Summary: | net-p2p/bitcoind: Timing leak (CVE-2013-4165) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | blueness, flow, luke-jr+gentoobugs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/bitcoin/bitcoin/issues/2838 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-07-26 20:02:40 UTC
CVE-2013-4165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4165): The HTTPAuthorized function in bitcoinrpc.cpp in bitcoind 0.8.1 provides information about authentication failure upon detecting the first incorrect byte of a password, which makes it easier for remote attackers to determine passwords via a timing side-channel attack. Not a real concern, as RPC is not exposed to any untrusted interfaces (the options exist, but it is not recommended or supported). Closing fixed, 0.8.5 has been stabilized in the meantime. |