Control: tag -1 d-i On Fri, Apr 11, 2025 at 09:27:32PM +0200, Bastien Roucaries wrote: > [ Changes ] > Fix CVE-2022-37660: the PKEX code remains active even after a successful PKEX > association. An attacker that successfully bootstrapped public keys with > another entity using PKEX in the past, will be able to subvert a future > bootstrapping by passively observing public keys, re-using the encrypting > element Qi and subtracting it from the captured message M (X = M - Qi). This > will result in the public ephemeral key X; the only element required to > subvert > the PKEX association
d-i ack needed for the udeb; assuming no objections there, please tag "confirmed" and upload. Thanks, -- Jonathan Wiltshire [email protected] Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
