Bitcoin Forum
Author Topic: Vulnerability  (Read 212 times)
LFC_Bitcoin
June 24, 2019, 03:40:03 PM
 #1

Is there a reason for people running a node to be concerned? Are stored funds at risk?





Two relatively minor vulnerabilities will likely be disclosed sometime soon.

The first vulnerability, CVE-2017-18350, was introduced in v0.7.0 (released in
2012 September), and affects all versions released until the fix was included
in v0.15.1 (released in 2017 November). No versions prior to v0.15.1 are
expected to be fixed.

The second vulnerability, CVE-2018-20586, was introduced in v0.12.0 (released
in 2016 February), and affects all versions released until the fix was
included in v0.17.1 (released in 2018 December). As of today, this fix has
NOT been backported to older versions. When/if v0.15.3 and v0.16.4 are
released, they may also include a fix, but due to the minor severity of this
vulnerability, it does not merit a dedicated release on its own. (The git
branches are also NOT fixed at this time.)

Please be sure you have upgraded to a fixed version no later than August 1st.


https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-June/017040.html
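
A version check against the two ranges quoted in the post above, as an added example that is not part of the thread or of Bitcoin Core. The function names are hypothetical, the `/Satoshi:x.y.z/` form is the `subversion` string a node reports via `getnetworkinfo`, and treating a release candidate of a fixed version as still affected is a conservative assumption; the ranges reflect the announcement as quoted, before any backports.

```python
import re

# Ranges exactly as stated in the quoted announcement:
# (CVE id, first affected release, first fixed release).
ADVISORY = [
    ("CVE-2017-18350", (0, 7, 0), (0, 15, 1)),
    ("CVE-2018-20586", (0, 12, 0), (0, 17, 1)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(rc\d+)?")


def parse_version(text):
    """Parse 'v0.16.3', '0.15.0.1', '0.17.1rc1' or '/Satoshi:0.18.0/'.

    Returns (version, is_rc). The version is padded to four components
    so that 0.15.0.1 sorts between 0.15.0 and 0.15.1.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) if p else 0 for p in m.group(1, 2, 3, 4))
    return parts, m.group(5) is not None


def affected_cves(version_text):
    """Return the CVE ids from ADVISORY that apply to this version."""
    version, is_rc = parse_version(version_text)
    hits = []
    for cve, introduced, fixed in ADVISORY:
        lo, hi = introduced + (0,), fixed + (0,)
        # Assumption: an rc of the fixed version is not vouched for by the
        # announcement, so it is reported as still affected.
        if lo <= version < hi or (version == hi and is_rc):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real node.
    for sample in ["/Satoshi:0.14.2/", "v0.15.1", "0.16.3",
                   "0.17.1rc1", "/Satoshi:0.17.1/", "0.6.3"]:
        found = affected_cves(sample)
        print(f"{sample:20} {', '.join(found) if found else 'not in either range'}")
```
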



Royse777
June 24, 2019, 03:52:43 PM
 #2

Is there a reason for people running a node to be concerned? Are stored funds at risk?
I am not an expert, but I do not think the funds are at risk; however, it is always good to update your core when an update is available.

HeRetiK
June 24, 2019, 04:12:39 PM
 #3

Is there a reason for people running a node to be concerned? Are stored funds at risk?

We'll know more once said vulnerabilities have been officially disclosed; at this point we can only guess. However, since luke has been referring to those vulnerabilities as "minor", I doubt that any funds are at risk.

ETFbitcoin
June 24, 2019, 05:17:20 PM
 #4

If stored funds are at risk, they wouldn't say they found minor vulnerabilities, but high or critical vulnerabilities.

But if you have serious concerns about security, privacy or ease-of-use, you should be concerned.

LFC_Bitcoin
June 24, 2019, 05:22:53 PM
 #5

theymos is usually pretty quick to tell us about this kind of stuff.

Royse777
June 25, 2019, 09:49:53 AM
 #6

theymos is usually pretty quick to tell us about this kind of stuff.
achow101 as well is one of the best people to assist you here.

achow101
June 25, 2019, 02:19:59 PM
Merited by Foxpup (4), bones261 (2)
 #7

I am actually unsure about the details of these two vulnerabilities. However, I think that they don't affect coin storage or security (that would be considered a major vulnerability and probably be announced by some other method). It is likely that these vulns are related to DoS attacks.

Even so, I would recommend that you upgrade your node as soon as possible just to be safe.

seoincorporation
June 25, 2019, 03:29:20 PM
 #8

We have already discussed this in the Spanish section, and it is crazy how devs can say things like this. I mean, if they find a vulnerability then they should give precise information about it, but if they say a vulnerability will come, it is like a crazy prediction.

If someone has info about these vulns please share it with us.

achow101
June 25, 2019, 03:48:44 PM
Merited by Foxpup (2), bones261 (2), seoincorporation (1)
 #9

We have already discussed this in the Spanish section, and it is crazy how devs can say things like this. I mean, if they find a vulnerability then they should give precise information about it, but if they say a vulnerability will come, it is like a crazy prediction.
It isn't a prediction. Luke-jr knows exactly what the vulnerabilities are and is letting everyone know that there exist vulnerabilities and that people should upgrade before he discloses what those vulnerabilities are. By informing everyone that there are vulnerabilities in certain versions, he gives people time (and a reason) to upgrade before malicious actors are able to know what the vulnerabilities are and exploit them.

The whole point of the pre-announcement is so that when the vulnerability details are available (and thus anyone technical could understand and exploit them), everyone will already be upgraded so that it is safe to reveal what the vulnerabilities are.

seoincorporation
June 25, 2019, 05:25:25 PM
 #10

...

You are right, thanks for sharing your point of view. In the end we don't want the bad guys to know the vulnerability before the coders' team, and it is a smarter way to warn the community publicly than to try to solve the bug alone while the hackers could take advantage of it.

You really changed the way I see the race between hackers and crackers: it is about who finds the vuln first, one to fix it and another one to exploit it. Thanks.
