Bitcoin Forum
May 12, 2024, 11:26:42 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Wallet software > [Lightning-dev] CVEs assigned for lightning projects: please upgrade!
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: [Lightning-dev] CVEs assigned for lightning projects: please upgrade!  (Read 184 times)
Baofeng (OP)
Legendary
*
Offline Offline

Activity: 2590
Merit: 1658



View Profile
August 31, 2019, 06:43:25 AM
Merited by Kemarit (1), ABCbits (1), hugeblack (1)
 #1
[Lightning-dev] CVEs assigned for lightning projects: please upgrade!

Quote
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Security issues have been found in various lightning projects which
could cause loss of funds.

Full details will be released in 4 weeks (2019-09-27), please uprade
well before then.

Effected releases:

    CVE-2019-12998 c-lightning < 0.7.1
    CVE-2019-12999 lnd < 0.7
    CVE-2019-13000 eclair <= 0.3

Cheers,
Rusty.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEFe6NbKsOfwz5mb/L2SAObNGtuPEFAl1o7UAACgkQ2SAObNGt
uPFR7xAAqlcY/gCzfx5Sl49BwLIvr5EZlKYxasIoU4FoiAxLN0sRMksBLY+gUA3L
7XuPi7oJSsnJc0Gvq6DnWo8W/jqAETgK0XeCyESdtX1tLeXMEiCoAXccRBT/hNbr
aHRiyeRO6YnrfzJN2CKStzXUvoVEvyB4lpMZ+dTJYdulOUs20ELU/zzSQe/syGnD
7kujvBVyk4LJIYQ9piGl1pc4Y8mORK2ttYCVk4HCy+eu1RGHRVze135ve2MhQVOd
Mzs57lqXM8k+ZUumD5eB6pgvENlFzgFVaywYvf7+RSZIx185qosHTbQU84icyunp
W68FhCk9DMUYlhU8lBVyX1qS1+YhBYvm79zK4lCSJ9CQBZ2Oox2tz9RuO/3DPSol
RCZ3+h8SCKai8ZASXhz4dL4nXSpdKNjJrQdRvp7I1e2netkZpaF2Dyd7FDvFnhad
SWP/juo/n9rmkyfbuxQYj5sdixV9G9cpV85BnQDX558r+AMRPVin/xs5NBZMknkN
S7Wc9aq8nlVUeoTV5+TnGbz8NPXyYLNSotJdwBnA+RWTD9emCBah3UOxVlJR7N5e
nZuumPauLJyZESzxvRDgQ0Hca7hMCMBh+xJ/OFDy+n4oHxFLihCtY3EktSE43v2N
+PXbLFXw9w7jSPxn5FgqzB9D/E/eqkLe/+UKsnQ0ji8trEd36DU=
=Z6RL
-----END PGP SIGNATURE-----

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-August/002130.html
███████████████████████
████████████████████
██████████████████
████████████████████
███▀▀▀█████████████████
███▄▄▄█████████████████
██████████████████████
██████████████████████
███████████████████████
█████████████████████
███████████████████
███████████████
████████████████████████
███████████████████████████
███████████████████████████
███████████████████████████
█████████▀▀██▀██▀▀█████████
█████████████▄█████████████
███████████████████████
████████████████████████
████████████▄█▄█████████
████████▀▀███████████
██████████████████
▀███████████████████▀
▀███████████████▀
█████████████████████████
O F F I C I A L   P A R T N E R S
▬▬▬▬▬▬▬▬▬▬
ASTON VILLA FC
BURNLEY FC
BK8?.
..PLAY NOW..
1715556402
Hero Member
*
Offline Offline

Posts: 1715556402

View Profile Personal Message (Offline)

Ignore
1715556402
1715556402
Reply with quote  #2
1715556402
Report to moderator
1715556402
Hero Member
*
Offline Offline

Posts: 1715556402

View Profile Personal Message (Offline)

Ignore
1715556402
1715556402
Reply with quote  #2
1715556402
Report to moderator
[BPIP] Who are your biggest merit fans? Who do you send all of your sMerit to? .. Do you.. MATR?? O_o
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1715556402
Hero Member
*
Offline Offline

Posts: 1715556402

View Profile Personal Message (Offline)

Ignore
1715556402
1715556402
Reply with quote  #2
1715556402
Report to moderator
1715556402
Hero Member
*
Offline Offline

Posts: 1715556402

View Profile Personal Message (Offline)

Ignore
1715556402
1715556402
Reply with quote  #2
1715556402
Report to moderator
Baofeng (OP)
Legendary
*
Offline Offline

Activity: 2590
Merit: 1658



View Profile
September 11, 2019, 07:31:37 PM
 #2
It's been confirmed that is has been exploited already:

Quote
We've confirmed instances of the CVE being exploited in the wild.  If you’re
not on the following versions of either of these implementations (these
versions are fully patched), then you need to upgrade now to avoid risk of
funds loss:
    * lnd v0.7.1 -- anything 0.7 and below is vulnerable
    * c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
    * eclair v0.3.1 -- anything 0.3 and below is vulnerable

We'd also like to remind the community that we still have limits in place on
the network to mitigate widespread funds loss, and please keep that in mind
when putting funds onto the network at this early stage.

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002148.html
███████████████████████
████████████████████
██████████████████
████████████████████
███▀▀▀█████████████████
███▄▄▄█████████████████
██████████████████████
██████████████████████
███████████████████████
█████████████████████
███████████████████
███████████████
████████████████████████
███████████████████████████
███████████████████████████
███████████████████████████
█████████▀▀██▀██▀▀█████████
█████████████▄█████████████
███████████████████████
████████████████████████
████████████▄█▄█████████
████████▀▀███████████
██████████████████
▀███████████████████▀
▀███████████████▀
█████████████████████████
O F F I C I A L   P A R T N E R S
▬▬▬▬▬▬▬▬▬▬
ASTON VILLA FC
BURNLEY FC
BK8?.
..PLAY NOW..
DaveF
Legendary
*
Offline Offline

Activity: 3472
Merit: 6271


Crypto Swap Exchange


View Profile WWW
September 28, 2019, 01:32:22 PM
 #3
Quote from: Baofeng on September 11, 2019, 07:31:37 PM
It's been confirmed that is has been exploited already:

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002148.html

So in the link posted above:

Quote
We've confirmed instances of the CVE being exploited in the wild.  If you’re
not on the following versions of either of these implementations (these
versions are fully patched), then you need to upgrade now to avoid risk of
funds loss:
    * lnd v0.7.1 -- anything 0.7 and below is vulnerable
    * c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
    * eclair v0.3.1 -- anything 0.3 and below is vulnerable


But in the actual "release" of the vulnerability (It had been discussed for a while on some hacker sites and at DefCon)

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html

They put this in the timeline:

Quote
2019-09-07: First conclusive evidence of exploit attempt in the wild.

While having this in the text above it:

Quote
While this long-standing bug had not been independently discovered, and thus
was unlikely to be discovered by a malicious party before being fixed, it did
provide an opportunity to test communications and methods of upgrade across
the entire lightning ecosystem.

That's some really good doublethink.

-Dave
█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████		▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pages: [1]
  Print  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Wallet software > [Lightning-dev] CVEs assigned for lightning projects: please upgrade!
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!