From c0f08c9c0a28de4c58a8d157f0ba73b4da839d36 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sun, 20 Feb 2022 15:16:18 +0100 Subject: Add initial notes for CVE-2016-20013 --- data/CVE/list.2016 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/data/CVE/list.2016 b/data/CVE/list.2016 index cef3871438..8a75a71ddd 100644 --- a/data/CVE/list.2016 +++ b/data/CVE/list.2016 @@ -1,5 +1,8 @@ CVE-2016-20013 (sha256crypt and sha512crypt through 0.6 allow attackers to cause a den ...) - TODO: check + NOTE: https://akkadia.org/drepper/SHA-crypt.txt + NOTE: https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/ + NOTE: https://twitter.com/solardiz/status/795601240151457793 + TODO: check, several sources (busybox, sssd, dietlibc, php*, ...) do embed an implentation of the code, but only track those with security impact CVE-2016-20012 (OpenSSH through 8.7 allows remote attackers, who have a suspicion that ...) - openssh (unimportant) NOTE: https://github.com/openssh/openssh-portable/pull/270 -- cgit v1.2.3
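Review bot: In the added TODO line, "implentation" should read "implementation", and that one line mixes two things: the list of sources that embed the code (busybox, sssd, dietlibc, php*, ...) and the triage policy ("only track those with security impact"). Consider moving the candidate list into its own NOTE and keeping the TODO to what still has to be checked, so that it can be resolved package by package. The three added NOTE lines are bare URLs with no indication of what each one contributes; a few words per reference would help whoever picks up the TODO.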