CVE-2023-33297 (https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-24.1.md): Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023.

Please bump to 24.1.
Bitcoin Core 25.0 is now in the Bitcoin overlay. After some testing it would be good to get it cherry-picked into the main Gentoo repo.

# eselect repository enable bitcoin
Oops, I forgot to update this bug.

net-p2p/bitcoin-core-25.1 (along with transitional packages) is now in the main Gentoo tree.

Maybe a Gentoo dev ought to drop the older, vulnerable versions.
(In reply to Matt Whitlock from comment #2)
> Oops, I forgot to update this bug.
>
> net-p2p/bitcoin-core-25.1 (along with transitional packages) is now in the
> main Gentoo tree.
>
> Maybe a Gentoo dev ought to drop the older, vulnerable versions.

Needs some stabilizing first though, I think?
(In reply to John Helmert III from comment #3)
> (In reply to Matt Whitlock from comment #2)
> > Maybe a Gentoo dev ought to drop the older, vulnerable versions.
>
> Needs some stabilizing first though, I think?

Yes, for sure. I don't really understand Gentoo's stabilization policy, but it seems to me a package usually gets stabilized if all older versions of it have some known vulnerability, which is the case here.
(In reply to Matt Whitlock from comment #4)
> Yes, for sure. I don't really understand Gentoo's stabilization policy, but
> it seems to me a package usually gets stabilized if all older versions of it
> have some known vulnerability, which is the case here.

The policy is to give the maintainer a lot of room to make a decision that benefits the package. I think in general we like to move packages to stable fairly quickly after a 30 day waiting period, but this can be changed both ways (e.g. wait longer if a new version is still experimental or has other issues, move faster if there are security concerns or a package is broken).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=469a89192ca5a7b1e10407b5bcaa401d65b7b403

commit 469a89192ca5a7b1e10407b5bcaa401d65b7b403
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-07 12:34:53 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-07 12:35:04 +0000

    [ GLSA 202408-12 ] Bitcoin: Denial of Service

    Bug: https://bugs.gentoo.org/908084
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-12.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)