From: Antoine Riard
To: Bitcoin Development Mailing List
Date: Wed, 3 Jul 2024 10:12:55 -0700 (PDT)
Subject: [bitcoindev] Re: Public disclosure of 10 vulnerabilities affecting Bitcoin Core < 0.21.0

Hello Antoine,

Nothing really new in those 10 security advisories, I think one thing that
could be a benefit could be to assign a unique numeric identifier to each
sec advisory.

As OpenSSH showed this week this could be good to minimize risks of
regressions by favoring methodic screen of old vulnerabilities at review of
new changes.

On the security researcher / handler-side, having unique numeric
identifiers also makes it easier to coordinate mitigation patches
development and deployment.

Best,
Antoine (the other one).

On Wednesday, 3 July 2024 at 17:36:02 UTC+1, Antoine Poinsot wrote:

> Hi everyone,
>
> Today we are releasing 10 security advisories for the Bitcoin Core
> project. Those bugs affect versions of Bitcoin Core before (and not
> including) 0.21.0.
>
> This is part of the gradual adoption by the project of a new vulnerability
> disclosure policy.
>
> The policy and the 10 security advisories can be found on the project's
> website at https://bitcoincore.org/en/security-advisories .
>
> We will follow up later in July to publicly disclose vulnerabilities fixed
> in version 22.0. And then in August to disclose those fixed in version
> 23.0, and so on until we run out of old unmaintained versions to disclose
> vulnerabilities for. The announced policy will then start to be observed
> for new versions.
>
> Antoine Poinsot
