Bug#886683: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
On Tue, 16 Jan 2018 at 09:09 Salvatore Bonaccorso wrote:

> Hi,
>
> On Tue, Jan 16, 2018 at 06:56:19AM +, Tristan Seligmann wrote:
> > On Mon, 15 Jan 2018 at 22:21 Moritz Mühlenhoff wrote:
> >
> > > Ok, I'll update the Debian Security Tracker accordingly, but we also should
> > > remove the package in the next stable point release.
> > > Can you please also file a bug? (reportbug release.debian.org -> "rm")
> > >
> >
> > Yes, good point; I have filed this as #887412.
>
> Does the same reasoning as well apply to the version in
> oldstable/jessie? If so we might want to remove it from there as well
> (just file a second RM bug specific for the jessie version).
>

Done (#887415). The jessie version is too old to be affected by the security issue, but otherwise has the same problem (cannot connect to the network) as well as probably calculating fees for offline transacting that are way too low for the current situation.
Bug#886683: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
Hi,

On Tue, Jan 16, 2018 at 06:56:19AM +, Tristan Seligmann wrote:
> On Mon, 15 Jan 2018 at 22:21 Moritz Mühlenhoff wrote:
>
> > Ok, I'll update the Debian Security Tracker accordingly, but we also should
> > remove the package in the next stable point release.
> > Can you please also file a bug? (reportbug release.debian.org -> "rm")
> >
>
> Yes, good point; I have filed this as #887412.

Does the same reasoning as well apply to the version in oldstable/jessie? If so we might want to remove it from there as well (just file a second RM bug specific for the jessie version).

Regards,
Salvatore
Bug#886683: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
On Mon, 15 Jan 2018 at 22:21 Moritz Mühlenhoff wrote:

> Ok, I'll update the Debian Security Tracker accordingly, but we also should
> remove the package in the next stable point release.
> Can you please also file a bug? (reportbug release.debian.org -> "rm")
>

Yes, good point; I have filed this as #887412.
Bug#886683: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
On Tue, Jan 09, 2018 at 03:22:41AM +, Tristan Seligmann wrote:
> Control: found -1 2.4.2+dfsg1-1
> Control: fixed -1 3.0.5-1
>
> On Tue, 9 Jan 2018 at 00:21 Daniel Koszta wrote:
>
> > A new, fixed version is already available in debian unstable, but it
> > should be included in stable and testing as soon as possible.
> >
>
> Unfortunately the version in stable is too old to be able to connect to the
> current Electrum servers due to protocol incompatibilities; thus I do not
> think there is a need to backport this fix to stable (if you are still
> using this version successfully, it is most likely on an offline machine
> that is not vulnerable to this exploit).

Ok, I'll update the Debian Security Tracker accordingly, but we also should remove the package in the next stable point release.
Can you please also file a bug? (reportbug release.debian.org -> "rm")

Cheers,
Moritz
Bug#886683: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
Control: found -1 2.4.2+dfsg1-1
Control: fixed -1 3.0.5-1

On Tue, 9 Jan 2018 at 00:21 Daniel Koszta wrote:

> A new, fixed version is already available in debian unstable, but it
> should be included in stable and testing as soon as possible.
>

Unfortunately the version in stable is too old to be able to connect to the current Electrum servers due to protocol incompatibilities; thus I do not think there is a need to backport this fix to stable (if you are still using this version successfully, it is most likely on an offline machine that is not vulnerable to this exploit).

Testing should be updated shortly as nothing blocks the migration from unstable: https://qa.debian.org/excuses.php?package=electrum
Processed: Re: [Pkg-bitcoin-devel] Bug#886683: electrum: Security vulnerability in electrum
Processing control commands:

> found -1 2.4.2+dfsg1-1
Bug #886683 [electrum] electrum: Security vulnerability in electrum
Marked as found in versions electrum/2.4.2+dfsg1-1.
> fixed -1 3.0.5-1
Bug #886683 [electrum] electrum: Security vulnerability in electrum
Marked as fixed in versions electrum/3.0.5-1.

--
886683: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886683
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#886683: electrum: Security vulnerability in electrum
Package: electrum
Version: 3.0.3-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

Many Electrum versions are vulnerable, see https://github.com/spesmilo/electrum/issues/3374.

A new, fixed version is already available in debian unstable, but it should be included in stable and testing as soon as possible.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (800, 'testing'), (500, 'stable'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=hu_HU.utf8, LC_CTYPE=hu_HU.utf8 (charmap=UTF-8), LANGUAGE=hu_HU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages electrum depends on:
ii  python3           3.6.4-1
ii  python3-electrum  3.0.3-1

Versions of packages electrum recommends:
ii  python3-pyqt5  5.9.2+dfsg-1

Versions of packages electrum suggests:
pn  python3-btchip
pn  python3-trezor
pn  python3-zbar

-- no debconf information