Bitcoin Core 0.20.0 allows remote denial of service.
The issue is fixed upstream in 0.20.1.
Bitcoin Core 0.20.0 allows remote denial of service. => bitcoin new security issue CVE-2020-14198
Hi, thanks for reporting this bug.
I added the committers in CC.
(Please set the status to 'assigned' if you are working on it)
geiger.david68210, joequant, smelror
Doesn't seem to be an issue. Cauldron has 0.20.1 and M7 has 0.17.1
Thus Mageia 7 is affected.
Ouch. Is the thing to do to just package 0.20.1 for MGA7?
Yes, unless you can find patches. There is also CVE-2019-15947:
bitcoin new security issue CVE-2020-14198 => bitcoin new security issues CVE-2019-15947 and CVE-2020-14198
Bitcoin 0.20.1 built for Mageia 7. Better to just bump everything up to latest release than mess with patches.
No installation issues. Referenced Bug 23681 for test procedure. (Thank you, Claire)
Ensured bitcoin-qt started loading the block chain. As it said it would need two weeks to complete the download, I stopped it after a while.
As root, altered /etc/bitcoin.conf to use testnet=1, removing the preceding #.
Started bitcoin daemon and checked status.
# systemctl start bitcoin.service
# systemctl status bitcoin.service
● bitcoin.service - Bitcoin
Loaded: loaded (/usr/lib/systemd/system/bitcoin.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Sun 2020-12-13 18:09:47 EST; 22s ago
Process: 6578 ExecStart=/usr/bin/bitcoind $BITCOIND_PARAMS (code=exited, status=0/SUCCESS)
Main PID: 6578 (code=exited, status=0/SUCCESS)
Dec 13 18:09:47 localhost.localdomain systemd: Started Bitcoin.
Dec 13 18:09:47 localhost.localdomain systemd: bitcoin.service: Succeeded.
Seems to be OK.
Validating. Needs an advisory yet.
This update addresses the following CVE:
Updated bitcoin packages fix security vulnerabilities
Multiple vulnerabilities have been discovered in Bitcoin.
In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command (CVE-2019-15947).
Bitcoin Core 0.20.0 allows remote denial of service (CVE-2020-14198).
Updated packages in core/updates_testing:
from SRPM: bitcoin-0.20.1-1.mga7.src.rpm
An update for this issue has been pushed to the Mageia Updates repository.