Partial LND Vulnerability Disclosure, Upgrade to 0.11.x

Conner Fromknecht

Oct 8, 2020, 8:19:21 PM
to lightning-dev, lnd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

We are writing to let the Lightning community know about the existence of
vulnerabilities that affect lnd versions 0.10.x and below. The full details of
these vulnerabilities will be disclosed on October 20, 2020. The circumstances
surrounding the discovery resulted in a compressed disclosure timeline compared
to our usual timeframes. We will be publishing more details about this in the
coming weeks along with a comprehensive bug bounty program.

While we have no reason to believe these vulnerabilities have been exploited in
the wild, we strongly urge the community to upgrade to lnd 0.11.0 or above ASAP.
Please ping us on the #lnd IRC channel, the LND Slack, or at
sup...@lightning.engineering if you need any assistance in doing so. Upgrade
instructions can be found in our installation docs:
https://github.com/lightningnetwork/lnd/blob/master/docs/INSTALL.md#installing-lnd.

Regards,
Conner Fromknecht
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Conner Fromknecht

Oct 9, 2020, 8:32:59 PM
to lightning-dev, lnd
Hi all,

For those looking to verify the gpg signature, please be sure the support email
is formatted correctly. For example, the archive replaces "@" with " at ", and
apparently Google Groups trims "support" to "sup...". If you run into issues,
please double check the plaintext matches verbatim with what was sent on
lightning-dev.

Cheers,
Conner