Date: Wed, 3 Jul 2024 10:12:55 -0700 (PDT)
From: Antoine Riard <antoine.riard@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <a3a30a30-a28b-4348-a0bd-5a70714997e7n@googlegroups.com>
In-Reply-To: <xsylfaVvODFtrvkaPyXh0mIc64DWMCchxiVdTApFqJ_0Q5v0bOoDpS_36HwDKmzdDO9U2RKMzESEiVaq47FTamegi2kCNtVZeDAjSR4G7Ic=@protonmail.com>
References: <xsylfaVvODFtrvkaPyXh0mIc64DWMCchxiVdTApFqJ_0Q5v0bOoDpS_36HwDKmzdDO9U2RKMzESEiVaq47FTamegi2kCNtVZeDAjSR4G7Ic=@protonmail.com>
Subject: [bitcoindev] Re: Public disclosure of 10 vulnerabilities affecting Bitcoin Core < 0.21.0
Hello Antoine,
Nothing really new in those 10 security advisories. I think one thing that could be a benefit would be to assign a unique numeric identifier to each security advisory.

As OpenSSH showed this week, this could be good to minimize the risk of regressions by favoring a methodical screening of old vulnerabilities at review of new changes.

On the security researcher / handler side, having unique numeric identifiers also makes it easier to coordinate mitigation patch development and deployment.
Best,
Antoine (the other one).
On Wednesday, 3 July 2024 at 17:36:02 UTC+1, Antoine Poinsot wrote:
> Hi everyone,
>
> Today we are releasing 10 security advisories for the Bitcoin Core project. Those bugs affect versions of Bitcoin Core before (and not including) 0.21.0.
>
> This is part of the gradual adoption by the project of a new vulnerability disclosure policy.
>
> The policy and the 10 security advisories can be found on the project's website at https://bitcoincore.org/en/security-advisories .
>
> We will follow up later in July to publicly disclose vulnerabilities fixed in version 22.0. And then in August to disclose those fixed in version 23.0, and so on until we run out of old unmaintained versions to disclose vulnerabilities for. The announced policy will then start to be observed for new versions.
>
> Antoine Poinsot
>