Bitcoin Core 0.20.0 allows remote denial of service.
CVE: (none) => CVE-2020-14198
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14198 The issue is fixed upstream in 0.20.1.
Source RPM: bitcoin => bitcoin-0.17.1-2.mga7.src.rpm
Summary: Bitcoin Core 0.20.0 allows remote denial of service. => bitcoin new security issue CVE-2020-14198
Hi, thanks for reporting this bug. I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, joequant, smelror
Doesn't seem to be an issue. Cauldron has 0.20.1 and M7 has 0.17.1
Status: NEW => UNCONFIRMED
Ever confirmed: 1 => 0
Thus Mageia 7 is affected.
Status: UNCONFIRMED => NEW
Ever confirmed: 0 => 1
Ouch. Is the thing to do to just package 0.20.1 for MGA7?
Yes, unless you can find patches. There is also CVE-2019-15947: https://security.gentoo.org/glsa/202009-18
Summary: bitcoin new security issue CVE-2020-14198 => bitcoin new security issues CVE-2019-15947 and CVE-2020-14198
Bitcoin 0.20.1 built for Mageia 7. Better to just bump everything up to latest release than mess with patches.
bitcoind-0.20.1-1.mga7
bitcoin-qt-0.20.1-1.mga7
libbitcoinconsensus0-0.20.1-1.mga7
libbitcoinconsensus-devel-0.20.1-1.mga7

from bitcoin-0.20.1-1.mga7.src.rpm
Assignee: mageia => qa-bugs
No installation issues. Referenced Bug 23681 for test procedure. (Thank you, Claire)

Ensured bitcoin-qt started loading the block chain. As it said it would need two weeks to complete the download, I stopped it after a while.

As root, altered /etc/bitcoin.conf to use testnet=1, removing the preceding #

Started bitcoin daemon and checked status.

# systemctl start bitcoin.service
# systemctl status bitcoin.service
● bitcoin.service - Bitcoin
   Loaded: loaded (/usr/lib/systemd/system/bitcoin.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Sun 2020-12-13 18:09:47 EST; 22s ago
  Process: 6578 ExecStart=/usr/bin/bitcoind $BITCOIND_PARAMS (code=exited, status=0/SUCCESS)
 Main PID: 6578 (code=exited, status=0/SUCCESS)

Dec 13 18:09:47 localhost.localdomain systemd[1]: Started Bitcoin.
Dec 13 18:09:47 localhost.localdomain systemd[1]: bitcoin.service: Succeeded.

Seems to be OK. Validating. Needs an advisory yet.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Suggested Advisory:
========================

This update addresses the following CVE:
- CVE-2019-15947
- CVE-2020-14198

Updated bitcoin packages fix security vulnerabilities

Multiple vulnerabilities have been discovered in Bitcoin.

In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command (CVE-2019-15947)

Bitcoin Core 0.20.0 allows remote denial of service (CVE-2020-14198)

references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15947
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14198
- https://security.gentoo.org/glsa/202009-18
========================

Updated packages in core/updates_testing:
========================
bitcoind-0.20.1-1.mga7
bitcoin-qt-0.20.1-1.mga7
libbitcoinconsensus0-0.20.1-1.mga7
libbitcoinconsensus-devel-0.20.1-1.mga7

from SRPM:
bitcoin-0.20.1-1.mga7.src.rpm
Keywords: (none) => advisory
CC: (none) => ouaurelien
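As an added example (not part of this bug report, the advisory, or Mageia's packaging tooling), the following POSIX sh script checks whether installed bitcoin package versions are at or above the fixed upstream release 0.20.1 named in the advisory. The package names and the fixed version come from the advisory text above; the sample list of installed packages is constructed to stand in for the output of `rpm -qa 'bitcoin*' 'libbitcoinconsensus*'` on a not-yet-updated Mageia 7 host, and only numeric dotted version fields are compared (the -1.mga7 release tag is stripped before comparing).

```shell
#!/bin/sh
# Added example: decide whether installed bitcoin packages are at or above
# the fixed upstream version from the advisory (0.20.1 for Mageia 7).
# Not part of the bug report or of Mageia's own tooling.

FIXED_VERSION="0.20.1"

# Extract the upstream version from a package NVR:
#   bitcoin-qt-0.17.1-2.mga7 -> 0.17.1
# Drops the trailing "-release" part, then keeps what follows the last dash.
nvr_version() {
    v="${1%-*}"
    echo "${v##*-}"
}

# True (return 0) when dotted version $1 >= dotted version $2.
# Fields are compared numerically from the left; a missing field counts as 0.
# Only numeric fields are handled (no "rc" suffixes), which suffices here.
version_ge() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Print one verdict line per NVR given as an argument.
# Returns 1 if any package is still below the fixed version, else 0.
check_packages() {
    rc=0
    for nvr in "$@"; do
        ver=$(nvr_version "$nvr")
        if version_ge "$ver" "$FIXED_VERSION"; then
            echo "OK         $nvr (>= $FIXED_VERSION)"
        else
            echo "VULNERABLE $nvr (< $FIXED_VERSION)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: what a Mageia 7 host might report before the
# update was applied (stands in for: rpm -qa 'bitcoin*' 'libbitcoinconsensus*').
SAMPLE_INSTALLED="bitcoind-0.17.1-2.mga7 bitcoin-qt-0.17.1-2.mga7 libbitcoinconsensus0-0.17.1-2.mga7"

if check_packages $SAMPLE_INSTALLED; then
    echo "all bitcoin packages at or above $FIXED_VERSION"
else
    echo "update to bitcoin-0.20.1-1.mga7 (or later) required"
fi
```

On a real host, replace the constructed SAMPLE_INSTALLED list with the actual rpm -qa output; the script only answers "is the upstream version high enough", it does not verify package signatures or that the daemon was restarted after the update.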
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0458.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED