Document multiple issues in Botan

PR:		209595
Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
Security:	CVE-2015-7827
Security:	CVE-2016-2849
Security:	https://vuxml.FreeBSD.org/freebsd/ac0900df-31d0-11e6-8e82-002590263bf5.html
Security:	CVE-2014-9742
Security:	https://vuxml.FreeBSD.org/freebsd/f771880c-31cf-11e6-8e82-002590263bf5.html

1 files changed, 57 insertions, 0 deletions

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 5fc488849004..7d5cdbe27b8b 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,63 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="ac0900df-31d0-11e6-8e82-002590263bf5">
+    <topic>botan -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>botan110</name>
+	<range><lt>1.10.13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Jack Lloyd reports:</p>
+	<blockquote cite="https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html">
+	  <p>Botan 1.10.13 has been released backporting some side channel
+	    protections for ECDSA signatures (CVE-2016-2849) and PKCS #1 RSA
+	    decryption (CVE-2015-7827).</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-2849</cvename>
+      <cvename>CVE-2015-7827</cvename>
+      <url>https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html</url>
+    </references>
+    <dates>
+      <discovery>2016-04-28</discovery>
+      <entry>2016-06-14</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="f771880c-31cf-11e6-8e82-002590263bf5">
+    <topic>botan -- cryptographic vulnerability</topic>
+    <affects>
+      <package>
+	<name>botan110</name>
+	<range><lt>1.10.8</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>MITRE reports:</p>
+	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9742">
+	  <p>The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x
+	    before 1.11.9 improperly uses a single random base, which makes it
+	    easier for remote attackers to defeat cryptographic protection
+	    mechanisms via a DH group.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-9742</cvename>
+    </references>
+    <dates>
+      <discovery>2014-04-11</discovery>
+      <entry>2016-06-14</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="6d402857-2fba-11e6-9f31-5404a68ad561">
     <topic>VLC -- Possibly remote code execution via crafted file</topic>
     <affects>