doc: Fix NEWS entry to refer CVE-2021-40528.
(2) Firstly, we handled the side channel attack.
(3) The libgcrypt team decided that the side channel attack is not
worth for CVE assignment. Nevertheless, I pushed the change to
mitigate the attack. It is included in libgcrypt 1.9.3, but not in
1.8 series. It is handled as an improvement of implementation.
(4) Secondly, we handled the cross-configuration attack. I requested
an assignement of CVE from MITRE and it's CVE-2021-33560. When I
requested the assignment, it was specifically for the
(5) I pushed the change for the problem. It is included in libgcrypt
1.8.8 and libgcrypt 1.9.4.
(6) The author got a CVE independently, it's CVE-2021-40528.
Now, CVE-2021-40528 refers the cross configuration attack.
And CVE-2021-33560 refers the side channel attack, unfortunately.
To fix confusion, we change the entry to refer CVE-2021-40528.
- Signed-off-by: NIIBE Yutaka <email@example.com>