public inbox for bitcoindev@googlegroups.com
* [bitcoindev] Public disclosure of 10 vulnerabilities affecting Bitcoin Core < 0.21.0
@ 2024-07-03 16:34 'Antoine Poinsot' via Bitcoin Development Mailing List
  2024-07-03 17:12 ` [bitcoindev] " Antoine Riard
  0 siblings, 1 reply; 3+ messages in thread
From: 'Antoine Poinsot' via Bitcoin Development Mailing List @ 2024-07-03 16:34 UTC (permalink / raw)
  To: Bitcoin Development Mailing List

Hi everyone,

Today we are releasing 10 security advisories for the Bitcoin Core project. Those bugs affect versions of Bitcoin Core before (and not including) 0.21.0.

This is part of the gradual adoption by the project of a new vulnerability disclosure policy.

The policy and the 10 security advisories can be found on the project's website at https://bitcoincore.org/en/security-advisories .

We will follow up later in July to publicly disclose vulnerabilities fixed in version 22.0. And then in August to disclose those fixed in version 23.0, and so on until we run out of old unmaintained versions to disclose vulnerabilities for. The announced policy will then start to be observed for new versions.

Antoine Poinsot

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/xsylfaVvODFtrvkaPyXh0mIc64DWMCchxiVdTApFqJ_0Q5v0bOoDpS_36HwDKmzdDO9U2RKMzESEiVaq47FTamegi2kCNtVZeDAjSR4G7Ic%3D%40protonmail.com.


* [bitcoindev] Re: Public disclosure of 10 vulnerabilities affecting Bitcoin Core < 0.21.0
  2024-07-03 16:34 [bitcoindev] Public disclosure of 10 vulnerabilities affecting Bitcoin Core < 0.21.0 'Antoine Poinsot' via Bitcoin Development Mailing List
@ 2024-07-03 17:12 ` Antoine Riard
  2024-07-10  7:40   ` 'Antoine Poinsot' via Bitcoin Development Mailing List
  0 siblings, 1 reply; 3+ messages in thread
From: Antoine Riard @ 2024-07-03 17:12 UTC (permalink / raw)
  To: Bitcoin Development Mailing List


Hello Antoine,

Nothing really new in those 10 security advisories, I think one thing that 
could be a benefit could be to assign a unique numeric identifier to each 
sec advisory.

As OpenSSH showed this week, this could be good to minimize risks of 
regressions by favoring methodical screening of old vulnerabilities at review of 
new changes.

On the security researcher / handler-side, having unique numeric 
identifiers also makes it easier to coordinate mitigation patches 
development and deployment.

Best,
Antoine (the other one).

On Wednesday, July 3, 2024 at 17:36:02 UTC+1, Antoine Poinsot wrote:

> Hi everyone,
>
> Today we are releasing 10 security advisories for the Bitcoin Core 
> project. Those bugs affect versions of Bitcoin Core before (and not 
> including) 0.21.0.
>
> This is part of the gradual adoption by the project of a new vulnerability 
> disclosure policy.
>
> The policy and the 10 security advisories can be found on the project's 
> website at https://bitcoincore.org/en/security-advisories .
>
> We will follow up later in July to publicly disclose vulnerabilities fixed 
> in version 22.0. And then in August to disclose those fixed in version 
> 23.0, and so on until we run out of old unmaintained versions to disclose 
> vulnerabilities for. The announced policy will then start to be observed 
> for new versions.
>
> Antoine Poinsot
>


* Re: [bitcoindev] Re: Public disclosure of 10 vulnerabilities affecting Bitcoin Core < 0.21.0
  2024-07-03 17:12 ` [bitcoindev] " Antoine Riard
@ 2024-07-10  7:40   ` 'Antoine Poinsot' via Bitcoin Development Mailing List
  0 siblings, 0 replies; 3+ messages in thread
From: 'Antoine Poinsot' via Bitcoin Development Mailing List @ 2024-07-10  7:40 UTC (permalink / raw)
  To: Antoine Riard; +Cc: Bitcoin Development Mailing List

Hey Antoine,

> I think one thing that could be a benefit could be to assign a unique numeric identifier to each sec advisory.

Those are underway. We retroactively requested CVE numbers for historical issues from MITRE.

Best,
Antoine (the other other one).

On Tuesday, July 9th, 2024 at 3:16 AM, Antoine Riard <antoine.riard@gmail•com> wrote:

> Hello Antoine,
>
> Nothing really new in those 10 security advisories, I think one thing that could be a benefit could be to assign a unique numeric identifier to each sec advisory.
>
> As OpenSSH showed this week, this could be good to minimize risks of regressions by favoring methodical screening of old vulnerabilities at review of new changes.
>
> On the security researcher / handler-side, having unique numeric identifiers also makes it easier to coordinate mitigation patches development and deployment.
>
> Best,
> Antoine (the other one).
>
> On Wednesday, July 3, 2024 at 17:36:02 UTC+1, Antoine Poinsot wrote:
>
>> Hi everyone,
>>
>> Today we are releasing 10 security advisories for the Bitcoin Core project. Those bugs affect versions of Bitcoin Core before (and not including) 0.21.0.
>>
>> This is part of the gradual adoption by the project of a new vulnerability disclosure policy.
>>
>> The policy and the 10 security advisories can be found on the project's website at https://bitcoincore.org/en/security-advisories .
>>
>> We will follow up later in July to publicly disclose vulnerabilities fixed in version 22.0. And then in August to disclose those fixed in version 23.0, and so on until we run out of old unmaintained versions to disclose vulnerabilities for. The announced policy will then start to be observed for new versions.
>>
>> Antoine Poinsot

