"Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with nSequence = 0xff_ff_ff_ff, spending an unconfirmed parent with nSequence <= 0xff_ff_ff_fd, should be replaceable because there is inherited signaling by the child transaction. However, the actual PreChecks implementation does not enforce this. Instead, mempool rejects the replacement attempt of the unconfirmed child transaction."
It's not clear to me if this is an actual vulnerability or if it's possible for it to be fixed without great difficulty. Luke?
It's arguably a bug, but definitely not a security issue in Bitcoin Core.
It may be a real security issue in other software - as I understand it, some Lightning implementations and similar layer-2 software are affected.
If Bitcoin Core is where the vulnerability needs to be fixed (and it's not going to be fixed elsewhere) then it needs to be handled as a vulnerability in Bitcoin Core.
(In reply to John Helmert III from comment #3)
> If Bitcoin Core is where the vulnerability needs to be fixed
It's not and can't be.
Package list is empty or all packages have requested keywords.
I'm not sure what, if any, packages exist in Gentoo actually affected by this CVE.
Only possibility I can see at a glance is net-misc/electrum, but I am not certain of it.