[Pkg-bitcoin-devel] Bug#890003: electrum: CVE-2018-6353
Salvatore Bonaccorso
carnil at debian.org
Fri Feb 9 21:49:41 UTC 2018
Source: electrum
Version: 3.0.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/spesmilo/electrum/issues/3678

Hi,

the following vulnerability was published for electrum.

CVE-2018-6353[0]:
| The Python console in Electrum through 2.9.4 and 3.x through 3.0.5
| supports arbitrary Python code without considering (1)
| social-engineering attacks in which a user pastes code that they do not
| understand and (2) code pasted by a physically proximate attacker at an
| unattended workstation, which makes it easier for attackers to steal
| Bitcoin via hook code that runs at a later time when the wallet
| password has been entered, a different vulnerability than
| CVE-2018-1000022.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6353
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6353
[1] https://github.com/spesmilo/electrum/issues/3678

Regards,
Salvatore