Bug#1052211: marked as done (bookworm-pu: package electrum/4.3.4+dfsg1-1+deb12u1)
Your message dated Sat, 07 Oct 2023 09:59:42 +0000
with message-id <E1qp462-00A4HU-Il@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1052211,
regarding bookworm-pu: package electrum/4.3.4+dfsg1-1+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1052211: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052211
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package electrum/4.0.9
- From: Soren Stoutner <soren@stoutner.com>
- Date: Mon, 18 Sep 2023 19:19:29 -0700
- Message-id: <169508996914.515320.9389662509900053816.reportbug@soren-desktop.stoutner.com>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: electrum@packages.debian.org
Control: affects -1 + src:electrum
[ Reason ]
A bug was discovered in a component known as Lightning of Electrum 4.1.0 - 4.4.5.
https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf
[ Impact ]
Users who opt to use the Lightning network (an optional component) can have portions
of their Bitcoin transactions stolen by malicious nodes on the network.
[ Tests ]
Upstream has a test framework that I plan to integrate into autotests, but currently
the Debian packages do not include those tests.
[ Risks ]
A cherry-picked fix was provided by upstream that patches 4.3.4 in bookworm.
https://github.com/spesmilo/electrum/commit/11fba68126f82d05de90efd67f2b43dfd1b8f22c
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
The patch fixes the Lightning client to verify that all the components of a transaction are
confirmed before releasing secrets to the Lightning node.
I have also updated the Uploaders field to be myself. If that is inappropriate for a point
release I can revert that change. See:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041171
[ Other info ]
Discussion with upstream is at:
https://github.com/spesmilo/electrum/issues/8588
This was discussed with Debian Security. I was going to attach a link to the public part
of the discussion on the mailing list, but it appears that the list server web interface
is currently down. However, there is some information on the security tracker.
https://security-tracker.debian.org/tracker/TEMP-0000000-1C589C
Note that the security tracker currently says that 4.0.9 in oldstable is affected.
I had initially thought it was and indicated so to the Debian Security team. However,
upstream recently confirmed that the bug wasn't introduced until 4.1.0, which is
documented in the first and third GitHub links above.
--- End Message ---
--- Begin Message ---
Version: 12.2
The upload requested in this bug has been released as part of 12.2.
--- End Message ---
Reply to: