bitcoin-core / bitcoincore.org

Bitcoin Core project website
https://bitcoincore.org/
MIT License

Security advisories for bugs fixed as of Bitcoin Core 0.21.0 #1042

Closed darosior closed 2 weeks ago

darosior commented 2 weeks ago

This publicly discloses 10 security vulnerabilities fixed in Bitcoin Core 0.21.0 or earlier versions.

These writeups result from a common effort to dig up and document past vulnerabilities with achow101, ajtowns, fanquake, dergoegge and sipa.

darosior commented 2 weeks ago

Thanks everyone for the review. Addressed all comments in the latest push.

sipa commented 2 weeks ago
*  8455:192: ERROR: Invalid first character of tag name '='.
        <h2><a href="/en/2024/06/10/disclose-getdata-cpu/" title="Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)">Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)</a></h2>
                                                                                                                                                                                               ^ (line 8455)
darosior commented 2 weeks ago
*  8455:192: ERROR: Invalid first character of tag name '='.
        <h2><a href="/en/2024/06/10/disclose-getdata-cpu/" title="Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)">Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)</a></h2>
                                                                                                                                                                                               ^ (line 8455)

Looks like the CI doesn't like <=, can I just use &le; with Jekyll?

darosior commented 2 weeks ago

I noticed that all of the advisories share the same excerpt " Public disclosure of a DoS vulnerability affecting old versions of Bitcoin Core". Should these perhaps be individualized to actually summarize the content of each advisory?

They are not. It depends on the nature of the vulnerability. For some it's DoS, for others it's RCE or even "censorship". Nonetheless I've now added an excerpt with more details about the content for each post.

*  8455:192: ERROR: Invalid first character of tag name '='.
        <h2><a href="/en/2024/06/10/disclose-getdata-cpu/" title="Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)">Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)</a></h2>
                                                                                                                                                                                               ^ (line 8455)

I've updated to use &le; instead of <=. Let's see what the linter says.

achow101 commented 2 weeks ago


The blog published dates and the disclosure timeline don't match. The dates for the blog section are pulled from the dates in the file names.

darosior commented 2 weeks ago

Alright, did one last push to:

darosior commented 2 weeks ago

The blog published dates and the disclosure timeline don't match. The dates for the blog section are pulled from the dates in the file names.

Yeah I think this should be fixed now.

achow101 commented 2 weeks ago

ACK 0a549fa737e720abee89431aa05a92e1ffdec4ee

sipa commented 2 weeks ago

ACK 0a549fa737e720abee89431aa05a92e1ffdec4ee

ariard commented 2 weeks ago

@darosior @fanquake @ajtowns @sipa @achow101 @dergoegge

As I suggested on your gist here, I think it would be a good idea to PGP-sign the security advisories to minimize infrastructure compromise risks like the website or github.com being tampered with. Especially since GitHub's 2FA authentication is not great.