The CVE specifically says CPUminer which is not used for Bitcoin anymore (or shouldn't be), not CGminer. Can someone who has the ability to change CVE Bug Reports fix this?

On Sat, Dec 20, 2014 at 9:22 PM, Michael Gilbert <mgilb...@debian.org> wrote:
> Package: cgminer
> Severity: important
> Tags: security
>
> Hi,
>
> the following vulnerability was published for cgminer.
>
> CVE-2014-6251[0]:
> | Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote
> | attackers to have an unspecified impact by sending a mining.subscribe
> | response with a large nonce2 length, then triggering the overflow with
> | a mining.notify request.
>
> Details are sparse, and note that the report is about cpuminer rather
> than cgminer, but since the two share a lot of code, I couldn't easily
> rule out cgminer being affected, so some research needs to be done.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-6251
>
> Please adjust the affected versions in the BTS as needed.

--
Shawn L. Djernes
SD Consulting LLC
sdjer...@gmail.com
402.345.7734 | 402.350.6973 Cell
Fax: 888.297.6310
Apple Certified Consultant