Newsletters: add 378 (2025-10-31) #2536
Conversation
I will take a look at this: Bitcoin Core security advisories https://groups.google.com/g/bitcoindev/c/sBpCgS_yGws
Trailing spaces build fixup for @TumaBitcoiner section
|  | ||
| - **Disclosure of four low severity vulnerabilities in Bitcoin Core:** | ||
| Antoine Poinsot recently [posted][poinsot disc] to the Bitcoin Development Mailing List four Bitcoin Core security advisories for low severity vulnerabilities that were fixed in [Bitcoin Core 30.0][]. According to the [disclosure policy][disc pol], a low severity vulnerability is disclosed two weeks after the release of a major version containing the fix. | ||
| The four disclosed vulnerabilities are the following: | 
This was intended to be on a new line
| - [CVE-2025-46597][]: Highly unlikely remote crash on 32-bit systems. This bug may cause a node to crash when receiving a pathological block, in a rare edge case. | ||
|  | ||
| - [CVE-2025-46598][]: CPU DoS from unconfirmed transaction processing. This bug would cause resource exhaustion when processing an unconfirmed transaction. | ||
| Patches for the first three vulnerabilities have been included also in [Bitcoin Core 29.1][] and later minor releases. | 
This, too, should be on a new line.
@TumaBitcoiner can you update accordingly? Also, you can run `make production` to run the same sort of checks done here separate from `make preview`
Yes, I'll do it.
Is it possible to run a similar `make production` code from Docker? I'm having issues running the needed version of Ruby on the latest Debian.
Feedback for @TumaBitcoiner
| weeks after the release of a major version containing the fix. The four | ||
| disclosed vulnerabilities are the following: | ||
|  | ||
| - [CVE-2025-54604][]: Disk filling from spoofed self connections. This bug | 
I'm not strong on it, but we could follow the format of previous disclosures here in terms of bullets: https://bitcoinops.org/en/newsletters/2024/07/05/#disclosure-of-vulnerabilities-affecting-bitcoin-core-versions-before-0-21-0
Ok, I'll follow the format of previous newsletters!
| Antoine Poinsot recently [posted][poinsot disc] to the Bitcoin Development | ||
| Mailing List four Bitcoin Core security advisories for low severity | ||
| vulnerabilities that were fixed in [Bitcoin Core 30.0][]. According to the | ||
| [disclosure policy][disc pol], a low severity vulnerability is disclosed two | 
alternative link could be our coverage of that policy in the newsletter previously
Feedback for @Gustavojfe
|  | ||
| - **Disclosure of four low severity vulnerabilities in Bitcoin Core:** | ||
| Antoine Poinsot recently [posted][poinsot disc] to the Bitcoin Development | ||
| Mailing List four Bitcoin Core security advisories for low severity | 
| Mailing List four Bitcoin Core security advisories for low severity | |
| Mailing List four Bitcoin Core security advisories for low-severity | 
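Review bot: the hyphenation change on this line (`low severity` to `low-severity`) touches only one of the three places the phrase appears in this item; the bold heading "Disclosure of four low severity vulnerabilities in Bitcoin Core" and the sentence "a low severity vulnerability is disclosed two weeks after the release" keep the unhyphenated form. Either hyphenate the compound modifier in all three places or leave all three as they are, so the item does not end up mixing both spellings.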
Feedback for @TumaBitcoiner
Added some suggestions to give credit to whoever discovered the CVEs and merged the mitigations.
Feel free to add or leave as is
| weeks after the release of a major version containing the fix. The four | ||
| disclosed vulnerabilities are the following: | ||
|  | ||
| - [CVE-2025-54604][]: Disk filling from spoofed self connections. This bug | 
I think it makes sense to work in credit to whoever found the vulnerability if you can.
In this case, Niklas Goegge and both Eugene Siegel and Niklas Goegge worked on the mitigation
Maybe adding
The vulnerability was disclosed responsibly by Niklas Goegge in March 2022. Eugene Siegel and Niklas Goegge merged a mitigation in July 2025.
| - [CVE-2025-46598][]: CPU DoS from unconfirmed transaction processing. This | ||
| bug would cause resource exhaustion when processing an unconfirmed | ||
| transaction. Patches for the first three vulnerabilities have been included | ||
| also in [Bitcoin Core 29.1][] and later minor releases. | 
| also in [Bitcoin Core 29.1][] and later minor releases. | |
| edge case. This bug was reported to the mailing list by Antoine Poinsot in April 2025. Pieter Wuille, Anthony Towns, and Antoine Poinsot implemented and merged the mitigation in August 2025. | 
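Review bot: this suggestion replaces the line "also in [Bitcoin Core 29.1][] and later minor releases." with text that starts "edge case. This bug was reported to the mailing list by Antoine Poinsot in April 2025", which is the credit for the remote-crash item (CVE-2025-46597, whose description ends "in a rare edge case"). Applied as written, it would cut the tail off the "Patches for the first three vulnerabilities have been included also in ..." sentence that sits under CVE-2025-46598 and splice the CVE-2025-46597 attribution in its place. Anchor the suggestion on the "edge case." line of the CVE-2025-46597 bullet instead, and wrap the added sentence to the same line width as the surrounding lines rather than leaving it as one long line.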
Force-pushed 21740e5 to e3ccc55
Force pushed some updates (I had begun making final changes already but took in changes recently made by @TumaBitcoiner). Added topic entries for the disclosures topic related to the news item.
Force-pushed e3ccc55 to a722c9e
Force-pushed 5ac8daf to a266742
Force-pushed a266742 to 7d5f57c
Noticed the notable code segment still had an errant PR, so removed it. Tweaked the topic entries and the lede. Squashed. Thank you @TumaBitcoiner and @Gustavojfe for authoring this week. Thanks to @LarryRuane for the review and @kevkevinpal for the review and suggestions in the news section. 🚀