US Computer Emergency Readiness Team / nist.gov publish 2year old bitcoin vulns

[julz]

http://www.us-cert.gov/cas/bulletins/SB12-226.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5139

which references the discussion thread: https://bitcointalk.org/index.php?topic=822.0


Why now?  Is it standard practice to release such old warnings?

With wording like:
"allows remote attackers to bypass intended economic restrictions and create many bitcoins via a crafted Bitcoin transaction."
and
"Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service"

It's potentially damaging If people don't notice how old it is I would have thought.

[1713571590]

1713571590

[1713571590]

1713571590

[1713571590]

1713571590

[1713571590]

1713571590

[1713571590]

1713571590

[niko]

Good catch, julz. I have mixed feelings about this, but currently lean towards "great!" - essentially, a US government agency is recommending Bitcoin users to upgrade to the latest clients. 
Bitcoin is listed there with the likes of Cisco. I like.

[rjk]

Those CVE numbers were issued a while back, but I guess they only just got around to publishing the actual vulnerability?

[BkkCoins]

Maybe it took 2 years for the bureaucracy to decide that Bitcoin was ok for them to comment on or publish about. That could be a good sign. Or it's part of a new ramping up of disinformation against Bitcoin.

[niko]

Maybe it took 2 years for the bureaucracy to decide that Bitcoin was ok for them to comment on or publish about. That could be a good sign. Or it's part of a new ramping up of disinformation against Bitcoin.

NIST is about as close as you can get to a "friendly government" in the US. Their findings are of course in the public domain, but also - unlike many other agencies - in most cases directly applicable to real life.

Unless new information emerges soon, I'd call this a good sign, even if it's slow and confusing in some ways.