Return-Path: <laanwj@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id C700B360
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 12 Oct 2015 17:17:52 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com
	[209.85.212.173])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 2028B20D
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 12 Oct 2015 17:17:52 +0000 (UTC)
Received: by wicge5 with SMTP id ge5so158953631wic.0
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 12 Oct 2015 10:17:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=date:from:to:subject:message-id:mime-version:content-type
	:content-disposition;
	bh=kMOfbKAYTgtPVFp07hWePqfTRXlv4kTrUPFry/Mv+zk=;
	b=dshKlP/ZAhrqPy0HV2XPNYWTpgd1LscVN/Q7XL8sQZMMVKW6EiZHdpPkCLe5BKa9pM
	381Nc+ETcoDHu8bBxwDDvKRhuvLXITEeonpS1NZ6IviVDCuJMpYBlmRBnqb2TJG7Wro0
	vefRRPJxjSF6b53lsynpmzEvfq+2Z3yeh8I7/9aLwbP7tbgQegrpix2zYsIH+xqNovtq
	aYYTrOP1/K/EopZ/c6z8gaPEEn6EatpI4FOZ13Jf9K+9o8eUsCibLB909EJoJ+gvAZGH
	GHHMkXnmkWwdX+t+xgYcVdTPpHPZnMd4zlfZqt3/fzMBFzqkYXXxTqQXMjjvGLyE+D0p
	wuTQ==
X-Received: by 10.181.27.138 with SMTP id jg10mr16827293wid.29.1444670270946; 
	Mon, 12 Oct 2015 10:17:50 -0700 (PDT)
Received: from amethyst.visucore.com (dhcp-089-098-228-253.chello.nl.
	[89.98.228.253]) by smtp.gmail.com with ESMTPSA id
	f17sm20950386wjn.38.2015.10.12.10.17.50
	for <bitcoin-dev@lists.linuxfoundation.org>
	(version=TLS1_2 cipher=AES128-SHA256 bits=128/128);
	Mon, 12 Oct 2015 10:17:50 -0700 (PDT)
Date: Mon, 12 Oct 2015 19:17:50 +0200
From: "Wladimir J. van der Laan" <laanwj@gmail.com>
To: Bitcoin development mailing list <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <20151012171749.GA25415@amethyst.visucore.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
	RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: [bitcoin-dev] ALERT: Vulnerability in UPnP library used by Bitcoin
	Core
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2015 17:17:52 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


TL;DR disable UPnP in Bitcoin Core as soon as possible, if you still have it enabled.

Upgrading to 0.11.1rc2 or 0.10.3rc2 will also solve the issue, as they bundle a newer libupnpc (as well as disable upnp usage by default.) However these versions are still in the release candidate cycle, there is some risk in using test versions.

See https://bitcoin.org/en/alert/2015-10-12-upnp-vulnerability for details

Wladimir
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJWG+rxAAoJEHSBCwEjRsmmh14H/jWEqINoAdb9CNE5pOiFv9FG
X51SCeZ/OCQXJ5qQGgcpMfP1w2fPFJwzrrJFIp9D8MUYXc9f6ZHo0A0Uc8LmPlrW
46Wu/TgN0N5XpJ8yDzDk1GxU3fGhGEX897SOxrt8NEUcrJBC1kaLlG01ma2Mf+VJ
wXsn++pgWO/9CCQzRIBNdJf1a8qnMsyRbryW7IsLNGiR4GRKzt9Hcp/p2vVxYFdD
bjVAWsEFnRga0ho0Kpnp5RxFZxVkL03ls6yj9wqZtlMHVGuyVWiwFqMjOV30wBfv
uENkWe/6veIU+Y3PmbuPJv79kRW2xTGZTl1RIKgJAdxVWPJy58a999AToIs/BWM=
=XC8t
-----END PGP SIGNATURE-----