[Git][security-tracker-team/security-tracker][master] Update notes for two libgcrypt20 CVEs

Sun Sep 19 12:35:57 BST 2021


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ff7bba42 by Salvatore Bonaccorso at 2021-09-19T13:35:23+02:00
Update notes for two libgcrypt20 CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1905,7 +1905,11 @@ CVE-2021-40528 (The ElGamal implementation in Libgcrypt before 1.9.4 allows plai
 	NOTE: https://eprint.iacr.org/2021/923
 	NOTE: https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
 	NOTE: https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
-	NOTE: Related to CVE-2021-33560, but not a duplicate
+	NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=e8b7f10be275bcedb5fc05ed4837a89bfd605c61 (1.9.x)
+	NOTE: Related to CVE-2021-33560, but not a duplicate. Unfortunately scope of CVE-2021-33560 and
+	NOTE: CVE-2021-40528 got switched at some point, and CVE-2021-33560 referring to the blinding
+	NOTE: hardening. We keep the original association as per 2021-09-19 (until MITRE clarifies on
+	NOTE: a query).
 CVE-2021-40527
 	RESERVED
 CVE-2021-40526
@@ -18003,7 +18007,10 @@ CVE-2021-33560 (Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal
 	[buster] - libgcrypt20 1.8.4-5+deb10u1
 	NOTE: https://dev.gnupg.org/T5328
 	NOTE: https://eprint.iacr.org/2021/923.pdf
-	NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320
+	NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320 (1.9.x)
+	NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=707c3c5c511ee70ad0e39ec613471f665305fbea (1.8.x)
+	NOTE: See notes on CVE-2021-40528 on the confusion about swapping of scope of
+	NOTE: CVE-2021-40528 and CVE-2021-33560.
 CVE-2021-33559
 	RESERVED
 CVE-2021-33558 (Boa 0.94.13 allows remote attackers to obtain sensitive information vi ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff7bba427b8f21ddd1849d525f153f05aafc9abe

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff7bba427b8f21ddd1849d525f153f05aafc9abe
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210919/3d94a1d2/attachment.htm>
