Bug 835610 (CVE-2021-42219, CVE-2022-37450, CVE-2023-40591, CVE-2023-42319) - net-p2p/go-ethereum: multiple vulnerabilities
Summary: net-p2p/go-ethereum: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2021-42219, CVE-2022-37450, CVE-2023-40591, CVE-2023-42319
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://docs.google.com/document/d/1d...
Whiteboard: ~3 [??]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-19 04:46 UTC by John Helmert III
Modified: 2023-11-24 21:40 UTC

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-19 04:46:06 UTC
CVE-2021-42219:

Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.

Yeah, the only reference is a Google Doc. I don't know what to make of this, but filing anyway so it doesn't get lost. CVE and "advisory" mention 1.10.9 and we currently have 1.10.14 in tree.
Comment 1 Larry the Git Cow gentoo-dev 2022-05-15 02:54:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95934a6cad470274b7797c1abceabfd66f3dfbf9

commit 95934a6cad470274b7797c1abceabfd66f3dfbf9
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-15 02:46:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-15 02:46:00 +0000

    net-p2p/go-ethereum: add 1.10.17
    
    Bug: https://bugs.gentoo.org/844496
    Bug: https://bugs.gentoo.org/835610
    Bug: https://bugs.gentoo.org/679066
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/go-ethereum/Manifest                   |  2 ++
 net-p2p/go-ethereum/go-ethereum-1.10.17.ebuild | 44 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-15 02:56:23 UTC
Still couldn't find any more info...
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-08 16:16:43 UTC
CVE-2022-37450 (https://news.ycombinator.com/item?id=32354896):
https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94
http://dx.doi.org/10.13140/RG.2.2.27813.99043
https://medium.com/@aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef

Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.

Unsure if a fixed version exists.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-24 21:40:31 UTC
CVE-2023-42319 (https://geth.ethereum.org/docs/fundamentals/security):
https://blog.mevsec.com/posts/geth-dos-with-graphql/

Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic."
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-24 21:40:52 UTC
CVE-2023-40591 (https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm):

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e., `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.

https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1