public inbox for bitcoindev@googlegroups.com
From: Luke Dashjr <luke@dashjr.org>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Cc: security@bitcoincore.org
Subject: [bitcoin-dev] PSA: Upcoming disclosure of pre-v0.17.1 vulnerabilities
Date: Sat, 22 Jun 2019 23:42:52 +0000
Message-ID: <201906222342.56016.luke@dashjr.org>

Two relatively minor vulnerabilities will likely be disclosed sometime soon.

The first vulnerability, CVE-2017-18350, was introduced in v0.7.0 (released in 
2012 September), and affects all versions released until the fix was included 
in v0.15.1 (released in 2017 November). No versions prior to v0.15.1 are 
expected to be fixed.

The second vulnerability, CVE-2018-20586, was introduced in v0.12.0 (released 
in 2016 February), and affects all versions released until the fix was 
included in v0.17.1 (released in 2018 December). As of today, this fix has 
NOT been backported to older versions. When/if v0.15.3 and v0.16.4 are 
released, they may also include a fix, but due to the minor severity of this 
vulnerability, it does not merit a dedicated release on its own. (The git 
branches are also NOT fixed at this time.)

Please be sure you have upgraded to a fixed version no later than August 1st.

