openSUSE has issued an advisory on October 4:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00012.html
The issue is fixed upstream in 0.16.3.
Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Done for Cauldron and mga6!
Advisory:
========================
Updated bitcoin packages fix security vulnerability:
Remote denial of service (application crash) exploitable by miners via duplicate input (CVE-2018-17144).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17144
https://lists.opensuse.org/opensuse-updates/2018-10/msg00012.html
========================
Updated packages in core/updates_testing:
========================
bitcoind-0.16.3-1.mga6
bitcoin-qt-0.16.3-1.mga6
libbitcoinconsensus0-0.16.3-1.mga6
libbitcoinconsensus-devel-0.16.3-1.mga6
from bitcoin-0.16.3-1.mga6.src.rpm
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA6TOO => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 6
David, I'm thinking that dogecoin is vulnerable to this too since it's based on the same code IIRC.
(In reply to David Walser from comment #3)
> David, I'm thinking that dogecoin is vulnerable to this too since it's based
> on the same code IIRC.
I just checked if dogecoin is also affected but our version is now too old and does not contain the vulnerable code/file.
https://github.com/dogecoin/dogecoin/pull/1526
https://github.com/dogecoin/dogecoin/commit/696b936aa3ab6f459d0e16f9805eaeb747a0036c
No "src/validation.cpp" and "test/functional/p2p_invalid_block.py" files found!
Cool, thanks David!
Testing complete mga6 64
Ensured bitcoin-qt began downloading the blockchain. There's too much of it to complete the download for this purpose so stopped after a while.
As root, altered /etc/bitcoin.conf to use testnet=1, removing the preceding #
Started bitcoin daemon and checked status.
# systemctl start bitcoin.service
# systemctl status bitcoin.service
● bitcoin.service - Bitcoin
   Loaded: loaded (/usr/lib/systemd/system/bitcoin.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-10-25 09:25:58 BST; 17s ago
 Main PID: 13886 (bitcoind)
   CGroup: /system.slice/bitcoin.service
           └─13886 /usr/bin/bitcoind -datadir=/var/lib/bitcoin -daemon -pid=/run/bitcoin/bitcoin.pid -conf=/etc/bitcoin.conf
Oct 25 09:25:58 localhost.localdomain systemd[1]: Started Bitcoin.
Whiteboard: (none) => mga6-64-ok
Keywords: (none) => has_procedure
Thank you, Claire. The whole thing is beyond me, but your tests sound good. Validating with a 64-bit only test, as I believe that few would use 32-bit systems with Bitcoin, anyway. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0415.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED