Candidate: CVE-2021-3446
PublicDate: 2021-03-25 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3446
Description:
 A flaw was found in libtpms in versions before 0.8.2. The commonly used
 integration of libtpms with OpenSSL contained a vulnerability related to
 the returned IV (initialization vector) when certain symmetric ciphers were
 used. Instead of returning the last IV it returned the initial IV to the
 caller, thus weakening the subsequent encryption and decryption steps. The
 highest threat from this vulnerability is to data confidentiality.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [5.5 MEDIUM]


Patches_libtpms:
 upstream: https://github.com/stefanberger/libtpms/commit/32c159ab53db703749a8f90430cdc7b20b00975e
upstream_libtpms: released (0.8.2)
precise/esm_libtpms: DNE
trusty_libtpms: ignored (out of standard support)
trusty/esm_libtpms: DNE
xenial_libtpms: DNE
bionic_libtpms: DNE
focal_libtpms: DNE
groovy_libtpms: ignored (reached end-of-life)
hirsute_libtpms: ignored (reached end-of-life)
impish_libtpms: not-affected (0.8.2-1ubuntu1)
jammy_libtpms: not-affected (0.9.3-0ubuntu1)
devel_libtpms: not-affected (0.9.3-0ubuntu1)