
Bug#1052211: marked as done (bookworm-pu: package electrum/4.3.4+dfsg1-1+deb12u1)



Your message dated Fri, 29 Sep 2023 21:02:31 +0000
with message-id <E1qmKd5-006b1s-GR@fasolo.debian.org>
and subject line Bug#1052211: fixed in electrum 4.3.4+dfsg1-1+deb12u1
has caused the Debian Bug report #1052211,
regarding bookworm-pu: package electrum/4.3.4+dfsg1-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1052211: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052211
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: electrum@packages.debian.org
Control: affects -1 + src:electrum

[ Reason ]
A bug was discovered in a component known as Lightning of Electrum 4.1.0 - 4.4.5.

https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf

[ Impact ]
Users who opt to use the Lightning network (an optional component) can have portions
of their Bitcoin transactions stolen by malicious nodes on the network.

[ Tests ]
Upstream has a test framework that I plan to integrate into autotests, but currently
the Debian packages do not include those tests.

[ Risks ]
A cherry-picked fix was provided by upstream that patches 4.3.4 in bookworm.

https://github.com/spesmilo/electrum/commit/11fba68126f82d05de90efd67f2b43dfd1b8f22c

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The patch fixes the Lightning client to verify that all the components of a transaction are
confirmed before releasing secrets to the Lightning node.

I have also updated the Uploaders field to be myself. If that is inappropriate for a point
release I can revert that change.  See:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041171

[ Other info ]
Discussion with upstream is at:

https://github.com/spesmilo/electrum/issues/8588

This was discussed with Debian Security.  I was going to attach a link to the public part
of the discussion on the mailing list, but it appears that the list server web interface
is currently down.  However, there is some information on the security tracker.

https://security-tracker.debian.org/tracker/TEMP-0000000-1C589C

Note that the security tracker currently says that 4.0.9 in oldstable is affected.
I had initially thought it was and indicated so to the Debian Security team.  However,
upstream recently confirmed that the bug wasn't introduced until 4.1.0, which is
documented in the first and third GitHub links above.

--- End Message ---
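The request above describes the fix only in one sentence: the Lightning client must verify that all components of a transaction are confirmed before releasing secrets to the peer. The following is an added illustration of that invariant, not Electrum's code and not the upstream patch linked in the report. It assumes a simplified model (an assumption, not taken from the page) in which the "components" are the incoming HTLC parts of one payment, each either merely offered by the peer, irrevocably committed, or failed, and the "secret" is the invoice preimage. The weak gate reveals the preimage as soon as the offered amounts add up; the checked gate refuses until every live part is committed and the preimage actually matches the payment hash.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Simplified model (assumption, not Electrum's data structures): an incoming
# HTLC is either merely offered by the peer, irrevocably committed on both
# sides' commitment transactions, or failed. Only COMMITTED parts are funds
# the receiver can actually claim with the preimage.
class HtlcState(Enum):
    OFFERED = "offered"
    COMMITTED = "committed"
    FAILED = "failed"

@dataclass(frozen=True)
class Htlc:
    payment_hash: bytes
    amount_msat: int
    state: HtlcState

@dataclass(frozen=True)
class Invoice:
    payment_hash: bytes
    preimage: bytes
    amount_msat: int

def _parts_for(invoice: Invoice, htlcs: list[Htlc]) -> list[Htlc]:
    """Incoming HTLCs that belong to this invoice and have not failed."""
    return [h for h in htlcs
            if h.payment_hash == invoice.payment_hash and h.state is not HtlcState.FAILED]

def release_preimage_unchecked(invoice: Invoice, htlcs: list[Htlc]) -> Optional[bytes]:
    """Weak gate: reveal the secret as soon as the parts *add up*, ignoring
    whether each part is committed. A peer that only offered a part could
    obtain the preimage without ever committing the funds."""
    total = sum(h.amount_msat for h in _parts_for(invoice, htlcs))
    return invoice.preimage if total >= invoice.amount_msat else None

def release_preimage_checked(invoice: Invoice, htlcs: list[Htlc]) -> Optional[bytes]:
    """Hardened gate: every live part must be COMMITTED, the committed total
    must cover the invoice, and the secret must hash to the payment hash."""
    parts = _parts_for(invoice, htlcs)
    if not parts or any(h.state is not HtlcState.COMMITTED for h in parts):
        return None
    if sum(h.amount_msat for h in parts) < invoice.amount_msat:
        return None
    if hashlib.sha256(invoice.preimage).digest() != invoice.payment_hash:
        return None  # never hand out a secret that does not match the hash we committed to
    return invoice.preimage

def build_scenario(second_part_state: HtlcState) -> tuple[Invoice, list[Htlc]]:
    """Constructed scenario: a 100 000 msat invoice paid in two 60 000 msat parts,
    the first committed and the second in the state given by the caller."""
    preimage = bytes.fromhex("11" * 32)  # constructed sample secret
    ph = hashlib.sha256(preimage).digest()
    invoice = Invoice(payment_hash=ph, preimage=preimage, amount_msat=100_000)
    htlcs = [
        Htlc(ph, 60_000, HtlcState.COMMITTED),
        Htlc(ph, 60_000, second_part_state),
        # an unrelated payment that must not count towards this invoice
        Htlc(hashlib.sha256(b"other").digest(), 5_000, HtlcState.COMMITTED),
    ]
    return invoice, htlcs

if __name__ == "__main__":
    inv, htlcs = build_scenario(HtlcState.OFFERED)
    print("unchecked gate releases secret:", release_preimage_unchecked(inv, htlcs) is not None)
    print("checked gate releases secret:  ", release_preimage_checked(inv, htlcs) is not None)
```

With the second part only offered, the unchecked gate hands out the preimage while the checked gate returns `None` and keeps waiting; once both parts are committed the checked gate releases it. Any real implementation must derive the "committed" state from the channel state machine (signed commitment transactions and received revocations), not from a flag the peer supplies.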
--- Begin Message ---
Source: electrum
Source-Version: 4.3.4+dfsg1-1+deb12u1
Done: Soren Stoutner <soren@stoutner.com>

We believe that the bug you reported is fixed in the latest version of
electrum, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1052211@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Soren Stoutner <soren@stoutner.com> (supplier of updated electrum package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 Sep 2023 19:30:21 -0700
Source: electrum
Architecture: source
Version: 4.3.4+dfsg1-1+deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Debian Cryptocoin Team <team+cryptocoin@tracker.debian.org>
Changed-By: Soren Stoutner <soren@stoutner.com>
Closes: 1041171 1052211
Changes:
 electrum (4.3.4+dfsg1-1+deb12u1) bookworm; urgency=high
 .
   * Add debian/patches/Lightning-security-fix.patch to fix a Lightning security
     problem fixed upstream in 4.4.6.  (Closes: #1052211)
   * Add myself to uploaders and remove Tristan Seligmann <mithrandi@debian.org>.
     (Closes: #1041171).
Checksums-Sha1:
 77e52be56650b8559da2116e1d3bf048a34d46b2 2597 electrum_4.3.4+dfsg1-1+deb12u1.dsc
 523fa860f0fbc8a027f089c56d5ccc379b33fc7d 19160 electrum_4.3.4+dfsg1-1+deb12u1.debian.tar.xz
 b6656d631e49732e1e03e6b756ce2d5d0765effe 15818 electrum_4.3.4+dfsg1-1+deb12u1_amd64.buildinfo
Checksums-Sha256:
 558dbf309ea93cf68a03965fee18a6c5945479ada8b2d71bd4965957792bf910 2597 electrum_4.3.4+dfsg1-1+deb12u1.dsc
 62bb3b283dc2b79aa6e9aa6bfcf495ccdd480d9c396f1ec16e6ba8a894a2b114 19160 electrum_4.3.4+dfsg1-1+deb12u1.debian.tar.xz
 1e7805490a5ce42cf89706f7c1c03a9fbbaf70678dae8fc371c495fab27eb888 15818 electrum_4.3.4+dfsg1-1+deb12u1_amd64.buildinfo
Files:
 f4d1fb059c32ce65422ac7a99e1dfa6c 2597 utils optional electrum_4.3.4+dfsg1-1+deb12u1.dsc
 cf0c4f6c749f94ea707d1ddaea856de8 19160 utils optional electrum_4.3.4+dfsg1-1+deb12u1.debian.tar.xz
 71315f922f0246cd2b76780c9fa91b05 15818 utils optional electrum_4.3.4+dfsg1-1+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
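The accepted-upload mail above carries the `.changes` checksum paragraphs for the source upload. As an added example (not part of the mail and not Debian's own tooling), the code below parses a `Checksums-Sha256` paragraph in that layout and verifies the named files by size and digest. The `PAGE_CHECKSUMS` text is copied from the mail for the parsing part; the files themselves are not available here, so the verification part runs on constructed files in a temporary directory, with one file tampered with and one removed.

```python
import hashlib
import os
import tempfile

# Copied from the .changes shown in the accepted-upload mail (parsing only;
# the referenced files are not present in this example).
PAGE_CHECKSUMS = """\
Checksums-Sha256:
 558dbf309ea93cf68a03965fee18a6c5945479ada8b2d71bd4965957792bf910 2597 electrum_4.3.4+dfsg1-1+deb12u1.dsc
 62bb3b283dc2b79aa6e9aa6bfcf495ccdd480d9c396f1ec16e6ba8a894a2b114 19160 electrum_4.3.4+dfsg1-1+deb12u1.debian.tar.xz
 1e7805490a5ce42cf89706f7c1c03a9fbbaf70678dae8fc371c495fab27eb888 15818 electrum_4.3.4+dfsg1-1+deb12u1_amd64.buildinfo
Files:
 f4d1fb059c32ce65422ac7a99e1dfa6c 2597 utils optional electrum_4.3.4+dfsg1-1+deb12u1.dsc
"""

def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (hex digest, size)} from one multi-line checksum field.
    Continuation lines of a field start with a single space; the field ends at
    the first line that does not."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries

def sha256_and_size(path: str) -> tuple:
    """Stream the file so large tarballs are not read into memory at once."""
    h = hashlib.sha256()
    n = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            n += len(chunk)
    return h.hexdigest(), n

def verify_files(entries: dict, directory: str) -> dict:
    """Check every listed file; report 'ok', 'missing', 'size mismatch' or 'sha256 mismatch'."""
    results = {}
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        got_digest, got_size = sha256_and_size(path)
        if got_size != size:
            results[name] = "size mismatch"
        elif got_digest != digest:
            results[name] = "sha256 mismatch"
        else:
            results[name] = "ok"
    return results

def demo() -> dict:
    """Constructed end-to-end run: write three files, build a checksum paragraph
    from their real digests, then tamper with one (same size, different bytes)
    and delete another before verifying."""
    contents = {
        "good.dsc": b"Format: 3.0 (quilt)\n",
        "bad.tar.xz": b"\x00" * 100,
        "gone.buildinfo": b"x",
    }
    with tempfile.TemporaryDirectory() as d:
        lines = ["Checksums-Sha256:"]
        for name, data in contents.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            digest, size = sha256_and_size(path)
            lines.append(f" {digest} {size} {name}")
        changes = "\n".join(lines) + "\nFiles:\n"
        with open(os.path.join(d, "bad.tar.xz"), "wb") as f:
            f.write(b"\x01" * 100)  # size unchanged, so only the digest catches it
        os.remove(os.path.join(d, "gone.buildinfo"))
        return verify_files(parse_checksums(changes), d)

if __name__ == "__main__":
    print(parse_checksums(PAGE_CHECKSUMS))
    print(demo())
```

A real `.changes` is a PGP clearsigned message, so the signature should be checked (for example with `gpg --verify`) before the checksums inside it are trusted; a digest list that has itself been tampered with proves nothing. The size check alone is not sufficient, as the tampered file in the demo shows.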
