[Pkg-bitcoin-devel] Bug#773624: Bug#773624: cgminer: CVE-2014-6251
Shawn L. Djernes
sdjernes at gmail.com
Mon Dec 22 16:17:51 UTC 2014
The CVE specifically says CPUminer which is not used for Bitcoin anymore
(or shouldn't be), not CGminer. Can someone who has the ability to change
CVE Bug Reports fix this?
On Sat, Dec 20, 2014 at 9:22 PM, Michael Gilbert <mgilbert at debian.org>
wrote:
> Package: cgminer
> Severity: important
> Tags: security
>
> Hi,
>
> the following vulnerability was published for cgminer.
>
> CVE-2014-6251[0]:
> | Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote
> | attackers to have an unspecified impact by sending a mining.subscribe
> | response with a large nonce2 length, then triggering the overflow with
> | a mining.notify request.
>
> Details are sparse, and note that the report is about cpuminer rather
> than cgminer, but since the two share a lot of code, I couldn't easily
> rule out cgminer being affected, so some research needs to be done.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-6251
>
> Please adjust the affected versions in the BTS as needed.
>
> _______________________________________________
> Pkg-bitcoin-devel mailing list
> Pkg-bitcoin-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-bitcoin-devel
>
--
Shawn L. Djernes
SD Consulting LLC
sdjernes at gmail.com
402.345.7734 | 402.350.6973 Cell
Fax: 888.297.6310
Apple Certified Consultant
Special Deals:
iPad with Retina Display. From $499.
<http://www.anrdoezrs.net/click-6259053-11031064>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-bitcoin-devel/attachments/20141222/1a18cbdb/attachment.html>
More information about the Pkg-bitcoin-devel
mailing list