Title: [Lightning-dev] CVEs assigned for lightning projects: please upgrade!
Post by: Baofeng on August 31, 2019, 06:43:25 AM

[Lightning-dev] CVEs assigned for lightning projects: please upgrade!
Quote
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Security issues have been found in various lightning projects which could cause loss of funds. Full details will be released in 4 weeks (2019-09-27), please upgrade well before then.

Affected releases:

CVE-2019-12998 c-lightning < 0.7.1
CVE-2019-12999 lnd < 0.7
CVE-2019-13000 eclair <= 0.3

Cheers,
Rusty.

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-August/002130.html

Title: Re: [Lightning-dev] CVEs assigned for lightning projects: please upgrade!
Post by: Baofeng on September 11, 2019, 07:31:37 PM

It's been confirmed that it has been exploited already:
Quote
We've confirmed instances of the CVE being exploited in the wild. If you’re not on the following versions of either of these implementations (these versions are fully patched), then you need to upgrade now to avoid risk of funds loss:

* lnd v0.7.1 -- anything 0.7 and below is vulnerable
* c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
* eclair v0.3.1 -- anything 0.3 and below is vulnerable

We'd also like to remind the community that we still have limits in place on the network to mitigate widespread funds loss, and please keep that in mind when putting funds onto the network at this early stage.

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002148.html

Title: Re: [Lightning-dev] CVEs assigned for lightning projects: please upgrade!
Post by: DaveF on September 28, 2019, 01:32:22 PM

Quote
It's been confirmed that it has been exploited already:
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002148.html

So in the link posted above:

Quote
We've confirmed instances of the CVE being exploited in the wild. If you’re not on the following versions of either of these implementations (these versions are fully patched), then you need to upgrade now to avoid risk of funds loss:

* lnd v0.7.1 -- anything 0.7 and below is vulnerable
* c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
* eclair v0.3.1 -- anything 0.3 and below is vulnerable

But in the actual "release" of the vulnerability (it had been discussed for a while on some hacker sites and at DefCon)
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html
they put this in the timeline:

Quote
2019-09-07: First conclusive evidence of exploit attempt in the wild.

While having this in the text above it:

Quote
While this long-standing bug had not been independently discovered, and thus was unlikely to be discovered by a malicious party before being fixed, it did provide an opportunity to test communications and methods of upgrade across the entire lightning ecosystem.

That's some really good doublethink.

-Dave
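A version-triage script for the affected ranges quoted in this thread, added here as an example (it is not code from the Lightning-dev list, lnd, c-lightning or eclair). It takes the fully patched versions from the 11 September follow-up, assumes version strings of the shapes named in its comments, and the sample inventory is constructed.

```python
"""Triage node versions against the affected ranges in the advisory above.
Added example (not from the Lightning-dev list or any of the projects); the
fully patched versions are those named in the 2019-09-11 follow-up post."""
import re

# Implementation -> (CVE from the advisory, first fully patched version).
FIXED = {
    "c-lightning": ("CVE-2019-12998", (0, 7, 1)),
    "lnd":         ("CVE-2019-12999", (0, 7, 1)),
    "eclair":      ("CVE-2019-13000", (0, 3, 1)),
}

# Accepts 'v0.7.1', '0.7', '0.7.1-beta commit=...', '0.3.1-6906ecb' and similar.
_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+\s].*)?$")

def parse_version(text):
    """(major, minor, patch); missing parts are 0, so '0.7' is 0.7.0 as in the
    advisory's 'anything 0.7 and below'. Text after '-', '+' or a space is
    dropped (assumption: fits lnd's '-beta' tags, but treats an rc as final)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())

def is_vulnerable(implementation, version_text):
    """True if the reported version predates the patched release."""
    return parse_version(version_text) < FIXED[implementation][1]

def triage(inventory):
    """inventory: iterable of (node, implementation, version_string). Returns
    (needs_upgrade, unknown): (node, cve, version) for nodes predating the fix,
    (node, impl, version) for unknown implementations or unparsable versions."""
    needs_upgrade, unknown = [], []
    for node, impl, version in inventory:
        try:
            if is_vulnerable(impl, version):
                needs_upgrade.append((node, FIXED[impl][0], version))
        except (KeyError, ValueError):
            unknown.append((node, impl, version))
    return needs_upgrade, unknown

# Constructed sample inventory for demonstration, not real nodes.
SAMPLE = [
    ("alpha", "lnd", "0.7.1-beta commit=v0.7.1-beta"),
    ("bravo", "lnd", "0.7.0-beta"),
    ("charlie", "c-lightning", "v0.7.0"),
    ("delta", "eclair", "0.3-abcdef1"),
    ("echo", "lnd", "unknown"),
]
```

Anything in the `unknown` list (an implementation not covered by the advisory, or a version string the parser does not recognise) still needs a manual check rather than being assumed safe.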