Date: Thu, 19 Sep 2024 01:12:58 -0700 (PDT)
From: Antoine Riard <antoine.riard@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <950859e2-e548-4361-8e5b-2595c0ed7a43n@googlegroups.com>
Subject: [bitcoindev] Re: Public disclosure of 1 vulnerability affecting Bitcoin Core <24.0.1

Hi Darosior,

Thanks for writing the report.

"With that, Bitcoin Core no longer relies on having checkpoints to protect against any known attacks."

I think it's a good time to get that back on track:
https://github.com/bitcoin/bitcoin/pull/25725

As of commit ab0b5706b, it sounds like checkpoints are still there.

Best,
Antoine (the other one)
ots hash: e4888dbb9983b541649f66bb23665e25fa22c47deeec5a294cf6e7624911cd07

On Thursday, 19 September 2024 at 08:27:23 UTC+1, Antoine Poinsot wrote:
> Hi everyone,
>
> Today we are releasing 1 security advisory for the Bitcoin Core project. This vulnerability affects versions of Bitcoin Core before (and not including) 24.0.1.
>
> The details for this vulnerability are available at https://bitcoincore.org/en/2024/09/18/disclose-headers-oom.
>
> This is part of the gradual adoption by the project of a new vulnerability disclosure policy. The policy is available at https://bitcoincore.org/en/security-advisories/#policy. We will follow up next month with vulnerabilities affecting Bitcoin Core versions before (and not including) 25.0, if any.
>
> Antoine Poinsot