From b118681ebc4c9ea4b9da79b0f9541405a64f4c13 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Wed, 10 Nov 2021 11:45:17 +0900
Subject: doc: Fix NEWS entry to refer CVE-2021-40528.

--

Timeline:

(1) T5328 is created for https://eprint.iacr.org/2021/923.pdf

(2) Firstly, we handled the side channel attack.

(3) The libgcrypt team decided that the side channel attack is not
worth for CVE assignment.  Nevertheless, I pushed the change to
mitigate the attack.  It is included in libgcrypt 1.9.3, but not in
1.8 series.  It is handled as an improvement of implementation.

(4) Secondly, we handled the cross-configuration attack.  I requested
an assignement of CVE from MITRE and it's CVE-2021-33560.  When I
requested the assignment, it was specifically for the
cross-configuration attack.

(5) I pushed the change for the problem.  It is included in libgcrypt
1.8.8 and libgcrypt 1.9.4.

(6) The author got a CVE independently, it's CVE-2021-40528.

Now, CVE-2021-40528 refers the cross configuration attack.
And CVE-2021-33560 refers the side channel attack, unfortunately.

To fix confusion, we change the entry to refer CVE-2021-40528.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 NEWS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index aa95f192..3a9566ca 100644
--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,7 @@ Noteworthy changes in version 1.9.4 (2021-08-22)  [C23/A3/R4]
  * Bug fixes:
 
    - Fix Elgamal encryption for other implementations.
-     [#5328,CVE-2021-33560]
+     [#5328,CVE-2021-40528]
 
    - Fix alignment problem on macOS.  [#5440]
 
-- 
cgit v1.2.1