From: Luke Dashjr <luke@dashjr.org>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Sat, 22 Jun 2019 23:42:52 +0000
Message-Id: <201906222342.56016.luke@dashjr.org>
Cc: security@bitcoincore.org
Subject: [bitcoin-dev] PSA: Upcoming disclosure of pre-v0.17.1
	vulnerabilities

Two relatively minor vulnerabilities will likely be disclosed sometime soon.

The first vulnerability, CVE-2017-18350, was introduced in v0.7.0 (released in 
2012 September), and affects all versions released until the fix was included 
in v0.15.1 (released in 2017 November). No versions prior to v0.15.1 are 
expected to be fixed.

The second vulnerability, CVE-2018-20586, was introduced in v0.12.0 (released 
in 2016 February), and affects all versions released until the fix was 
included in v0.17.1 (released in 2018 December). As of today, this fix has 
NOT been backported to older versions. When/if v0.15.3 and v0.16.4 are 
released, they may also include a fix, but due to the minor severity of this 
vulnerability, it does not merit a dedicated release on its own. (The git 
branches are also NOT fixed at this time.)

Please be sure you have upgraded to a fixed version no later than August 1st.