Date: Wed, 10 Jul 2024 07:40:46 +0000
From: "'Antoine Poinsot' via Bitcoin Development Mailing List"
To: Antoine Riard
Cc: Bitcoin Development Mailing List
Subject: Re: [bitcoindev] Re: Public disclosure of 10 vulnerabilities affecting Bitcoin Core < 0.21.0

Hey Antoine,

> I think one thing that could be a benefit could be to assign a unique numeric identifier to each sec advisory.

Those are underway. We retroactively requested CVE numbers for historical issues from MITRE.

Best,
Antoine (the other other one).

On Tuesday, July 9th, 2024 at 3:16 AM, Antoine Riard wrote:

> Hello Antoine,
>
> Nothing really new in those 10 security advisories. I think one thing that could be a benefit could be to assign a unique numeric identifier to each sec advisory.
>
> As OpenSSH showed this week, this could be good to minimize risks of regressions by favoring a methodical screening of old vulnerabilities at review of new changes.
>
> On the security researcher / handler side, having unique numeric identifiers also makes it easier to coordinate mitigation patch development and deployment.
>
> Best,
> Antoine (the other one).
>
> On Wednesday, July 3rd, 2024 at 17:36:02 UTC+1, Antoine Poinsot wrote:
>
>> Hi everyone,
>>
>> Today we are releasing 10 security advisories for the Bitcoin Core project. Those bugs affect versions of Bitcoin Core before (and not including) 0.21.0.
>>
>> This is part of the gradual adoption by the project of a new vulnerability disclosure policy.
>>
>> The policy and the 10 security advisories can be found on the project's website at https://bitcoincore.org/en/security-advisories.
>>
>> We will follow up later in July to publicly disclose vulnerabilities fixed in version 22.0, and then in August to disclose those fixed in version 23.0, and so on until we run out of old unmaintained versions to disclose vulnerabilities for. The announced policy will then start to be observed for new versions.
>>
>> Antoine Poinsot