bitcoin: CVE-2013-4165 timing attack against HTTPAuthorized function

Related Vulnerabilities: CVE-2013-4165, CVE-2013-4627

Debian Bug report logs - #717828
bitcoin: CVE-2013-4165 timing attack against HTTPAuthorized function

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 25 Jul 2013 13:21:01 UTC

Severity: important

Tags: security

Found in version 0.8.1-1

Fixed in version bitcoin/0.8.4-1

Done: Scott Howard <showard@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>:
Bug#717828; Package bitcoin. (Thu, 25 Jul 2013 13:21:05 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>. (Thu, 25 Jul 2013 13:21:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bitcoin: CVE-2013-4165
Date: Thu, 25 Jul 2013 15:12:26 +0200
Package: bitcoin
Severity: important
Tags: security

This was assigned CVE-2013-4165:
https://github.com/bitcoin/bitcoin/issues/2838



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>:
Bug#717828; Package bitcoin. (Tue, 06 Aug 2013 20:03:11 GMT).


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>. (Tue, 06 Aug 2013 20:03:12 GMT).


Message #10 received at 717828@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: 717828@bugs.debian.org
Subject: Re: bitcoin: CVE-2013-4165
Date: Tue, 06 Aug 2013 21:59:13 +0200
Control: found -1 0.8.1-1
Control: retitle -1 bitcoin: CVE-2013-4165 timing attack against HTTPAuthorized function

According to
<URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4165 >,
the bug is in version 0.8.1.  Is it fixed in version 0.8.3, the latest
version in unstable?  Is it present in versions before 0.8.1?  I do not
know.  Looking at <URL: https://github.com/bitcoin/bitcoin/issues/2838 >
makes me believe the problem still exists.

-- 
Happy hacking
Petter Reinholdtsen



Marked as found in versions 0.8.1-1. Request was from Petter Reinholdtsen <pere@hungry.com> to 717828-submit@bugs.debian.org. (Tue, 06 Aug 2013 20:03:12 GMT).


Changed Bug title to 'bitcoin: CVE-2013-4165 timing attack against HTTPAuthorized function' from 'bitcoin: CVE-2013-4165'. Request was from Petter Reinholdtsen <pere@hungry.com> to 717828-submit@bugs.debian.org. (Tue, 06 Aug 2013 20:03:13 GMT).


Reply sent to Scott Howard <showard@debian.org>:
You have taken responsibility. (Wed, 04 Sep 2013 15:21:14 GMT).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 04 Sep 2013 15:21:14 GMT).


Message #19 received at 717828-close@bugs.debian.org:

From: Scott Howard <showard@debian.org>
To: 717828-close@bugs.debian.org
Subject: Bug#717828: fixed in bitcoin 0.8.4-1
Date: Wed, 04 Sep 2013 15:18:16 +0000
Source: bitcoin
Source-Version: 0.8.4-1

We believe that the bug you reported is fixed in the latest version of
bitcoin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 717828@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Howard <showard@debian.org> (supplier of updated bitcoin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 03 Sep 2013 22:58:54 -0400
Source: bitcoin
Binary: bitcoind bitcoin-qt
Architecture: source amd64
Version: 0.8.4-1
Distribution: unstable
Urgency: low
Maintainer: Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>
Changed-By: Scott Howard <showard@debian.org>
Description: 
 bitcoin-qt - peer-to-peer network based digital currency - GUI
 bitcoind   - peer-to-peer network based digital currency - daemon
Closes: 717828 721821
Changes: 
 bitcoin (0.8.4-1) unstable; urgency=low
 .
   * New upstream release.
     - Closes password attack (Closes: #717828 CVE-2013-4165)
     - Closes DoS vulnerability (Closes: #721821 CVE-2013-4627)
   * Refreshed patches

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 03 Oct 2013 07:27:29 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:11:08 2019; Machine Name: buxtehude
