data/reports: add missing ghsa to GO-2022-0425

tatianab · Tatiana Bradley · commit d286f284544f · 2022-12-29T20:17:53.000Z
Aliases: CVE-2021-4239, GHSA-g9mp-8g3h-3c5c, GHSA-6cr6-fmvc-vw2p Updates #425 Fixes #1202 Change-Id: Ib68103cbdd713c8598a5ded98b30532b178507c5 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/459839 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tim King <taking@google.com> Run-TryBot: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/data/osv/GO-2022-0425.json b/data/osv/GO-2022-0425.json
@@ -4,7 +4,8 @@
   "modified": "0001-01-01T00:00:00Z",
   "aliases": [
     "CVE-2021-4239",
-    "GHSA-g9mp-8g3h-3c5c"
+    "GHSA-g9mp-8g3h-3c5c",
+    "GHSA-6cr6-fmvc-vw2p"
   ],
   "details": "The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack.\n\nAfter 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce.\n\nIn a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages.",
   "affected": [
diff --git a/data/reports/GO-2022-0425.yaml b/data/reports/GO-2022-0425.yaml
@@ -30,6 +30,7 @@ description: |
 published: 2022-02-15T01:57:18Z
 ghsas:
   - GHSA-g9mp-8g3h-3c5c
+  - GHSA-6cr6-fmvc-vw2p
 references:
   - fix: https://github.com/flynn/noise/pull/44
 cve_metadata:
