bitcoind: CVE-2012-4683 and CVE-2012-4682

Related Vulnerabilities: CVE-2012-4683   CVE-2012-4682   CVE-2012-3789  

Debian Bug report logs - #688813
bitcoind: CVE-2012-4683 and CVE-2012-4682

Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Tue, 25 Sep 2012 21:18:01 UTC

Severity: grave

Tags: security

Fixed in version bitcoin/0.7.2-1

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#688813; Package bitcoind. (Tue, 25 Sep 2012 21:18:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jonas Smedegaard <dr@jones.dk>. (Tue, 25 Sep 2012 21:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bitcoind: CVE-2012-4683 and CVE-2012-4682
Date: Tue, 25 Sep 2012 23:15:12 +0200
Package: bitcoind
Severity: grave
Tags: security
Justification: user security hole

Hi,

it seems that two DoS CVEs were allocated for bitcoind, although it's
not clear how it's affected, nor if there's a patch or anything. The
only detail I was able to get was
https://en.bitcoin.it/wiki/CVE.

Could you please investigate with upstream and fix this? As bitcoind is
not in Squeeze nor Wheezy, you should be able to upload a fix to
unstable without issue.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#688813; Package bitcoind. (Mon, 03 Dec 2012 00:51:03 GMT)


Acknowledgement sent to Scott Howard <showard314@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Mon, 03 Dec 2012 00:51:03 GMT)


Message #10 received at 688813@bugs.debian.org:

From: Scott Howard <showard314@gmail.com>
To: 688813@bugs.debian.org
Subject: bitcoind: CVE-2012-4683 and CVE-2012-4682, fixed in 0.7r1
Date: Sun, 2 Dec 2012 19:50:18 -0500
Fixed in version 0.7r1
https://bitcointalk.org/index.php?topic=104173.70;wap2



Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Tue, 18 Dec 2012 00:51:12 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Tue, 18 Dec 2012 00:51:12 GMT)


Message #15 received at 688813-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 688813-close@bugs.debian.org
Subject: Bug#688813: fixed in bitcoin 0.7.2-1
Date: Tue, 18 Dec 2012 00:47:30 +0000
Source: bitcoin
Source-Version: 0.7.2-1

We believe that the bug you reported is fixed in the latest version of
bitcoin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 688813@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated bitcoin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 10 Nov 2012 23:22:04 +0100
Source: bitcoin
Binary: bitcoind
Architecture: source i386
Version: 0.7.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 bitcoind   - peer-to-peer network based digital currency - daemon
Closes: 660286 677524 682676 688813 689917
Changes: 
 bitcoin (0.7.2-1) unstable; urgency=low
 .
   * New upstream source. (Closes: #689917)
     - DoS vulnerabilities:
       CVE-2012-3789 closed (Closes: #682676)
       CVE-2012-4683 and CVE-2012-4682 closed (Closes: #688813)
     - Block database no longer stored alongside wallet.dat
       (Closes: #660286)
 .
   [ Jonas Smedegaard ]
   * Update watch file to directly use github.com (not
     githubredir.debian.net).
   * Update copyright file:
     + Update list of main upstream authors.
     + Drop obsolete Files section for sha256.cpp.
     + Add Files section for newly introduced bash-completion.
     + Fix use pseudo-comment section to obey silly restrictions of
       copyright format 1.0.
   * Bump debhelper compatibility level to 8.
   * Update package relations:
     + Relax to build-depend unversioned on cdbs: Needed version
       satisfied in stable, and oldstable no longer supported.
 .
   [ Scott Howard ]
   * debian/control
     - Changed maintainer to: Debian Bitcoin Packaging Team
   * Added myself as uploader.
   * Enabled parallel building DEB_BUILD_PARALLEL
   * Updated debian/control description of bitcoind to state that the
     blockchain now is "several GB" large (Closes: #677524)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Jun 2013 07:26:42 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:17:14 2019; Machine Name: buxtehude
