[Git][security-tracker-team/security-tracker][master] Track CVE-2021-33560 and CVE-2021-40528

Sun, 28 Nov 2021 11:45:52 -0800 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f6b10d81 by Salvatore Bonaccorso at 2021-11-28T20:45:19+01:00
Track CVE-2021-33560 and CVE-2021-40528

This got complex as the initial CVE assignment got swapped later.
Following other distributions we now recitify the old tracking.

This now was really a unnecessary burden, in particular because the
upstream repository commit reference will not swap the CVE in the commit
message, which I would expect can cause some further confusions.

Thus keep as well the notes about the swapping.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -12129,7 +12129,7 @@ CVE-2021-40529 (The ElGamal implementation in Botan 
through 2.18.1, as used in T
        NOTE: Fixed by: 
https://github.com/randombit/botan/commit/9a23e4e3bc3966340531f2ff608fa9d33b5185a2
        NOTE: 
https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
        NOTE: 
https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
-CVE-2021-40528 (The ElGamal implementation in Libgcrypt before 1.9.4 allows 
plaintext  ...)
+CVE-2021-33560
        - libgcrypt20 1.9.4-2
        [bullseye] - libgcrypt20 <no-dsa> (Minor issue)
        [buster] - libgcrypt20 <no-dsa> (Minor issue)
@@ -28835,7 +28835,7 @@ CVE-2021-33562 (A reflected cross-site scripting (XSS) 
vulnerability in Shopizer
        NOT-FOR-US: Shopizer
 CVE-2021-33561 (A stored cross-site scripting (XSS) vulnerability in Shopizer 
before 2 ...)
        NOT-FOR-US: Shopizer
-CVE-2021-33560 (Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles 
ElGamal encry ...)
+CVE-2021-40528
        {DLA-2691-1}
        - libgcrypt20 1.8.7-6
        [buster] - libgcrypt20 1.8.4-5+deb10u1


=====================================
data/DLA/list
=====================================
@@ -428,7 +428,7 @@
        {CVE-2020-26558 CVE-2021-0129}
        [stretch] - bluez 5.43-2+deb9u4
 [25 Jun 2021] DLA-2691-1 libgcrypt20 - security update
-       {CVE-2021-33560}
+       {CVE-2021-40528}
        [stretch] - libgcrypt20 1.7.6-2+deb9u4
 [22 Jun 2021] DLA-2690-1 linux-4.19 - security update
        {CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-25670 
CVE-2020-25671 CVE-2020-25672 CVE-2020-26139 CVE-2020-26147 CVE-2020-26558 
CVE-2020-29374 CVE-2021-0129 CVE-2021-23133 CVE-2021-23134 CVE-2021-28688 
CVE-2021-28964 CVE-2021-28971 CVE-2021-28972 CVE-2021-29154 CVE-2021-29155 
CVE-2021-29264 CVE-2021-29647 CVE-2021-29650 CVE-2021-31829 CVE-2021-31916 
CVE-2021-32399 CVE-2021-33034 CVE-2021-3483 CVE-2021-3506 CVE-2021-3564 
CVE-2021-3573 CVE-2021-38208}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6b10d815c089f0dcd3ee211478f7d0c736b7213

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6b10d815c089f0dcd3ee211478f7d0c736b7213
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to