Your message dated Thu, 26 Nov 2020 20:59:11 +0100
with message-id <160642075119.3174893.12889989194053987...@auryn.jones.dk>
and subject line Re: Bug#939608: bitcoin: CVE-2019-15947
has caused the Debian Bug report #939608,
regarding bitcoin: CVE-2019-15947
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
939608: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939608
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bitcoin
Version: 0.18.1~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for bitcoin.
CVE-2019-15947[0]:
| In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted
| in memory. Upon a crash, it may dump a core file. If a user were to
| mishandle a core file, an attacker can reconstruct the user's
| wallet.dat file, including their private keys, via a grep "6231 0500"
| command.
The severity is a bit exaggerated here, but given the package is only
in testing and unstable, before the buster release this might be
considered RC and need fixing. But it's a long road to there.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-15947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15947
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.2.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
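The CVE text above boils down to a forensic check (does a core file contain Berkeley DB pages from wallet.dat?) and a mitigation (do not let the process leave a core file). The following is an added example written for this page; it is not code from the bug report, from Debian, or from Bitcoin Core. It assumes that "6231 0500" is the xxd-style rendering of the byte sequence 62 31 05 00, i.e. the little-endian encoding of Berkeley DB's btree magic 0x053162 stored at offset 12 of the database's first page, and it uses a constructed in-memory image in place of a real core dump. The byte-level scanner also shows why grepping xxd output is an unreliable check: xxd groups bytes in pairs and breaks lines every 16 bytes, so a magic that starts at an odd offset or straddles a line boundary is missed by the grep but still present in the dump.

```python
"""Scan a memory image (core dump stand-in) for Berkeley DB page headers.

Added example, not part of the bug report or of Bitcoin Core. Requires a
Unix-like host for the `resource` module used by disable_core_dumps().
"""
import re
import resource
from typing import Iterator, List

# Berkeley DB btree metadata-page magic (DB_BTREEMAGIC). It is stored
# little-endian at offset 12 of the first page, so in memory it reads
# 62 31 05 00 -- the "6231 0500" pattern quoted in the CVE text.
DB_BTREEMAGIC = 0x053162
BDB_MAGIC_BYTES = DB_BTREEMAGIC.to_bytes(4, "little")
MAGIC_OFFSET_IN_PAGE = 12


def hexdump_pattern_to_bytes(pattern: str) -> bytes:
    """Turn an xxd-style pattern such as "6231 0500" into raw bytes."""
    digits = re.sub(r"\s+", "", pattern)
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
        raise ValueError(f"not a hex byte pattern: {pattern!r}")
    return bytes.fromhex(digits)


def find_bdb_magic(image: bytes) -> List[int]:
    """Return every offset at which the BDB btree magic occurs in `image`.

    Byte-granular, so it does not care about alignment; the candidate
    page starts MAGIC_OFFSET_IN_PAGE bytes before each returned offset.
    """
    hits = []
    start = 0
    while True:
        i = image.find(BDB_MAGIC_BYTES, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def xxd_hex_lines(image: bytes, width: int = 16) -> Iterator[str]:
    """Emulate the hex column of `xxd` output: 2-byte groups, 16 bytes/line."""
    for off in range(0, len(image), width):
        chunk = image[off:off + width]
        yield " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))


def xxd_grep_would_match(image: bytes, pattern: str) -> bool:
    """Emulate `xxd image | grep "<pattern>"`; False on odd offsets or
    when the magic straddles a 16-byte line, even though it is present."""
    needle = " ".join(pattern.split()).lower()
    return any(needle in line for line in xxd_hex_lines(image))


def build_sample_image(page_offset: int) -> bytes:
    """Constructed stand-in for a core dump: deterministic filler with one
    minimal BDB page header (12 zero bytes, then the magic) embedded."""
    filler = bytes(range(256)) * 16          # 4096 bytes, never contains the magic
    header = bytes(MAGIC_OFFSET_IN_PAGE) + BDB_MAGIC_BYTES
    return filler[:page_offset] + header + filler[page_offset:]


def disable_core_dumps() -> bool:
    """Process-side mitigation: lower RLIMIT_CORE to 0 so a crash leaves
    no core file. Lowering a limit needs no privilege. Returns True if
    the limit is now (0, 0). This is a generic measure, not a claim about
    what upstream changed for the CVE."""
    try:
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
        return resource.getrlimit(resource.RLIMIT_CORE) == (0, 0)
    except (ValueError, OSError):
        return False


if __name__ == "__main__":
    for off in (100, 101, 114):
        img = build_sample_image(off)
        print(f"page at {off}: scanner={find_bdb_magic(img)} "
              f"xxd|grep matches={xxd_grep_would_match(img, '6231 0500')}")
    print("core dumps disabled:", disable_core_dumps())
```

On a real core file the same scanner is run over the file bytes (or over `/proc/<pid>/mem` of a live process with ptrace rights); every hit is a page of the unencrypted wallet database to be treated as key material, which is the point of the CVE. The RLIMIT_CORE mitigation only stops the kernel from writing a classic core file; it does not remove the plaintext from process memory, so swap, hibernation images and debugger attachment remain out of its scope.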
--- Begin Message ---
Version: 0.20.1~dfsg-1
Quoting Salvatore Bonaccorso (2019-09-06 21:18:30)
> The following vulnerability was published for bitcoin.
>
> CVE-2019-15947[0]:
> | In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted
> | in memory. Upon a crash, it may dump a core file. If a user were to
> | mishandle a core file, an attacker can reconstruct the user's
> | wallet.dat file, including their private keys, via a grep "6231 0500"
> | command.
>
> The severity is a bit exaggerated here, but given the package is only
> in testing and unstable, before the buster release this might be
> considered RC and need fixing. But it's a long road to there.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-15947
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15947
>
> Please adjust the affected versions in the BTS as needed.
This issue was fixed upstream since Debian release 0.20.1~dfsg-1.
I forgot to list the CVE in the changelog - that will be solved with
next release.
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
--- End Message ---