ZMQ: Update to 4.3.1 #874
Merged
ZMQ: Update to 4.3.1 #874
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is related to the BTC issue bitcoin/bitcoin#15188 and CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6250
justinvforvendetta
added a commit
that referenced
this pull request
Feb 19, 2019
This is related to the BTC issue bitcoin/bitcoin#15188 and CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6250
justinvforvendetta
added a commit
that referenced
this pull request
Feb 24, 2019
* Update randomized authentication for proxy connections * Adds copyrights to torcontroller Resolves #867 * Tor Hidden Services v3 (#872) * Initi v3 tor hidden services * Support hidden services (V3) for new nodes * Remove my laziness * Remove more logs * Add i2p support (#873) * add i2p support if using i2p wrapped daemon. it would be nice to eventually add i2pd as an option as well. * fix shmypo * Update zeromq to 4.3.1 (#874) (#875) This is related to the BTC issue bitcoin/bitcoin#15188 and CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6250 * [WIP] Bugfix block submission (#877) * Remove segwits segments from block template 🥳 * Disabling Segwit components (no pre-segwit) * Remove segwit switch from code 🧐 * Reenable version bit calculations * Enabling Chainparams genesis block and merkle root checks * Improve header parsing and correction for block parsing with older nodes #865 (#870) * Update randomized authentication for proxy connections * Adds copyrights to torcontroller Resolves #867 * Tor Hidden Services v3 (#872) * Initi v3 tor hidden services * Support hidden services (V3) for new nodes * Remove my laziness * Remove more logs * Add i2p support (#873) * add i2p support if using i2p wrapped daemon. it would be nice to eventually add i2pd as an option as well. * Fix testnet chain parameters * Refactor POW a bit for more readability * Include Blocksignatures as part of our generated blocks (also being transferred) * Fix pub-/privkey prefixes for testnet
justinvforvendetta
added a commit
that referenced
this pull request
Feb 24, 2019
* Remove segwits segments from block template 🥳 * Disabling Segwit components (no pre-segwit) * Remove segwit switch from code 🧐 * Reenable version bit calculations * Enabling Chainparams genesis block and merkle root checks * Update randomized authentication for proxy connections * Adds copyrights to torcontroller Resolves #867 * Tor Hidden Services v3 (#872) * Initi v3 tor hidden services * Support hidden services (V3) for new nodes * Remove my laziness * Remove more logs * Add i2p support (#873) * add i2p support if using i2p wrapped daemon. it would be nice to eventually add i2pd as an option as well. * fix shmypo * Update zeromq to 4.3.1 (#874) (#875) This is related to the BTC issue bitcoin/bitcoin#15188 and CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6250 * Improve header parsing and correction for block parsing with older nodes #865 (#870) * Update randomized authentication for proxy connections * Adds copyrights to torcontroller Resolves #867 * Tor Hidden Services v3 (#872) * Initi v3 tor hidden services * Support hidden services (V3) for new nodes * Remove my laziness * Remove more logs * Add i2p support (#873) * add i2p support if using i2p wrapped daemon. it would be nice to eventually add i2pd as an option as well. * Fix testnet chain parameters * Refactor POW a bit for more readability * Include Blocksignatures as part of our generated blocks (also being transferred) * Fix pub-/privkey prefixes for testnet * [WIP] Bugfix block submission (#877) * Remove segwits segments from block template 🥳 * Disabling Segwit components (no pre-segwit) * Remove segwit switch from code 🧐 * Reenable version bit calculations * Enabling Chainparams genesis block and merkle root checks * Improve header parsing and correction for block parsing with older nodes #865 (#870) * Update randomized authentication for proxy connections * Adds copyrights to torcontroller Resolves #867 * Tor Hidden Services v3 (#872) * Initi v3 tor hidden services * Support hidden services (V3) for new nodes * Remove my laziness * Remove more logs * Add i2p support (#873) * add i2p support if using i2p wrapped daemon. it would be nice to eventually add i2pd as an option as well. * Fix testnet chain parameters * Refactor POW a bit for more readability * Include Blocksignatures as part of our generated blocks (also being transferred) * Fix pub-/privkey prefixes for testnet * Remove previous invalidation schemes and replace them with our ones * Transfer methods into cpp file rather than inline methods * Enabling full mining capabilities * Fix compiling issues * Revert "Merge branch 'bench_tests' into develop" This reverts commit 3969482, reversing changes made to 33ce10b.
justinvforvendetta
pushed a commit
that referenced
this pull request
Feb 28, 2019
* Remove segwits segments from block template 🥳 * Disabling Segwit components (no pre-segwit) * Remove segwit switch from code 🧐 * Reenable version bit calculations * Enabling Chainparams genesis block and merkle root checks * Update randomized authentication for proxy connections * Adds copyrights to torcontroller Resolves #867 * Tor Hidden Services v3 (#872) * Initi v3 tor hidden services * Support hidden services (V3) for new nodes * Remove my laziness * Remove more logs * Add i2p support (#873) * add i2p support if using i2p wrapped daemon. it would be nice to eventually add i2pd as an option as well. * fix shmypo * Update zeromq to 4.3.1 (#874) (#875) This is related to the BTC issue bitcoin/bitcoin#15188 and CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6250 * Improve header parsing and correction for block parsing with older nodes #865 (#870) * Update randomized authentication for proxy connections * Adds copyrights to torcontroller Resolves #867 * Tor Hidden Services v3 (#872) * Initi v3 tor hidden services * Support hidden services (V3) for new nodes * Remove my laziness * Remove more logs * Add i2p support (#873) * add i2p support if using i2p wrapped daemon. it would be nice to eventually add i2pd as an option as well. * fix init/for bench * add chain to interfaces * add optional header * close def * add walletinit to makefile * add chain header to init * add int chain * update rpc util * move rawtx to node/tx * remove header dup * add zmq headers * remove zmqrpc hdr * remove unused boost deps * add zmqrpc * add zmq rpc to makefile * zmqheader * add zmqrpc to automake * update walletiinitinterface header * updates to node txs * Update init.cpp * updates * Update strencodings.h * add assumptions to compat * update banman * update addrdb * update addrman * update getcheaphash * add chain interface * update net_processing header * updates to node interface * updates to zmq notification interface * update zmq abstract notifier * update net header * move handlers to header * update cclientUIinterface * clean up, remove regtest * update logging * update logger on http server * isbindany * vaddednodes * remove dupe * close()) * SetLimited -> SetReachable * add argument * add arg * add arg * update to net * fixes * update w header parsing * update validation header ugh * fixes * fix torcontrol * loginstance * +}-( hue * pita * remove arg * update rest api * update blockchain rpc header * cblockindex updates * more cblockindex * Fix testnet chain parameters * Refactor POW a bit for more readability * Include Blocksignatures as part of our generated blocks (also being transferred) * Fix pub-/privkey prefixes for testnet * [WIP] Bugfix block submission (#877) * Remove segwits segments from block template 🥳 * Disabling Segwit components (no pre-segwit) * Remove segwit switch from code 🧐 * Reenable version bit calculations * Enabling Chainparams genesis block and merkle root checks * Improve header parsing and correction for block parsing with older nodes #865 (#870) * Update randomized authentication for proxy connections * Adds copyrights to torcontroller Resolves #867 * Tor Hidden Services v3 (#872) * Initi v3 tor hidden services * Support hidden services (V3) for new nodes * Remove my laziness * Remove more logs * Add i2p support (#873) * add i2p support if using i2p wrapped daemon. it would be nice to eventually add i2pd as an option as well. * Fix testnet chain parameters * Refactor POW a bit for more readability * Include Blocksignatures as part of our generated blocks (also being transferred) * Fix pub-/privkey prefixes for testnet * Develop (#878) * Update randomized authentication for proxy connections * Adds copyrights to torcontroller Resolves #867 * Tor Hidden Services v3 (#872) * Initi v3 tor hidden services * Support hidden services (V3) for new nodes * Remove my laziness * Remove more logs * Add i2p support (#873) * add i2p support if using i2p wrapped daemon. it would be nice to eventually add i2pd as an option as well. * fix shmypo * Update zeromq to 4.3.1 (#874) (#875) This is related to the BTC issue bitcoin/bitcoin#15188 and CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6250 * [WIP] Bugfix block submission (#877) * Remove segwits segments from block template 🥳 * Disabling Segwit components (no pre-segwit) * Remove segwit switch from code 🧐 * Reenable version bit calculations * Enabling Chainparams genesis block and merkle root checks * Improve header parsing and correction for block parsing with older nodes #865 (#870) * Update randomized authentication for proxy connections * Adds copyrights to torcontroller Resolves #867 * Tor Hidden Services v3 (#872) * Initi v3 tor hidden services * Support hidden services (V3) for new nodes * Remove my laziness * Remove more logs * Add i2p support (#873) * add i2p support if using i2p wrapped daemon. it would be nice to eventually add i2pd as an option as well. * Fix testnet chain parameters * Refactor POW a bit for more readability * Include Blocksignatures as part of our generated blocks (also being transferred) * Fix pub-/privkey prefixes for testnet * add isbindany back to netaddress header * update blockchain rpc * update blockchain rpc header * fix blockchain rpc header * Move versionbits info out of versionbits.o * Remove previous invalidation schemes and replace them with our ones * Transfer methods into cpp file rather than inline methods * Enabling full mining capabilities * Fix compiling issues * Revert "Merge branch 'bench_tests' into develop" This reverts commit 3969482, reversing changes made to 33ce10b. * Revert "Merge branch 'bench_tests' into develop" This reverts commit efc7e3b, reversing changes made to b508db7. * Fix linking issues for wallet signing * Update README.md * Remove the useless rest of a merge conflict 🙉
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
XVG has a vulnerable version of the dependency zeromq, and puts the users which have this feature enabled at risk for a remote-code-execution bug related to CVE-2019-6250 .
This bug can also be triggered via a malicious website talking to localhost via a browser that is on the same computer as a full node with zeromq enabled, using a "DNS rebinding attack". Many
automated tools to perform these attacks now exist, some written by Google Project Zero researchers.
Many block explorers and mining pools use zeromq and are particularly at risk. Exchanges may also have this feature enabled. This vulnerability can lead to exfiltration of private keys, loss of funds and potentially backdooring of servers.
Example Scenarios
Remote Node attack
Local Node attack
Any application which uses a XVG node with zeromq enabled is vulnerable, Insight explorers are just a common and well-known example.
All versions of zeromq from 4.2.0 to 4.3.0 are vulnerable, so this Pull Request upgrades XVG to 4.3.1, bringing XVG in sync with BTC upstream.
Block explorers and mining pools should be updated with this new dependency, as well as any other applications that enable zeromq. Changing configurations to add authentication to zeromq and specifically not trust all connections from localhost is also highly encouraged.
A bounty would be greatly appreciated at this address:
and will help fund my future security research in XVG.
My GPG keys can be obtained from Keybase if desired.
Thanks,
Duke Leto
Motivation and Context
Maintain the security of full nodes with zeromq enabled.
Types of changes
Checklist: