Re: [Lightning-dev] Full Disclosure: CVE-2021-41591/ CVE-2021-41592 / CVE-2021-41593 "Dust HTLC Exposure Considered Harmful"

I've been informed by Mitre, the correct CVE assignment: * c-lightning : CVE-2021-41592 * lnd: CVE-2021-41593 Not the assignement disclosed in the initial mail. Le lun. 4 oct. 2021 à 11:09, Antoine Riard a écrit : > Hi, > > I'm writing a report to disclose specification-level vulnerabilities >

Re: [Lightning-dev] Full Disclosure: CVE-2021-41591/ CVE-2021-41592 / CVE-2021-41593 "Dust HTLC Exposure Considered Harmful"

> * C-lightning v0.10.2 (CVE-2021-41593) Thanks I was unsure about the exact version number. I'll update the CVE quickly. Le lun. 4 oct. 2021 à 14:16, lisa neigut a écrit : > FYI the next version of c-lightning will contain the proposed > `max_dust_htlc_exposure_msat` as outlined in #919 >

Re: [Lightning-dev] Full Disclosure: CVE-2021-41591/ CVE-2021-41592 / CVE-2021-41593 "Dust HTLC Exposure Considered Harmful"

> In other words, simply not secured. How do you define Bitcoin base-layer security ? How strong are the assumptions we're relying on the base-layer ? Not easy answers :/ > L2s shouldn't build on flawed assumptions. Waiting for your proposal to scale Bitcoin payments relying on pure consensus

Re: [Lightning-dev] Full Disclosure: CVE-2021-41591/ CVE-2021-41592 / CVE-2021-41593 "Dust HTLC Exposure Considered Harmful"

FYI the next version of c-lightning will contain the proposed `max_dust_htlc_exposure_msat` as outlined in #919 ; the given expected vulnerabilities patch table should have reflected this. > The vulnerabilities are expected to be

Re: [Lightning-dev] Full Disclosure: CVE-2021-41591/ CVE-2021-41592 / CVE-2021-41593 "Dust HTLC Exposure Considered Harmful"

On Monday 04 October 2021 16:14:20 Antoine Riard wrote: > > The "dust limit" is arbitrarily decided by each node, and cannot be > > relied upon for security at all. Expecting it to be a given default value > > is in itself a security vulnerability > > Reality is that an increasing number of funds

Re: [Lightning-dev] Full Disclosure: CVE-2021-41591/ CVE-2021-41592 / CVE-2021-41593 "Dust HTLC Exposure Considered Harmful"

> The "dust limit" is arbitrarily decided by each node, and cannot be relied upon for security at all. Expecting it to be a given default value is in itself a security vulnerability Reality is that an increasing number of funds are secured by assumptions around mempool behavior. And sadly that's

Re: [Lightning-dev] Full Disclosure: CVE-2021-41591/ CVE-2021-41592 / CVE-2021-41593 "Dust HTLC Exposure Considered Harmful"

On Monday 04 October 2021 15:09:28 Antoine Riard wrote: > Still during August 2021, the Bitcoin Core dust limit was actively > discussed on the mailing list. Changes of this dust limit would have > affected the ongoing development of the mitigations. The "dust limit" is arbitrarily decided by

[Lightning-dev] Full Disclosure: CVE-2021-41591/ CVE-2021-41592 / CVE-2021-41593 "Dust HTLC Exposure Considered Harmful"

Hi, I'm writing a report to disclose specification-level vulnerabilities affecting the Lightning implementations. The vulnerabilities are expected to be patched in: * Eclair: v0.6.2+ (CVE-2021-41591) * LND: v0.13.3+ (CVE-2021-41592) * LDK: v0.0.102 (not released as production software yet) The