Release: Botan 3.5.0 #225
Release: Botan 3.5.0 #225
Conversation
This reverts the audit of a few patches that got picked up by the auto-update bot but that don't belong into 3.5.0 anymore.
KMAC was initially introduced in Botan 3.2.0 but we missed to mention it in the crypto documentation thus far.
| # Add an explicit warning about Botan2 reaching end of life to readme [ci skip] (Jack Lloyd) | ||
| - commit: 0417790d0794d2c4382f4cfe6f87a88e33f3d21d # https://github.com/randombit/botan/commit/0417790d0794d2c4382f4cfe6f87a88e33f3d21d | ||
| classification: info | ||
| auditer: FAlbertDev | ||
|
|
||
| # Fix some spelling and formatting errors in the release notes [ci skip] (Jack Lloyd) | ||
| - commit: 722dde9d63b1c4b0b3f5b2fcd5851f3a24937c1a # https://github.com/randombit/botan/commit/722dde9d63b1c4b0b3f5b2fcd5851f3a24937c1a | ||
| classification: info | ||
| auditer: FAlbertDev | ||
|
|
||
| # Describe affected versions of name constraint bugs [ci skip] (Jack Lloyd) | ||
| - commit: 82ad62fea5629c1952aa112e3016b61e2c2a56b4 # https://github.com/randombit/botan/commit/82ad62fea5629c1952aa112e3016b61e2c2a56b4 | ||
| classification: info | ||
| auditer: FAlbertDev | ||
|
|
||
| # Add 2.19.5 release notes [ci skip] (Jack Lloyd) | ||
| - commit: 939f200875f708f6b281b6aa3d38bc62a5b80355 # https://github.com/randombit/botan/commit/939f200875f708f6b281b6aa3d38bc62a5b80355 | ||
| classification: info | ||
| auditer: FAlbertDev | ||
|
|
There was a problem hiding this comment.
Those are removed because they were pulled in by the Auto-Update Bot but are not part of the 3.5.0 release.
| KMAC | ||
| ---- |
There was a problem hiding this comment.
Originally, KMAC was introduced in Botan 3.2.0 but we failed to mention it in the cryptodoc. That may have been by design, I'm not sure anymore.
Nevertheless, now that we mention KMAC in the context of SP800-56Cr2, I guess it's just fair to also mention it explicitly in the MAC section of the cryptodoc.
| .. todo:: | ||
|
|
||
| This documentation is outdated (and potentially too detailed). | ||
| It should be updated as soon as those pull requests are merged: | ||
|
|
||
| * https://github.com/randombit/botan/pull/4024 | ||
|
|
||
| Until then, I've removed some of the source links to pass CI. |
There was a problem hiding this comment.
This was postponed to 3.6.0 but randombit/botan#4024 was merged in the meantime. I.e. we'll have to tackle the overhaul of the Kyber/Dilthium chapters rather soon.
| **Vulnerability:** Botan 3.0.0-alpha1 and previous versions contained a bug in | ||
| the OCSP response validation where the authenticity of a spoofed response was not | ||
| properly checked. That allowed an attacker to forge OCSP responses for arbitrary | ||
| CAs that were considered authentic. That alone had the potential for DOS | ||
| attacks. Provided the attacker was in possession of a compromised subject | ||
| certificate, they would have been able to circumvent revocation checks and (keep) | ||
| impersonating the legitimate certificate owner (if no additional CRL-based | ||
| checks are performed). | ||
|
|
||
| This vulnerability was assigned CVE-2022-43705. For further details, please refer | ||
| to the `associated security advisory in Botan's GitHub repository | ||
| <https://github.com/randombit/botan/security/advisories/GHSA-4v9w-qvcq-6q7w>`_ or | ||
| the vulnerability description document provided along with this report. | ||
|
|
||
| **Conclusion:** With `the given patch <https://github.com/randombit/botan/pull/3067>`_ | ||
| applied, Botan is no longer vulnerable to the described issue. | ||
|
|
There was a problem hiding this comment.
This should have been removed from the document as early as the 3.1.0 release.
| This section covers changes to the build system. Most notably, Botan now | ||
| requires at least XCode 15 to build on macOS and distinguishes between clang | ||
| fork of xcode and vanilla clang. |
There was a problem hiding this comment.
| This section covers changes to the build system. Most notably, Botan now | |
| requires at least XCode 15 to build on macOS and distinguishes between clang | |
| fork of xcode and vanilla clang. | |
| This section covers changes to the build system. Most notably, Botan now | |
| requires at least XCode 15 to build on macOS and distinguishes between the clang | |
| fork of XCode and vanilla clang. |
| @@ -1,5 +1,8 @@ | |||
| title: HSS/LMS | |||
|
|
|||
| description: | | |||
There was a problem hiding this comment.
Somehow Philippe is missing as Code Author here in the PDF
There was a problem hiding this comment.
Currently the scripts don't take the Co-Authored-By: ... in the commits into account. Only the pull-request author. I'm guessing that's the reason it didn't pick up @lieser.
We could certainly look into this, though. Sucks that we're currently missing due credit. Perhaps GitHub even provides an API to resolve the email addresses in Co-Authored-By into a GitHub account? That'd certainly help.
Co-authored-by: Amos Treiber <40764707+atreiber94@users.noreply.github.com>
Those will contain the finishing touches for the Botan 3.5.0 documents, after the library was released on Monday.
THIS PULL REQUEST WON'T BE MERGED, BUT THE
release/3.5.0BRANCH WILL LIVE ON. We'll close the pull request as soon as the documents are finalized. Nevertheless, there are changes to the cryptodoc and testspec in this pull request that have to be applied tomain. We'll cherry-pick those as soon as we're ready to submit the documents.TODO
(perhaps also regard the new "experimental" and "deprecated" modules)