| Summary: | bitcoin new security issues CVE-2019-15947 and CVE-2020-14198 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, joequant, ouaurelien, smelror, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://nvd.nist.gov/vuln/detail/CVE-2020-14198 | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | bitcoin-0.17.1-2.mga7.src.rpm | CVE: | CVE-2020-14198 |
| Status comment: | | | |
Description

Zombie Ryushu 2020-12-04 08:48:30 CET
Zombie Ryushu 2020-12-04 08:48:46 CET

CVE: (none) => CVE-2020-14198

CVE-2020-14198 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14198
The issue is fixed upstream in 0.20.1.

Source RPM: bitcoin => bitcoin-0.17.1-2.mga7.src.rpm

Hi, thanks for reporting this bug. I added the committers in CC.
(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => mageia

Doesn't seem to be an issue. Cauldron has 0.20.1 and M7 has 0.17.1.

Status: NEW => UNCONFIRMED

Thus Mageia 7 is affected.

Status: UNCONFIRMED => NEW

Ouch. Is the thing to do to just package 0.20.1 for MGA7?

Yes, unless you can find patches. There is also CVE-2019-15947:
https://security.gentoo.org/glsa/202009-18

Summary: bitcoin new security issue CVE-2020-14198 => bitcoin new security issues CVE-2019-15947 and CVE-2020-14198

Bitcoin 0.20.1 built for Mageia 7. Better to just bump everything up to latest release than mess with patches.

bitcoind-0.20.1-1.mga7
bitcoin-qt-0.20.1-1.mga7
libbitcoinconsensus0-0.20.1-1.mga7
libbitcoinconsensus-devel-0.20.1-1.mga7

from bitcoin-0.20.1-1.mga7.src.rpm

Assignee: mageia => qa-bugs

No installation issues. Referenced Bug 23681 for test procedure. (Thank you, Claire)

Ensured bitcoin-qt started loading the block chain. As it said it would need two weeks to complete the download, I stopped it after a while.

As root, altered /etc/bitcoin.conf to use testnet=1, removing the preceding #.

Started bitcoin daemon and checked status.

# systemctl start bitcoin.service
# systemctl status bitcoin.service
● bitcoin.service - Bitcoin
   Loaded: loaded (/usr/lib/systemd/system/bitcoin.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Sun 2020-12-13 18:09:47 EST; 22s ago
  Process: 6578 ExecStart=/usr/bin/bitcoind $BITCOIND_PARAMS (code=exited, status=0/SUCCESS)
 Main PID: 6578 (code=exited, status=0/SUCCESS)

Dec 13 18:09:47 localhost.localdomain systemd[1]: Started Bitcoin.
Dec 13 18:09:47 localhost.localdomain systemd[1]: bitcoin.service: Succeeded.

Seems to be OK. Validating. Needs an advisory yet.

Whiteboard: (none) => MGA7-64-OK

Suggested Advisory:
========================

This update addresses the following CVEs:
- CVE-2019-15947
- CVE-2020-14198

Updated bitcoin packages fix security vulnerabilities

Multiple vulnerabilities have been discovered in Bitcoin.

In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command (CVE-2019-15947)

Bitcoin Core 0.20.0 allows remote denial of service (CVE-2020-14198)

References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15947
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14198
- https://security.gentoo.org/glsa/202009-18
========================

Updated packages in core/updates_testing:
========================
bitcoind-0.20.1-1.mga7
bitcoin-qt-0.20.1-1.mga7
libbitcoinconsensus0-0.20.1-1.mga7
libbitcoinconsensus-devel-0.20.1-1.mga7

from SRPM: bitcoin-0.20.1-1.mga7.src.rpm

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0458.html

Status: NEW => RESOLVED
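The checks that follow from this thread, as an added shell example that is not part of the bug report, the Mageia package or Bitcoin Core: a version test matching the QA step (treating anything below the 0.20.1 shipped by this update as unfixed on Mageia 7), the testnet=1 edit to /etc/bitcoin.conf that the tester made by hand, and a byte-aligned scan for the "6231 0500" pattern named in the CVE-2019-15947 description, run over a core-file stand-in. The function names, the sample bitcoin.conf and the stand-in core file are constructed for the example; reading the bytes 62 31 05 00 as the Berkeley DB btree magic that opens a wallet.dat is my interpretation, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the Mageia bug, the bitcoin package or Bitcoin Core.
# Assumptions: the fix version for Mageia 7 is the 0.20.1 shipped by this update;
# /etc/bitcoin.conf carries testnet as a commented "#testnet=1" line, as in the
# QA comment; rpm is only consulted when present, so everything runs offline.

FIXED_VERSION="0.20.1"

# vercmp A B: print -1, 0 or 1 for A<B, A==B, A>B on dotted versions.
# Pure sh+awk, so it needs neither sort -V nor rpmdev-vercmp.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] + 0 : 0
            y = (i in B) ? B[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# bitcoin_affected VERSION: succeed when VERSION (optionally carrying an rpm
# release suffix such as 0.17.1-2.mga7) is older than FIXED_VERSION.
bitcoin_affected() {
    v=${1%%-*}
    [ "$(vercmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# installed_bitcoin_version: print the installed bitcoind version via rpm,
# or fail quietly when rpm is missing or the package is not installed.
installed_bitcoin_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    v=$(rpm -q --qf '%{VERSION}' bitcoind 2>/dev/null) || return 1
    printf '%s\n' "$v"
}

# testnet_enabled CONF: succeed when an active "testnet=1" line is present.
testnet_enabled() {
    grep -q '^[[:space:]]*testnet=1[[:space:]]*$' "$1"
}

# enable_testnet CONF: what the tester did by hand. Uncomment "#testnet=1" if
# present, otherwise append it; idempotent; writes through a temp copy so a
# failed sed leaves the original untouched.
enable_testnet() {
    conf=$1
    testnet_enabled "$conf" && return 0
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*#[[:space:]]*testnet=1[[:space:]]*$' "$conf"; then
        sed 's/^[[:space:]]*#[[:space:]]*testnet=1[[:space:]]*$/testnet=1/' "$conf" > "$tmp"
    else
        { cat "$conf"; printf 'testnet=1\n'; } > "$tmp"
    fi && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# wallet_magic_offset FILE: print the byte offset of the first byte-aligned
# 62 31 05 00 sequence (the advisory's "6231 0500" in xxd notation), or fail
# if absent. Matching whole bytes avoids the false positive a plain grep over
# a continuous hex dump gives when the nibbles line up off by one.
wallet_magic_offset() {
    od -An -v -tx1 "$1" | tr -s ' \n' '\n' | awk '
        NF { c = $1; n++
             if (a == "62" && b == "31" && d == "05" && c == "00") { print n - 4; found = 1; exit }
             a = b; b = d; d = c }
        END { exit !found }'
}

# Stand-alone demo on constructed inputs (not the tester's real files).
demo_conf=$(mktemp)
printf '# constructed sample resembling /etc/bitcoin.conf\n#testnet=1\nserver=1\n' > "$demo_conf"
enable_testnet "$demo_conf" && printf 'bitcoin.conf after enable_testnet:\n' && cat "$demo_conf"
rm -f "$demo_conf"

demo_core=$(mktemp)
printf 'CORE-FILE-STANDIN\142\061\005\000trailing data' > "$demo_core"
off=$(wallet_magic_offset "$demo_core") && printf 'wallet magic at byte offset %s\n' "$off"
rm -f "$demo_core"

for v in 0.17.1-2.mga7 0.18.0 0.20.1-1.mga7; do
    if bitcoin_affected "$v"; then printf '%s: affected, update to %s\n' "$v" "$FIXED_VERSION"
    else printf '%s: fixed\n' "$v"; fi
done
if v=$(installed_bitcoin_version); then
    bitcoin_affected "$v" && printf 'installed bitcoind %s is affected\n' "$v" || printf 'installed bitcoind %s is fixed\n' "$v"
else
    printf 'rpm not available or bitcoind not installed; skipping live check\n'
fi
```

On a real Mageia 7 box, `installed_bitcoin_version` does the live check against rpm; the rest works on any file, so the core-file scan can be pointed at a crash dump before it is shared with anyone.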