Summary: | <net-p2p/bitcoind-25.0: denial of service | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | | |
Severity: | normal | CC: | luke-jr+gentoobugs, proxy-maint |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | A3 [glsa?] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 902099 | | |
Bug Blocks: | | | |

Description
John Helmert III
2023-06-09 04:24:51 UTC
Bitcoin Core 25.0 is now in the Bitcoin overlay. After some testing it would be good to get it cherry-picked into the main Gentoo repo.

    # eselect repository enable bitcoin

Oops, I forgot to update this bug.

net-p2p/bitcoin-core-25.1 (along with transitional packages) is now in the main Gentoo tree.

Maybe a Gentoo dev ought to drop the older, vulnerable versions.

(In reply to Matt Whitlock from comment #2)
> Oops, I forgot to update this bug.
>
> net-p2p/bitcoin-core-25.1 (along with transitional packages) is now in the
> main Gentoo tree.
>
> Maybe a Gentoo dev ought to drop the older, vulnerable versions.

Needs some stabilizing first though, I think?

(In reply to John Helmert III from comment #3)
> (In reply to Matt Whitlock from comment #2)
> > Maybe a Gentoo dev ought to drop the older, vulnerable versions.
>
> Needs some stabilizing first though, I think?

Yes, for sure. I don't really understand Gentoo's stabilization policy, but it seems to me a package usually gets stabilized if all older versions of it have some known vulnerability, which is the case here.

(In reply to Matt Whitlock from comment #4)
> Yes, for sure. I don't really understand Gentoo's stabilization policy, but
> it seems to me a package usually gets stabilized if all older versions of it
> have some known vulnerability, which is the case here.

The policy is to give the maintainer a lot of room to make a decision that benefits the package. I think in general we like to move packages to stable fairly quickly after a 30 day waiting period, but this can be changed both ways (e.g. wait longer if a new version is still experimental or has other issues, move faster if there are security concerns or a package is broken).