Fedora 25 : botan (2016-3b59109c48)

2016-12-2700:00:00

www.tenable.com

JSON

Botan 1.10.14

NOTE WELL: Botan 1.10.x is supported for security patches only until 2017-12-31
Fix integer overflow during BER decoding, found by Falko Strenzke. This bug is not thought to be directly exploitable but upgrading ASAP is advised.
(CVE-2016-9132)
Fix two cases where (in error situations) an exception would be thrown from a destructor, causing a call to std::terminate.
When RC4 is disabled in the build, also prevent it from being included in the OpenSSL provider. (GH #638)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2016-3b59109c48.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(96109);
  script_version("3.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2016-9132");
  script_xref(name:"FEDORA", value:"2016-3b59109c48");

  script_name(english:"Fedora 25 : botan (2016-3b59109c48)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"### Botan 1.10.14 ###

  - NOTE WELL: Botan 1.10.x is supported for security
    patches only until 2017-12-31

  - Fix integer overflow during BER decoding, found by Falko
    Strenzke. This bug is not thought to be directly
    exploitable but upgrading ASAP is advised.
    (CVE-2016-9132)

  - Fix two cases where (in error situations) an exception
    would be thrown from a destructor, causing a call to
    std::terminate.

  - When RC4 is disabled in the build, also prevent it from
    being included in the OpenSSL provider. (GH #638)

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-3b59109c48"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected botan package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:botan");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/27");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC25", reference:"botan-1.10.14-3.fc25")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "botan");
}

VendorProductVersionCPE
fedoraprojectfedorabotanp-cpe:/a:fedoraproject:fedora:botan
fedoraprojectfedora25cpe:/o:fedoraproject:fedora:25

Vendor	Product	Version	CPE
fedoraproject	fedora	botan	p-cpe:/a:fedoraproject:fedora:botan
fedoraproject	fedora	25	cpe:/o:fedoraproject:fedora:25

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9132

bodhi.fedoraproject.org/updates/FEDORA-2016-3b59109c48

JSON

Related for FEDORA_2016-3B59109C48.NASL