Debian Bug report logs - #886683
electrum: CVE-2018-1000022
Report forwarded to debian-bugs-dist@lists.debian.org, daniel.koszta@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>: Bug#886683; Package electrum. (Mon, 08 Jan 2018 22:21:05 GMT)
Acknowledgement sent to Daniel Koszta <daniel.koszta@gmail.com>: New Bug report received and forwarded. Copy sent to daniel.koszta@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>. (Mon, 08 Jan 2018 22:21:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: electrum
Version: 3.0.3-1
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
Many Electrum versions are vulnerable, see
https://github.com/spesmilo/electrum/issues/3374.
A new, fixed version is already available in debian unstable, but it
should be included in stable and testing as soon as possible.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (800, 'testing'), (500, 'stable'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=hu_HU.utf8, LC_CTYPE=hu_HU.utf8 (charmap=UTF-8), LANGUAGE=hu_HU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages electrum depends on:
ii python3 3.6.4-1
ii python3-electrum 3.0.3-1
Versions of packages electrum recommends:
ii python3-pyqt5 5.9.2+dfsg-1
Versions of packages electrum suggests:
pn python3-btchip <none>
pn python3-trezor <none>
pn python3-zbar <none>
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>: Bug#886683; Package electrum. (Tue, 09 Jan 2018 03:27:03 GMT)
Acknowledgement sent to Tristan Seligmann <mithrandi@mithrandi.net>: Extra info received and forwarded to list. Copy sent to Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>. (Tue, 09 Jan 2018 03:27:03 GMT)
Message #10 received at 886683@bugs.debian.org:
Control: found -1 2.4.2+dfsg1-1
Control: fixed -1 3.0.5-1
On Tue, 9 Jan 2018 at 00:21 Daniel Koszta <daniel.koszta@gmail.com> wrote:
> A new, fixed version is already available in debian unstable, but it
> should be included in stable and testing as soon as possible.
>
Unfortunately the version in stable is too old to be able to connect to the
current Electrum servers due to protocol incompatibilities; thus I do not
think there is a need to backport this fix to stable (if you are still
using this version successfully, it is most likely on an offline machine
that is not vulnerable to this exploit).
Testing should be updated shortly as nothing blocks the migration from
unstable: https://qa.debian.org/excuses.php?package=electrum
Marked as found in versions electrum/2.4.2+dfsg1-1. Request was from Tristan Seligmann <mithrandi@mithrandi.net> to 886683-submit@bugs.debian.org. (Tue, 09 Jan 2018 03:27:03 GMT)
Marked as fixed in versions electrum/3.0.5-1. Request was from Tristan Seligmann <mithrandi@mithrandi.net> to 886683-submit@bugs.debian.org. (Tue, 09 Jan 2018 03:27:04 GMT)
Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 09 Jan 2018 06:21:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>: Bug#886683; Package electrum. (Mon, 15 Jan 2018 20:21:08 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>. (Mon, 15 Jan 2018 20:21:08 GMT)
Message #23 received at 886683@bugs.debian.org:
On Tue, Jan 09, 2018 at 03:22:41AM +0000, Tristan Seligmann wrote:
> Control: found -1 2.4.2+dfsg1-1
> Control: fixed -1 3.0.5-1
>
> On Tue, 9 Jan 2018 at 00:21 Daniel Koszta <daniel.koszta@gmail.com> wrote:
>
> > A new, fixed version is already available in debian unstable, but it
> > should be included in stable and testing as soon as possible.
> >
>
> Unfortunately the version in stable is too old to be able to connect to the
> current Electrum servers due to protocol incompatibilities; thus I do not
> think there is a need to backport this fix to stable (if you are still
> using this version successfully, it is most likely on an offline machine
> that is not vulnerable to this exploit).
Ok, I'll update the Debian Security Tracker accordingly, but we also should
remove the package in the next stable point release.
Can you please also file a bug? (reportbug release.debian.org -> "rm")
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>: Bug#886683; Package electrum. (Tue, 16 Jan 2018 07:00:03 GMT)
Acknowledgement sent to Tristan Seligmann <mithrandi@mithrandi.net>: Extra info received and forwarded to list. Copy sent to Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>. (Tue, 16 Jan 2018 07:00:03 GMT)
Message #28 received at 886683@bugs.debian.org:
On Mon, 15 Jan 2018 at 22:21 Moritz Mühlenhoff <jmm@inutil.org> wrote:
> Ok, I'll update the Debian Security Tracker accordingly, but we also should
> remove the package in the next stable point release.
> Can you please also file a bug? (reportbug release.debian.org -> "rm")
>
Yes, good point; I have filed this as #887412.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>: Bug#886683; Package electrum. (Tue, 16 Jan 2018 07:12:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>. (Tue, 16 Jan 2018 07:12:03 GMT)
Message #33 received at 886683@bugs.debian.org:
Hi,
On Tue, Jan 16, 2018 at 06:56:19AM +0000, Tristan Seligmann wrote:
> On Mon, 15 Jan 2018 at 22:21 Moritz Mühlenhoff <jmm@inutil.org> wrote:
>
> > Ok, I'll update the Debian Security Tracker accordingly, but we also should
> > remove the package in the next stable point release.
> > Can you please also file a bug? (reportbug release.debian.org -> "rm")
> >
>
> Yes, good point; I have filed this as #887412.
Does the same reasoning as well apply to the version in
oldstable/jessie? If so we might want to remove it from there as well
(just file a second RM bug specific for the jessie version).
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>: Bug#886683; Package electrum. (Tue, 16 Jan 2018 07:36:07 GMT)
Acknowledgement sent to Tristan Seligmann <mithrandi@mithrandi.net>: Extra info received and forwarded to list. Copy sent to Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>. (Tue, 16 Jan 2018 07:36:07 GMT)
Message #38 received at 886683@bugs.debian.org:
On Tue, 16 Jan 2018 at 09:09 Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi,
>
> On Tue, Jan 16, 2018 at 06:56:19AM +0000, Tristan Seligmann wrote:
> > On Mon, 15 Jan 2018 at 22:21 Moritz Mühlenhoff <jmm@inutil.org> wrote:
> >
> > > Ok, I'll update the Debian Security Tracker accordingly, but we also should
> > > remove the package in the next stable point release.
> > > Can you please also file a bug? (reportbug release.debian.org -> "rm")
> > >
> >
> > Yes, good point; I have filed this as #887412.
>
> Does the same reasoning as well apply to the version in
> oldstable/jessie? If so we might want to remove it from there as well
> (just file a second RM bug specific for the jessie version).
>
Done (#887415). The jessie version is too old to be affected by the
security issue, but otherwise has the same problem (cannot connect to the
network) as well as probably calculating fees for offline transacting that
are way too low for the current situation.
Changed Bug title to 'electrum: CVE-2018-1000022' from 'electrum: Security vulnerability in electrum'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Jan 2018 11:54:05 GMT)
Marked Bug as done. Request was from Tristan Seligmann <mithrandi@debian.org> to control@bugs.debian.org. (Mon, 30 Jul 2018 01:39:02 GMT)
Notification sent to Daniel Koszta <daniel.koszta@gmail.com>: Bug acknowledged by developer. (Mon, 30 Jul 2018 01:39:04 GMT)
Message sent on to Daniel Koszta <daniel.koszta@gmail.com>: Bug#886683. (Mon, 30 Jul 2018 01:39:05 GMT)
Message #57 received at 886683-submitter@bugs.debian.org:
close 886683 3.0.5-1
thanks
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Aug 2018 07:32:19 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 15:59:31 2019; Machine Name: beach