Disclosure of remote crash due to addr message spam
Nodes could be spammed with addr messsages, which could be used to crash them. A fix was released on September 14th, 2021 in Bitcoin Core v22.0.
Public disclosure of 2 vulnerabilities affecting Bitcoin Core < v22.0
176 views
Skip to first unread message
Niklas Goegge
Jul 31, 2024, 2:02:28 PMJul 31
to Bitcoin Development Mailing List
Hi everyone,
Today we are releasing 2 security advisories for the Bitcoin Core project. Those bugs affect versions of Bitcoin Core before (and not including) v22.0.
This is part of the gradual adoption by the project of a new vulnerability disclosure policy.
The policy and the 2 security advisories can be found on the project's website at https://bitcoincore.org/en/security-advisories .
We will follow up later in August to publicly disclose vulnerabilities fixed in version v23.0. And then in September to disclose those fixed in version v24.0, and so on until we run out of unmaintained versions to disclose vulnerabilities for. The announced policy will then start to be observed for new versions.
Niklas Gögge
Today we are releasing 2 security advisories for the Bitcoin Core project. Those bugs affect versions of Bitcoin Core before (and not including) v22.0.
This is part of the gradual adoption by the project of a new vulnerability disclosure policy.
The policy and the 2 security advisories can be found on the project's website at https://bitcoincore.org/en/security-advisories .
We will follow up later in August to publicly disclose vulnerabilities fixed in version v23.0. And then in September to disclose those fixed in version v24.0, and so on until we run out of unmaintained versions to disclose vulnerabilities for. The announced policy will then start to be observed for new versions.
Niklas Gögge
Peter Todd
Jul 31, 2024, 3:04:39 PMJul 31
to Niklas Goegge, Bitcoin Development Mailing List
On Wed, Jul 31, 2024 at 10:01:17AM -0700, Niklas Goegge wrote:
> Hi everyone,
>
> Today we are releasing 2 security advisories for the Bitcoin Core project.
> Those bugs affect versions of Bitcoin Core before (and not including)
> v22.0.
>
> This is part of the gradual adoption by the project of a new vulnerability
> disclosure policy.
>
> The policy and the 2 security advisories can be found on the project's
> website at https://bitcoincore.org/en/security-advisories .
You should say which two security vulnerabilities the newly disclosed ones
> Hi everyone,
>
> Today we are releasing 2 security advisories for the Bitcoin Core project.
> Those bugs affect versions of Bitcoin Core before (and not including)
> v22.0.
>
> This is part of the gradual adoption by the project of a new vulnerability
> disclosure policy.
>
> The policy and the 2 security advisories can be found on the project's
> website at https://bitcoincore.org/en/security-advisories .
actually are. The link does not make that clear at all.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
hashnoncemessage
Aug 4, 2024, 4:15:25 AMAug 4
to Peter Todd, Niklas Goegge, Bitcoin Development Mailing List
The disclosure dates should also please be included on that page.
For clarity, the advisories appear to be in reverse chronological order of their posting.
The two newest disclosures are the ones announced in OP
Disclosure of the impact of an infinite loop bug in the miniupnp dependency
Nodes could be crashed by a malicious UPnP device on the local network. A fix was released on September 14th, 2021 in Bitcoin Core v22.0.
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZqqKA%2BgrzscldhiU%40petertodd.org.
Reply all
Reply to author
Forward
0 new messages