Vulnerability

[LFC_Bitcoin]

Is there a reason for people running a node to be concerned? Are stored funds at risk?

Two relatively minor vulnerabilities will likely be disclosed sometime soon.

The first vulnerability, CVE-2017-18350, was introduced in v0.7.0 (released in
2012 September), and affects all versions released until the fix was included
in v0.15.1 (released in 2017 November). No versions prior to v0.15.1 are
expected to be fixed.

The second vulnerability, CVE-2018-20586, was introduced in v0.12.0 (released
in 2016 February), and affects all versions released until the fix was
included in v0.17.1 (released in 2018 December). As of today, this fix has
NOT been backported to older versions. When/if v0.15.3 and v0.16.4 are
released, they may also include a fix, but due to the minor severity of this
vulnerability, it does not merit a dedicated release on its own. (The git
branches are also NOT fixed at this time.)

Please be sure you have upgraded to a fixed version no later than August 1st.

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-June/017040.html

[AB de Royse777]

Is there a reason for people running a node to be concerned? Are stored funds at risk?

I am not an expert but I do not think the funds are at risk however it is always good to update your core when an update is available.

[HeRetiK]

Is there a reason for people running a node to be concerned? Are stored funds at risk?

We'll know more once said vulnerabilities have been officially disclosed, at this point we can only guess. However since luke has been referring to those vulnerabilities as "minor" I doubt that any funds are at risk.

[LFC_Bitcoin]

theymos is usually pretty quick to tell us about this kind of stuff.

[AB de Royse777]

theymos is usually pretty quick to tell us about this kind of stuff.

achow101  as well is one of the best person to assist you here.

[achow101]

I am actually unsure about the details of these two vulnerabilities. However I think that they don't effect coin storage or security (that would be considered a major vulnerability and probably be announced by some other method). It is likely that these vulns are related to DoS attacks.

Even so, I would recommend that you upgrade your node as soon as possible just to be safe.

[seoincorporation]

We have already discussed this in the spanish section and is crazy to how can devs say things like this, i mean, if they find a vulnerability then should give precise information about it, but if they say a vulnerability will come is like a crazy prediction.

If someone has info about these vulns please share it with us.

[achow101]

We have already discussed this in the spanish section and is crazy to how can devs say things like this, i mean, if they find a vulnerability then should give precise information about it, but if they say a vulnerability will come is like a crazy prediction.

It isn't a prediction. Luke-jr knows exactly what the vulnerabilities are and is letting everyone know that there exist vulnerabilities and that people should upgrade before he discloses what those vulnerabilities are. By informing everyone that there are vulnerabilities in certain versions, he gives people time (and a reason) to upgrade before malicious actors are able to know what the vulnerabilities are and exploit them.

The whole point of the pre-announcement is so that when the vulnerability details are available (and thus anyone technical could understand and exploit them), everyone will already be upgraded so that it is safe to reveal what the vulnerabilities are.

[seoincorporation]

...

You are right, thank for sharing your point of view, at the end we don't want the bad guys to know the vulnerability before the coders team, and is a smart way to warn the community by a public way, than try to solve the bug alone while the hackers could take advantage of it.

You really change my way to see the race between hackers and crackers, is about who find the vuln first, one to fix it and another one to exploit it, thanks.