The nixpkgs-unstable channel's programs.sqlite was used to identify
packages producing exactly one binary, and these automatically added
to their package definitions wherever possible.
Changelog: https://botan.randombit.net/news.html
Most notable changes: better PQC and TLS 1.3 support
Signed-off-by: Markus Theil <theil.markus@gmail.com>
The explicit setting of the C++ standard to C++11 was
introduced with botan 2.0.1 and is no longer needed.
Signed-off-by: Markus Theil <theil.markus@gmail.com>
Use the existing generic botan file and add specialization
for botan 3. Botan 3 most importantly adds support for
TLS 1.3 and PQC algorithms. Introduce Botan 3 in parallel to
Botan 2, as it is a major release and e.g. now uses C++20
in contrast to C++11 of Botan 2.9.
Signed-off-by: Markus Theil <theil.markus@gmail.com>
In botan 2.11.0 the upstream switched to tar.xz archives. To continue
supporting botan1 the source package extension can now be overridden from
within the specialized package.
Addresses two advisories, neither of which received a CVE:
- 2020-07-05: Failure to enforce name constraints on alternative names
- 2020-03-24: Side channel during CBC padding
Fixes:
CVE-2018-12435: requires >= 2.7.0 (NVD entry is incorrect)
"Bug introduced in 2.5.0, fixed in 2.7.0. The 1.10 branch is not affected."
A side channel in the ECDSA signature operation could allow a local attacker to recover the secret key.
CVE-2018-20187: requires >= 2.9.0
"Introduced in 1.11.20, fixed in 2.8.0."
A timing side channel during ECC key generation could leak information about the high bits of the secret scalar. Such information allows an attacker to perform a brute force attack on the key somewhat more efficiently than they would otherwise.