5.0 #225
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Merged
This reverts the audit of a few patches that got picked up by the auto-update bot but that don't belong into 3.5.0 anymore.
KMAC was initially introduced in Botan 3.2.0 but we missed to mention it in the crypto documentation thus far.
reneme
commented
Jul 18, 2024
Comment on lines
-103
to
-122
| # Add an explicit warning about Botan2 reaching end of life to readme [ci skip] (Jack Lloyd) | ||
| - commit: 0417790d0794d2c4382f4cfe6f87a88e33f3d21d # https://github.com/randombit/botan/commit/0417790d0794d2c4382f4cfe6f87a88e33f3d21d | ||
| classification: info | ||
| auditer: FAlbertDev | ||
|
|
||
| # Fix some spelling and formatting errors in the release notes [ci skip] (Jack Lloyd) | ||
| - commit: 722dde9d63b1c4b0b3f5b2fcd5851f3a24937c1a # https://github.com/randombit/botan/commit/722dde9d63b1c4b0b3f5b2fcd5851f3a24937c1a | ||
| classification: info | ||
| auditer: FAlbertDev | ||
|
|
||
| # Describe affected versions of name constraint bugs [ci skip] (Jack Lloyd) | ||
| - commit: 82ad62fea5629c1952aa112e3016b61e2c2a56b4 # https://github.com/randombit/botan/commit/82ad62fea5629c1952aa112e3016b61e2c2a56b4 | ||
| classification: info | ||
| auditer: FAlbertDev | ||
|
|
||
| # Add 2.19.5 release notes [ci skip] (Jack Lloyd) | ||
| - commit: 939f200875f708f6b281b6aa3d38bc62a5b80355 # https://github.com/randombit/botan/commit/939f200875f708f6b281b6aa3d38bc62a5b80355 | ||
| classification: info | ||
| auditer: FAlbertDev | ||
|
|
There was a problem hiding this comment.
Those are removed because they were pulled in by the Auto-Update Bot but are not part of the 3.5.0 release.
reneme
commented
Jul 18, 2024
Comment on lines
+84
to
+85
| KMAC | ||
| ---- |
There was a problem hiding this comment.
Originally, KMAC was introduced in Botan 3.2.0 but we failed to mention it in the cryptodoc. That may have been by design, I'm not sure anymore.
Nevertheless, now that we mention KMAC in the context of SP800-56Cr2, I guess it's just fair to also mention it explicitly in the MAC section of the cryptodoc.
reneme
commented
Jul 18, 2024
Comment on lines
-6
to
-13
| .. todo:: | ||
|
|
||
| This documentation is outdated (and potentially too detailed). | ||
| It should be updated as soon as those pull requests are merged: | ||
|
|
||
| * https://github.com/randombit/botan/pull/4024 | ||
|
|
||
| Until then, I've removed some of the source links to pass CI. |
There was a problem hiding this comment.
This was postponed to 3.6.0 but randombit/botan#4024 was merged in the meantime. I.e. we'll have to tackle the overhaul of the Kyber/Dilthium chapters rather soon.
reneme
commented
Jul 18, 2024
Comment on lines
-744
to
-760
| **Vulnerability:** Botan 3.0.0-alpha1 and previous versions contained a bug in | ||
| the OCSP response validation where the authenticity of a spoofed response was not | ||
| properly checked. That allowed an attacker to forge OCSP responses for arbitrary | ||
| CAs that were considered authentic. That alone had the potential for DOS | ||
| attacks. Provided the attacker was in possession of a compromised subject | ||
| certificate, they would have been able to circumvent revocation checks and (keep) | ||
| impersonating the legitimate certificate owner (if no additional CRL-based | ||
| checks are performed). | ||
|
|
||
| This vulnerability was assigned CVE-2022-43705. For further details, please refer | ||
| to the `associated security advisory in Botan's GitHub repository | ||
| <https://github.com/randombit/botan/security/advisories/GHSA-4v9w-qvcq-6q7w>`_ or | ||
| the vulnerability description document provided along with this report. | ||
|
|
||
| **Conclusion:** With `the given patch <https://github.com/randombit/botan/pull/3067>`_ | ||
| applied, Botan is no longer vulnerable to the described issue. | ||
|
|
There was a problem hiding this comment.
This should have been removed from the document as early as the 3.1.0 release.
FAlbertDev
reviewed
Jul 19, 2024
FAlbertDev
approved these changes
Jul 19, 2024
atreiber94
approved these changes
Jul 23, 2024
Co-authored-by: Amos Treiber <[email protected]>
|
Closing as completed. Release is created and documents are persisted. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Those will contain the finishing touches for the Botan 3.5.0 documents, after the library was released on Monday.
THIS PULL REQUEST WON'T BE MERGED, BUT THE
release/3.5.0BRANCH WILL LIVE ON. We'll close the pull request as soon as the documents are finalized. Nevertheless, there are changes to the cryptodoc and testspec in this pull request that have to be applied tomain. We'll cherry-pick those as soon as we're ready to submit the documents.TODO
(perhaps also regard the new "experimental" and "deprecated" modules)