No reply on these; what should happen to get backports to carry secure versions of bitcoin?

Thank you!

-------- Original Message --------
Subject: Re: bitcoind: 0.3.24~dfsg-1~bpo60+1 policy on backports?
Date: Sun, 22 Jul 2012 22:52:20 +0000
From: Luke-Jr <[email protected]>
To: Mike Mestnik <[email protected]>
CC: [email protected]

On Sunday, July 22, 2012 10:27:21 PM Mike Mestnik wrote:
> It seems as though packaging this may have been premature as the
> software is still in development and Debian would continually have an
> outdated version.

Beginning with 0.4, I have been maintaining stable branches with only bugfixes. Currently, that is 0.4.x, 0.5.x, 0.6.0.x, and 0.6.x. If Debian were using one of these, staying secure would be simple. FWIW, 0.3.24 is very close to 0.4.x. The only major addition to 0.4.x was wallet encryption/security.

> What say us about providing security support? It seems that some of the
> fixes needed are being kept a secret, though I'm not sure if our source
> packages would get the kind of attention that at this point would be
> undesirable... Who reads debian/patch files anyway, right?

The fixes themselves are part of the public git, but information on which commits fix the major security vulnerabilities (at least, the recent ones that are easily exploited) is delayed (along with the details on the vulnerability) until a significant portion of the network has upgraded to secure versions. Currently, CVE-2012-2459 and CVE-2012-3789 are non-disclosed. All of these are of course included in the stable branches also.

Luke

-------- Original Message --------
Subject: Re: bitcoind: 0.3.24~dfsg-1~bpo60+1 policy on backports?
Resent-Date: Sun, 22 Jul 2012 22:27:47 +0000 (UTC)
Resent-From: [email protected]
Date: Sun, 22 Jul 2012 17:27:21 -0500
From: Mike Mestnik <[email protected]>
To: [email protected]
CC: [email protected]

I've not got more of the story; every release of bitcoin is BETA currently.
From doc/README: Bitcoin 0.3.24 BETA

CC [email protected] on discussions.

It seems as though packaging this may have been premature as the software is still in development and Debian would continually have an outdated version.

What say us about providing security support? It seems that some of the fixes needed are being kept a secret, though I'm not sure if our source packages would get the kind of attention that at this point would be undesirable... Who reads debian/patch files anyway, right?

At the very least I'd like to see these being tracked, if that's appropriate.

Thank you.

On 07/22/12 16:55, Mike Mestnik wrote:
> What's the policy (or usual outcome) on security issues in
> squeeze-backports/main?
>
> I'm told that 0.3.24 may be vulnerable to these at the very least...
> CVE-2012-1909, BIP-0016, CVE-2012-2459, and CVE-2012-3789
>
> https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
>
> It doesn't look like this version has anything in the way of fixes:
> http://anonscm.debian.org/gitweb/?p=collab-maint/bitcoin.git;a=tree;f=debian/patches;hb=refs/tags/debian/0.3.24_dfsg-1
>
> --
> To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
> Archive: http://lists.debian.org/[email protected]

