[Lightning-dev] CVEs assigned for lightning projects: please upgrade!

Olaoluwa Osuntokun laolu32 at gmail.com
Tue Sep 10 15:25:31 UTC 2019


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

We've confirmed instances of the CVE being exploited in the wild.  If you’re
not on the following versions of either of these implementations (these
versions are fully patched), then you need to upgrade now to avoid risk of
funds loss:
    * lnd v0.7.1 -- anything 0.7 and below is vulnerable
    * c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
    * eclair v0.3.1 -- anything 0.3 and below is vulnerable

We'd also like to remind the community that we still have limits in place on
the network to mitigate widespread funds loss, and please keep that in mind
when putting funds onto the network at this early stage.

If you have trouble updating for whatever reason, feel free to reach out to
the developers of the respective implementations referenced above.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


On Fri, Aug 30, 2019 at 2:34 AM Rusty Russell <rusty at rustcorp.com.au> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Security issues have been found in various lightning projects which
> could cause loss of funds.
>
> Full details will be released in 4 weeks (2019-09-27), please upgrade
> well before then.
>
> Affected releases:
>
>     CVE-2019-12998 c-lightning < 0.7.1
>     CVE-2019-12999 lnd < 0.7
>     CVE-2019-13000 eclair <= 0.3
>
> Cheers,
> Rusty.
> -----BEGIN PGP SIGNATURE-----
>
> -----END PGP SIGNATURE-----