From: "Wladimir J. van der Laan"
To: Bitcoin development mailing list
Date: Mon, 12 Oct 2015 19:17:50 +0200
Message-ID: <20151012171749.GA25415@amethyst.visucore.com>
Subject: [bitcoin-dev] ALERT: Vulnerability in UPnP library used by Bitcoin Core

TL;DR disable UPnP in Bitcoin Core as soon as possible, if you still have it enabled.

Upgrading to 0.11.1rc2 or 0.10.3rc2 will also solve the issue, as they bundle a newer libupnpc (as well as disable UPnP usage by default). However, these versions are still in the release candidate cycle; there is some risk in using test versions.

See https://bitcoin.org/en/alert/2015-10-12-upnp-vulnerability for details

Wladimir