Source: esptool
Version: 4.6.2+dfsg-0.1
Severity: normal
Tags: security upstream
Forwarded: https://github.com/espressif/esptool/issues/926
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for esptool.

CVE-2023-46894[0]:
| An issue discovered in esptool 4.6.2 allows attackers to view
| sensitive information via weak cryptographic algorithm.

If I understand the upstream discussion[1] correctly this is not
something which is going to be fixed until the oldest earliest chips
are not supported anymore. So this bug is merely for documentation
purpose and can be closed once this support vanishes (or feel free to
answer the above, we might then simply mark it as unimportant in the
security-tracker).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46894
    https://www.cve.org/CVERecord?id=CVE-2023-46894
[1] https://github.com/espressif/esptool/issues/926

Regards,
Salvatore
