From conner at lightning.engineering Sat Oct 10 00:32:47 2020
From: conner at lightning.engineering (Conner Fromknecht)
Date: Fri, 9 Oct 2020 17:32:47 -0700
Subject: [Lightning-dev] Partial LND Vulnerability Disclosure, Upgrade to 0.11.x
In-Reply-To:
References:
Message-ID:

Hi all,

For those looking to verify the gpg signature, please be sure the support email
is formatted correctly. For example, the archive replaces "@" with " at ", and
apparently google groups trims "support" to "sup...".

If you run into issues, please double check the plaintext matches verbatim with
what was sent on lightning-dev.

Cheers,
Conner

On Thu, Oct 8, 2020 at 5:19 PM Conner Fromknecht wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi all,
>
> We are writing to let the Lightning community know about the existence of
> vulnerabilities that affect lnd versions 0.10.x and below. The full details of
> these vulnerabilities will be disclosed on October 20, 2020. The circumstances
> surrounding the discovery resulted in a compressed disclosure timeline compared
> to our usual timeframes. We will be publishing more details about this in the
> coming weeks along with a comprehensive bug bounty program.
>
> While we have no reason to believe these vulnerabilities have been exploited in
> the wild, we strongly urge the community to upgrade to lnd 0.11.0 or above ASAP.
> Please ping us on the #lnd IRC channel, the LND Slack, or at
> support at lightning.engineering if you need any assistance in doing so. Upgrade
> instructions can be found in our installation docs:
> https://github.com/lightningnetwork/lnd/blob/master/docs/INSTALL.md#installing-lnd.
>
> Regards,
> Conner Fromknecht
> -----BEGIN PGP SIGNATURE-----
> -----END PGP SIGNATURE-----