Home GnuPG

doc: Fix NEWS entry to refer CVE-2021-40528.

Description

doc: Fix NEWS entry to refer CVE-2021-40528.

Timeline:

(1) T5328 is created for https://eprint.iacr.org/2021/923.pdf

(2) Firstly, we handled the side channel attack.

(3) The libgcrypt team decided that the side channel attack is not
worth for CVE assignment. Nevertheless, I pushed the change to
mitigate the attack. It is included in libgcrypt 1.9.3, but not in
1.8 series. It is handled as an improvement of implementation.

(4) Secondly, we handled the cross-configuration attack. I requested
an assignement of CVE from MITRE and it's CVE-2021-33560. When I
requested the assignment, it was specifically for the
cross-configuration attack.

(5) I pushed the change for the problem. It is included in libgcrypt
1.8.8 and libgcrypt 1.9.4.

(6) The author got a CVE independently, it's CVE-2021-40528.

Now, CVE-2021-40528 refers the cross configuration attack.
And CVE-2021-33560 refers the side channel attack, unfortunately.

To fix confusion, we change the entry to refer CVE-2021-40528.

  • Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

Details

Provenance
gniibeAuthored on Nov 10 2021, 3:45 AM
Parents
rC0d568f2e5d82: doc: Address the bug on AArch64 in README.
Branches
Unknown
Tags
Unknown