Bug 760108 (CVE-2020-26240, CVE-2020-26241, CVE-2020-26242, CVE-2020-26264, CVE-2020-26265) - <net-p2p/go-ethereum-1.10.0: Multiple vulnerabilities (CVE-2020-{26240,26241,26242,26264,26265})
Status: RESOLVED FIXED
Alias: CVE-2020-26240, CVE-2020-26241, CVE-2020-26242, CVE-2020-26264, CVE-2020-26265
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-16 06:18 UTC by Sam James
Modified: 2021-07-24 06:04 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 06:18:59 UTC
* CVE-2020-26265

A consensus-vulnerability in Geth could cause a chain split, where vulnerable versions refuse to accept the canonical chain.

https://github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4

* CVE-2020-26264

A DoS vulnerability can make a LES server crash via a malicious GetProofsV2 request from a connected LES client.

https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q

* CVE-2020-26242

Denial-of-service (crash) during block processing.

https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m

* CVE-2020-26241

This is a consensus vulnerability, which can be used to cause a chain split where vulnerable nodes reject the canonical chain.

https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf

* CVE-2020-26240

An ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners; non-mining nodes are unaffected.

https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 06:20:15 UTC
Please bump.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-05 17:49:12 UTC
Ping Mathy.
Comment 3 Larry the Git Cow gentoo-dev 2021-03-05 17:58:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77ec64563bbc2f428e016c006004cf033e54abc4

commit 77ec64563bbc2f428e016c006004cf033e54abc4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-03-05 17:56:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-05 17:57:16 +0000

    net-p2p/go-ethereum: (security) bump to 1.10.0
    
    Bug: https://bugs.gentoo.org/760108
    Closes: https://bugs.gentoo.org/757096
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/go-ethereum/Manifest                  | 492 ++++++++++++++++++
 net-p2p/go-ethereum/go-ethereum-1.10.0.ebuild | 720 ++++++++++++++++++++++++++
 2 files changed, 1212 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-24 06:04:02 UTC
Tree clean, all done!