
Fwd: Re: bitcoind: 0.3.24~dfsg-1~bpo60+1 policy on backports?



No reply on these; what should happen to get backports to carry secure
versions of bitcoin?

Thank you!

-------- Original Message --------
Subject: Re: bitcoind: 0.3.24~dfsg-1~bpo60+1 policy on backports?
Date: Sun, 22 Jul 2012 22:52:20 +0000
From: Luke-Jr <luke@dashjr.org>
To: Mike Mestnik <cheako+debian-security@mikemestnik.net>
CC: debian-security@lists.debian.org

On Sunday, July 22, 2012 10:27:21 PM Mike Mestnik wrote:
> It seems as though packaging this may have been premature as the
> software is still in development and Debian would continually have an
> outdated version.

Beginning with 0.4, I have been maintaining stable branches with only
bugfixes. Currently, that is 0.4.x, 0.5.x, 0.6.0.x, and 0.6.x.
If Debian were using one of these, staying secure would be simple.

FWIW, 0.3.24 is very close to 0.4.x.
The only major addition to 0.4.x was wallet encryption/security.

> What do we say about providing security support?  It seems that some of the
> fixes needed are being kept a secret, though I'm not sure if our source
> packages would get the kind of attention that at this point would be
> undesirable...  Who reads debian/patch files anyway, right?

The fixes themselves are part of the public git, but information on which
commits fix the major security vulnerabilities (at least, the recent ones
that are easily exploited) is delayed (along with the details on the
vulnerability) until a significant portion of the network has upgraded to
secure versions. Currently, CVE-2012-2459 and CVE-2012-3789 are
non-disclosed.

All of these are of course included in the stable branches also.

Luke

-------- Original Message --------
Subject: Re: bitcoind: 0.3.24~dfsg-1~bpo60+1 policy on backports?
Resent-Date: Sun, 22 Jul 2012 22:27:47 +0000 (UTC)
Resent-From: debian-security@lists.debian.org
Date: Sun, 22 Jul 2012 17:27:21 -0500
From: Mike Mestnik <cheako+debian-security@mikemestnik.net>
To: debian-security@lists.debian.org
CC: luke+bitcoin@dashjr.org

I've not got more of the story; every release of bitcoin is BETA currently.

From doc/README:
Bitcoin 0.3.24 BETA

CC luke+bitcoin@dashjr.org on discussions.

It seems as though packaging this may have been premature as the
software is still in development and Debian would continually have an
outdated version.

What do we say about providing security support?  It seems that some of the
fixes needed are being kept a secret, though I'm not sure if our source
packages would get the kind of attention that at this point would be
undesirable...  Who reads debian/patch files anyway, right?

At the very least I'd like to see these being tracked, if that's
appropriate.

Thank you.

On 07/22/12 16:55, Mike Mestnik wrote:
> What's the policy (or usual outcome) on security issues in
> squeeze-backports/main?
> 
> I'm told that 0.3.24 may be vulnerable to these at the very least...
> CVE-2012-1909, BIP-0016, CVE-2012-2459, and CVE-2012-3789
> 
> https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
> 
> It doesn't look like this version has anything in the way of fixes:
> http://anonscm.debian.org/gitweb/?p=collab-maint/bitcoin.git;a=tree;f=debian/patches;hb=refs/tags/debian/0.3.24_dfsg-1


Archive: http://lists.debian.org/500C7E49.9030801@mikemestnik.net