* [bitcoindev] Public disclosure of 2 vulnerabilities affecting Bitcoin Core < v22.0 @ 2024-07-31 17:01 Niklas Goegge 2024-07-31 19:01 ` Peter Todd 0 siblings, 1 reply; 3+ messages in thread From: Niklas Goegge @ 2024-07-31 17:01 UTC (permalink / raw) To: Bitcoin Development Mailing List [-- Attachment #1.1: Type: text/plain, Size: 1148 bytes --] Hi everyone, Today we are releasing 2 security advisories for the Bitcoin Core project. Those bugs affect versions of Bitcoin Core before (and not including) v22.0. This is part of the gradual adoption by the project of a new vulnerability disclosure policy. The policy and the 2 security advisories can be found on the project's website at https://bitcoincore.org/en/security-advisories . We will follow up later in August to publicly disclose vulnerabilities fixed in version v23.0. And then in September to disclose those fixed in version v24.0, and so on until we run out of unmaintained versions to disclose vulnerabilities for. The announced policy will then start to be observed for new versions. Niklas Gögge -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/bf5287e8-0960-45e8-9c90-64ffc5fdc9aan%40googlegroups.com. [-- Attachment #1.2: Type: text/html, Size: 1553 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [bitcoindev] Public disclosure of 2 vulnerabilities affecting Bitcoin Core < v22.0 2024-07-31 17:01 [bitcoindev] Public disclosure of 2 vulnerabilities affecting Bitcoin Core < v22.0 Niklas Goegge @ 2024-07-31 19:01 ` Peter Todd 2024-08-04 6:41 ` 'hashnoncemessage' via Bitcoin Development Mailing List 0 siblings, 1 reply; 3+ messages in thread From: Peter Todd @ 2024-07-31 19:01 UTC (permalink / raw) To: Niklas Goegge; +Cc: Bitcoin Development Mailing List [-- Attachment #1: Type: text/plain, Size: 1039 bytes --] On Wed, Jul 31, 2024 at 10:01:17AM -0700, Niklas Goegge wrote: > Hi everyone, > > Today we are releasing 2 security advisories for the Bitcoin Core project. > Those bugs affect versions of Bitcoin Core before (and not including) > v22.0. > > This is part of the gradual adoption by the project of a new vulnerability > disclosure policy. > > The policy and the 2 security advisories can be found on the project's > website at https://bitcoincore.org/en/security-advisories . You should say which two security vulnerabilities the newly disclosed ones actually are. The link does not make that clear at all. -- https://petertodd.org 'peter'[:-1]@petertodd.org -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZqqKA%2BgrzscldhiU%40petertodd.org. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [bitcoindev] Public disclosure of 2 vulnerabilities affecting Bitcoin Core < v22.0 2024-07-31 19:01 ` Peter Todd @ 2024-08-04 6:41 ` 'hashnoncemessage' via Bitcoin Development Mailing List 0 siblings, 0 replies; 3+ messages in thread From: 'hashnoncemessage' via Bitcoin Development Mailing List @ 2024-08-04 6:41 UTC (permalink / raw) To: Peter Todd; +Cc: Niklas Goegge, Bitcoin Development Mailing List [-- Attachment #1: Type: text/plain, Size: 2408 bytes --] The disclosure dates should also please be included on that page. For clarity, the advisories appear to be in reverse chronological order of their posting. The two newest disclosures are the ones announced in OP [Disclosure of remote crash due to addr message spam](https://bitcoincore.org/en/2024/07/31/disclose-addrman-int-overflow/) Nodes could be spammed with addr messsages, which could be used to crash them. A fix was released on September 14th, 2021 in Bitcoin Core v22.0. [Disclosure of the impact of an infinite loop bug in the miniupnp dependency](https://bitcoincore.org/en/2024/07/31/disclose-upnp-oom/) Nodes could be crashed by a malicious UPnP device on the local network. A fix was released on September 14th, 2021 in Bitcoin Core v22.0. On Wed, Jul 31, 2024 at 21:01, Peter Todd <[pete@petertodd.org](mailto:On Wed, Jul 31, 2024 at 21:01, Peter Todd <<a href=)> wrote: > On Wed, Jul 31, 2024 at 10:01:17AM -0700, Niklas Goegge wrote: >> Hi everyone, >> >> Today we are releasing 2 security advisories for the Bitcoin Core project. >> Those bugs affect versions of Bitcoin Core before (and not including) >> v22.0. >> >> This is part of the gradual adoption by the project of a new vulnerability >> disclosure policy. >> >> The policy and the 2 security advisories can be found on the project's >> website at https://bitcoincore.org/en/security-advisories . > > You should say which two security vulnerabilities the newly disclosed ones > actually are. The link does not make that clear at all. > > -- > https://petertodd.org 'peter'[:-1]@petertodd.org > > -- > You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZqqKA%2BgrzscldhiU%40petertodd.org. -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZGhOmx0cu1iFlx-rixCamesD8EL25jxiTuzSHROj9EW3n1GIeIazTEIhziicy8_4BX9sxUmxJnY0-Zl3qHpTBzQiigfkmkz8vC2Ju-ZztBY%3D%40proton.me. [-- Attachment #2: Type: text/html, Size: 4564 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-08-04 8:15 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2024-07-31 17:01 [bitcoindev] Public disclosure of 2 vulnerabilities affecting Bitcoin Core < v22.0 Niklas Goegge 2024-07-31 19:01 ` Peter Todd 2024-08-04 6:41 ` 'hashnoncemessage' via Bitcoin Development Mailing List
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox