From: Simon Liu <simon@bitcartel.com>
To: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <3e4541f3-f65c-5199-5e85-9a65ea5142e7@bitcartel.com>
Date: Sun, 10 Sep 2017 15:03:48 -0700
Subject: [bitcoin-dev] Responsible disclosure of bugs
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>

Hi,

Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
conference, and the subsequent discussion around responsible disclosure
and industry practice, perhaps now would be a good time to discuss
"Bitcoin and CVEs" which has gone unanswered for 6 months.

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013751.html

To quote:

"Are there any vulnerabilities in Bitcoin which have been fixed but
not yet publicly disclosed? Is the following list of Bitcoin CVEs
up-to-date?

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

There have been no new CVEs posted for almost three years, except for
CVE-2015-3641, but there appears to be no information publicly available
for that issue:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641

It would be of great benefit to end users if the community of clients
and altcoins derived from Bitcoin Core could be patched for any known
vulnerabilities.

Does anyone keep track of security-related bugs and patches, where the
defect severity is similar to those found on the CVE list above? If
yes, can that list be shared with other developers?"

Best Regards,
Simon