https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14198

The issue is fixed upstream in 0.20.1.

Source RPM: bitcoin => bitcoin-0.17.1-2.mga7.src.rpm
Summary: Bitcoin Core 0.20.0 allows remote denial of service. => bitcoin new security issue CVE-2020-14198

Hi, thanks for reporting this bug.
I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, joequant, smelror

Doesn't seem to be an issue.  Cauldron has 0.20.1 and M7 has 0.17.1

Status: NEW => UNCONFIRMED
Ever confirmed: 1 => 0

Thus Mageia 7 is affected.

Status: UNCONFIRMED => NEW
Ever confirmed: 0 => 1

Ouch.  Is the thing to do to just package 0.20.1 for MGA7?

Yes, unless you can find patches.  There is also CVE-2019-15947:
https://security.gentoo.org/glsa/202009-18

Summary: bitcoin new security issue CVE-2020-14198 => bitcoin new security issues CVE-2019-15947 and CVE-2020-14198

Bitcoin 0.20.1 built for mageia 7.  Better to just bump everything up to latest release than mess with patches.

bitcoind-0.20.1-1.mga7
bitcoin-qt-0.20.1-1.mga7
libbitcoinconsensus0-0.20.1-1.mga7
libbitcoinconsensus-devel-0.20.1-1.mga7

from bitcoin-0.20.1-1.mga7.src.rpm

Assignee: mageia => qa-bugs

No installation issues. Referenced Bug 23681 for test procedure. (Thank you, Claire)

Ensured bitcoin-qt started loading the block chain. As it said it would need two weeks to complete the download, I stopped it after a while.

As root, altered /etc/bitcoin.conf to use testnet=1, removing the preceding #

Started bitcoin daemon and checked status.

# systemctl start bitcoin.service
# systemctl status bitcoin.service
● bitcoin.service - Bitcoin
   Loaded: loaded (/usr/lib/systemd/system/bitcoin.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Sun 2020-12-13 18:09:47 EST; 22s ago
  Process: 6578 ExecStart=/usr/bin/bitcoind $BITCOIND_PARAMS (code=exited, status=0/SUCCESS)
 Main PID: 6578 (code=exited, status=0/SUCCESS)

Dec 13 18:09:47 localhost.localdomain systemd[1]: Started Bitcoin.
Dec 13 18:09:47 localhost.localdomain systemd[1]: bitcoin.service: Succeeded.

Seems to be OK.

Validating. Needs an advisory yet.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Suggested Advisory:
========================
This update addresses the following CVE:
-  CVE-2019-15947
-  CVE-2020-14198

Updated bitcoin packages fix security vulnerabilities

Multiple vulnerabilities have been discovered in Bitcoin.

In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command (CVE-2019-15947)

Bitcoin Core 0.20.0 allows remote denial of service (CVE-2020-14198)

references:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15947
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14198
 - https://security.gentoo.org/glsa/202009-18
========================

Updated packages in core/updates_testing:
========================
bitcoind-0.20.1-1.mga7
bitcoin-qt-0.20.1-1.mga7
libbitcoinconsensus0-0.20.1-1.mga7
libbitcoinconsensus-devel-0.20.1-1.mga7

from SRPM: bitcoin-0.20.1-1.mga7.src.rpm

Keywords: (none) => advisory
CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0458.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED