Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 760108 (CVE-2020-26240, CVE-2020-26241, CVE-2020-26242, CVE-2020-26264, CVE-2020-26265)

Summary: <net-p2p/go-ethereum-1.10.0: Multiple vulnerabilities (CVE-2020-{26240,26241,26242,26264,26265})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 06:18:59 UTC 
* CVE-2020-26265

A consensus-vulnerability in Geth could cause a chain split, where vulnerable versions refuse to accept the canonical chain.

https://github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4

* CVE-2020-26264

A DoS vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client.

https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q

* CVE-2020-26242

Denial-of-service (crash) during block processing.

https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m

* CVE-2020-26241

This is a Consensus vulnerability, which can be used to cause a chain-split where vulnerable nodes reject the canonical chain.

https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf

* CVE-2020-26240

An ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected.

https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 06:20:15 UTC 
Please bump.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-05 17:49:12 UTC 
Ping Mathy.
Comment 3 Larry the Git Cow gentoo-dev 2021-03-05 17:58:05 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77ec64563bbc2f428e016c006004cf033e54abc4

commit 77ec64563bbc2f428e016c006004cf033e54abc4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-03-05 17:56:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-05 17:57:16 +0000

    net-p2p/go-ethereum: (security) bump to 1.10.0
    
    Bug: https://bugs.gentoo.org/760108
    Closes: https://bugs.gentoo.org/757096
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/go-ethereum/Manifest                  | 492 ++++++++++++++++++
 net-p2p/go-ethereum/go-ethereum-1.10.0.ebuild | 720 ++++++++++++++++++++++++++
 2 files changed, 1212 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-24 06:04:02 UTC 
Tree clean, all done!