CVE-2013-4627 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4627): Unspecified vulnerability in bitcoind and Bitcoin-Qt 0.8.x allows remote attackers to cause a denial of service (memory consumption) via a large amount of tx message data. CVE-2013-3220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3220): bitcoind and Bitcoin-Qt before 0.4.9rc2, 0.5.x before 0.5.8rc2, 0.6.x before 0.6.5rc2, and 0.7.x before 0.7.3rc2, and wxBitcoin, do not properly consider whether a block's size could require an excessive number of database locks, which allows remote attackers to cause a denial of service (split) and enable certain double-spending capabilities via a large block that triggers incorrect Berkeley DB locking. CVE-2013-3219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3219): bitcoind and Bitcoin-Qt 0.8.x before 0.8.1 do not enforce a certain block protocol rule, which allows remote attackers to bypass intended access restrictions and conduct double-spending attacks via a large block that triggers incorrect Berkeley DB locking in older product versions. CVE-2012-4684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4684): The alert functionality in bitcoind and Bitcoin-Qt before 0.7.0 supports different character representations of the same signature data, but relies on a hash of this signature, which allows remote attackers to cause a denial of service (resource consumption) via a valid modified signature for a circulating alert. Couldn't find existing bugs for any of these CVEs, so filing here.
I probably could have split that up a bit better. Summary: CVE-2013-4627: <bitcoind-0.8.1. No action needed except maybe a GLSA. CVE-2013-3220: 0.4.9rc2 in tree and nothing else in the 0.4 branch in tree. 0.5.8rc2, 0.7.3rc2 likewise. 0.6.5rc2 needs to be stabilized. CVE-2013-3219: same as 2013-4627. CVE-2012-4684: Affects 0.6.3. 0.6.5rc2 can be stabilized. @maintainers: okay to stabilize 0.6.5rc2?
0.6.5rc2 is too old (it won't work at all); rc4 would, but I don't think I made an ebuild for it yet.
Will clean affected versions after the latest goes stable.
Closing as noglsa as per comment #1 in bug #484546