From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Mon, 08 Jul 2024 18:16:19 -0700
Received: from mail-yb1-f192.google.com ([209.85.219.192])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBC3PT7FYWAMRBWU6WK2AMGQEZLY6OFA@googlegroups.com>)
	id 1sQzSs-0005J1-JS
	for bitcoindev@gnusha.org; Mon, 08 Jul 2024 18:16:18 -0700
Received: by mail-yb1-f192.google.com with SMTP id 3f1490d57ef6-e032d4cf26asf8903759276.3
        for <bitcoindev@gnusha.org>; Mon, 08 Jul 2024 18:16:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1720487772; x=1721092572; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:sender:from
         :to:cc:subject:date:message-id:reply-to;
        bh=OQdwbuRy6Mv0rzjZ0OT0g6asSsrpO5hhixwPOSuk9zg=;
        b=fROGi3RHYCxT7aL2chGE24HUra4IyS1gjx38hnkML2L2X6Fkb3grRsyOHE5guFPCT2
         7MXZ9/g0Nr7rUGox9t6tixZUnRR1T4xlZmdwklwwd6KPuUppN7YDMrNg8sKqXdDa0hZr
         KyU3YxVbq2aMInht7tp2uyLtkZ7xNOpp68teFzx18c7b8+wPR4T4APrTvmZUdRwPpydO
         5ptTdEEAA7mtUPFxJZ9nqo8iCw2trFNplB9tXBkTYReDeqNtNPH2mG7rTe1IRYP8xQVV
         /6/YIlcEilMxD1r9Aak7fqf+x5Tk2nLfaPzEiWC1+UEylJk0e3wUYq/9Ess58Myy+kWn
         XfpA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1720487772; x=1721092572; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:from:to:cc
         :subject:date:message-id:reply-to;
        bh=OQdwbuRy6Mv0rzjZ0OT0g6asSsrpO5hhixwPOSuk9zg=;
        b=NSuZ9NG19jwrBGNT5l+zZWEIoJMSvyaQOpkH8Ssv9+48TnIDBwZOC3RSQmvBqz9WV+
         T2avNie0jLAmxIt9dnn31k5fTnBC8ttEOVeSPsiT9KlWjmO1Xm9lJO8f8yvwQRIeqRUC
         v9EAEYjqCtQci2VjPawyPBATst5CZnw972dWzBwuKJR9/hDm0WhRvzzoERbe3vs2+Aqt
         G9u6dbDYoFsrGiGSHgS/Bo96NTOh+nZG+BHwQ9rqoKeOQ7hRhPqCimJPG2J44EtVv+Zb
         O6fIDMqalqvfVm1jAjl/2ZlKVWImaVFtLlZMhYWaArcwCKQcFS4IwyuXuNQBq8OLNXsR
         S+UQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1720487772; x=1721092572;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:x-beenthere
         :x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :reply-to;
        bh=OQdwbuRy6Mv0rzjZ0OT0g6asSsrpO5hhixwPOSuk9zg=;
        b=prJRApVCeGiN2BTOftO4yaF4hwoe/eilBuSyra6eTW1G8cfRl8tpKYCYrPfpN6pjNC
         GPpP1ZgktSo0XDtndycIXNgcC8BbnSXk900a7iEJfQb3n7/W0TPHLCnKa3ROspDIuiSF
         Q+YmnjzBRSMKgUOwAz22cLLi2EqKp6u8AX7yofx3aK23HxMLDLhmZzfmEc9WhCs8Uy3g
         7+OkURlaLpgQAxrLdEuCBqz0ELE3eNoTyuCRUxTxO+z7u1rJMhi5qS1O/+D3aHCMoZ90
         bjR6xP1bBpAlFKnFYk3tmgsdAKkDoNjQPR1S6ETl0NN/+bVmz8PtkeyrvoqHVmY4PwW7
         KYVw==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCWdzDh51trEdFvJFAXe+X3okJftr9jVCg0e39GcK7ovRvAm+5/u0p9hs40TdlWUSwqb/iuh9xgMSg9pkZP3PI/Rhu/QPJs=
X-Gm-Message-State: AOJu0YxfNnKkTVQ8P4gmCmQkTMEM5HiPWAPmCQiANGJ06KCeEwkvAZyP
	hW9gIty4s9YHWkToeljAcrLdAW6G9BaRUVuvvC/SqpSTs7gbC6mj
X-Google-Smtp-Source: AGHT+IHUN6OrvWJuGLJYlXyKNAoUAronb9nE5NL/ZoRAI7ygjoHRsUL8a1MdgggVVdiPG1/r4Am29g==
X-Received: by 2002:a25:b19d:0:b0:e03:4f47:aada with SMTP id 3f1490d57ef6-e041b060f59mr1539773276.25.1720487772242;
        Mon, 08 Jul 2024 18:16:12 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:a05:6902:120d:b0:e02:b40e:8e90 with SMTP id
 3f1490d57ef6-e03bd1d5d32ls1490676276.2.-pod-prod-09-us; Mon, 08 Jul 2024
 18:16:10 -0700 (PDT)
X-Received: by 2002:a05:690c:380e:b0:62d:a29:537e with SMTP id 00721157ae682-658ef53b41dmr326147b3.4.1720487770773;
        Mon, 08 Jul 2024 18:16:10 -0700 (PDT)
Received: by 2002:a05:690c:4289:b0:63b:c3b0:e1c with SMTP id 00721157ae682-6514011671ams7b3;
        Wed, 3 Jul 2024 10:12:56 -0700 (PDT)
X-Received: by 2002:a05:6902:727:b0:e03:52c8:ad30 with SMTP id 3f1490d57ef6-e03ad9005e7mr132034276.3.1720026775866;
        Wed, 03 Jul 2024 10:12:55 -0700 (PDT)
Date: Wed, 3 Jul 2024 10:12:55 -0700 (PDT)
From: Antoine Riard <antoine.riard@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <a3a30a30-a28b-4348-a0bd-5a70714997e7n@googlegroups.com>
In-Reply-To: <xsylfaVvODFtrvkaPyXh0mIc64DWMCchxiVdTApFqJ_0Q5v0bOoDpS_36HwDKmzdDO9U2RKMzESEiVaq47FTamegi2kCNtVZeDAjSR4G7Ic=@protonmail.com>
References: <xsylfaVvODFtrvkaPyXh0mIc64DWMCchxiVdTApFqJ_0Q5v0bOoDpS_36HwDKmzdDO9U2RKMzESEiVaq47FTamegi2kCNtVZeDAjSR4G7Ic=@protonmail.com>
Subject: [bitcoindev] Re: Public disclosure of 10 vulnerabilities affecting
 Bitcoin Core < 0.21.0
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_122502_1618442064.1720026775642"
X-Original-Sender: antoine.riard@gmail.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.5 (/)

------=_Part_122502_1618442064.1720026775642
Content-Type: multipart/alternative; 
	boundary="----=_Part_122503_1220747874.1720026775642"

------=_Part_122503_1220747874.1720026775642
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello Antoine,

Nothing really new in those 10 security advisories, I think one thing that=
=20
could be a benefit could be to assign a unique numeric identifier to each=
=20
sec advisory.

As openssh showed this week this could be good to minimize risks of=20
regressions by favoring methodic screen of old vulnerabilities at review of=
=20
new changes.

On the security researcher / handler-side, having unique numeric=20
identifiers make it also easier to coordinate mitigation patches=20
development and deployment.

Best,
Antoine (the other one).

Le mercredi 3 juillet 2024 =C3=A0 17:36:02 UTC+1, Antoine Poinsot a =C3=A9c=
rit :

> Hi everyone,
>
> Today we are releasing 10 security advisories for the Bitcoin Core=20
> project. Those bugs affect versions of Bitcoin Core before (and not=20
> including) 0.21.0.
>
> This is part of the gradual adoption by the project of a new vulnerabilit=
y=20
> disclosure policy.
>
> The policy and the 10 security advisories can be found on the project's=
=20
> website at https://bitcoincore.org/en/security-advisories .
>
> We will follow up later in july to publicly disclose vulnerabilities fixe=
d=20
> in version 22.0. And then in august to disclose those fixed in version=20
> 23.0, and so on until we run out of old unmaintained versions to disclose=
=20
> vulnerabilities for. The announced policy will then start to be observed=
=20
> for new versions.
>
> Antoine Poinsot
>

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/=
bitcoindev/a3a30a30-a28b-4348-a0bd-5a70714997e7n%40googlegroups.com.

------=_Part_122503_1220747874.1720026775642
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello Antoine,<div><br /></div><div>Nothing really new in those 10 security=
 advisories, I think one thing that could be a benefit could be to assign a=
 unique numeric identifier to each sec advisory.</div><div><br /></div><div=
>As openssh showed this week this could be good to minimize risks of regres=
sions by favoring methodic screen of old vulnerabilities at review of new c=
hanges.</div><div><br /></div><div>On the security researcher / handler-sid=
e, having unique numeric identifiers make it also easier to coordinate miti=
gation patches development and deployment.</div><div><br /></div><div>Best,=
</div><div>Antoine (the other one).<br /><br /></div><div class=3D"gmail_qu=
ote"><div dir=3D"auto" class=3D"gmail_attr">Le mercredi 3 juillet 2024 =C3=
=A0 17:36:02 UTC+1, Antoine Poinsot a =C3=A9crit=C2=A0:<br/></div><blockquo=
te class=3D"gmail_quote" style=3D"margin: 0 0 0 0.8ex; border-left: 1px sol=
id rgb(204, 204, 204); padding-left: 1ex;">Hi everyone,
<br>
<br>Today we are releasing 10 security advisories for the Bitcoin Core proj=
ect. Those bugs affect versions of Bitcoin Core before (and not including) =
0.21.0.
<br>
<br>This is part of the gradual adoption by the project of a new vulnerabil=
ity disclosure policy.
<br>
<br>The policy and the 10 security advisories can be found on the project&#=
39;s website at <a href=3D"https://bitcoincore.org/en/security-advisories" =
target=3D"_blank" rel=3D"nofollow" data-saferedirecturl=3D"https://www.goog=
le.com/url?hl=3Dfr&amp;q=3Dhttps://bitcoincore.org/en/security-advisories&a=
mp;source=3Dgmail&amp;ust=3D1720112766726000&amp;usg=3DAOvVaw0ZIGVGNIhgpYTc=
1sZGwO_d">https://bitcoincore.org/en/security-advisories</a> .
<br>
<br>We will follow up later in july to publicly disclose vulnerabilities fi=
xed in version 22.0. And then in august to disclose those fixed in version =
23.0, and so on until we run out of old unmaintained versions to disclose v=
ulnerabilities for. The announced policy will then start to be observed for=
 new versions.
<br>
<br>Antoine Poinsot
<br></blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion on the web visit <a href=3D"https://groups.google.c=
om/d/msgid/bitcoindev/a3a30a30-a28b-4348-a0bd-5a70714997e7n%40googlegroups.=
com?utm_medium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msg=
id/bitcoindev/a3a30a30-a28b-4348-a0bd-5a70714997e7n%40googlegroups.com</a>.=
<br />

------=_Part_122503_1220747874.1720026775642--

------=_Part_122502_1618442064.1720026775642--