[Lightning-dev] Partial LND Vulnerability Disclosure, Upgrade to 0.11.x

Conner Fromknecht conner at lightning.engineering
Sat Oct 10 00:32:47 UTC 2020


Hi all,

For those looking to verify the gpg signature, please be sure the
support email is formatted
correctly. For example, the archive replaces "@" with " at ", and
apparently google groups
trims "support" to "sup...". If you run into issues, please double
check the plaintext matches
verbatim with what was sent on lightning-dev.

Cheers,
Conner


On Thu, Oct 8, 2020 at 5:19 PM Conner Fromknecht
<conner at lightning.engineering> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi all,
>
> We are writing to let the Lightning community know about the existence of
> vulnerabilities that affect lnd versions 0.10.x and below. The full details of
> these vulnerabilities will be disclosed on October 20, 2020. The circumstances
> surrounding the discovery resulted in a compressed disclosure timeline compared
> to our usual timeframes. We will be publishing more details about this in the
> coming weeks along with a comprehensive bug bounty program.
>
> While we have no reason to believe these vulnerabilities have been exploited in
> the wild, we strongly urge the community to upgrade to lnd 0.11.0 or above ASAP.
> Please ping us on the #lnd IRC channel, the LND Slack, or at
> support at lightning.engineering if you need any assistance in doing so. Upgrade
> instructions can be found in our installation docs:
> https://github.com/lightningnetwork/lnd/blob/master/docs/INSTALL.md#installing-lnd.
>
> Regards,
> Conner Fromknecht
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCAAdFiEEnI1hhop8SSADsnRO59c3tn+lkscFAl9/ozwACgkQ59c3tn+l
> kscVvBAAk21z6tlHPkOSwfj1lBE0pqc65A6Qa927WEjN5hdUpjjof4Xo2j+GzbnN
> Uoj4HGZu+koakzoVpJ4mzN+vg086zAnv+K668hhl7bbPHsQu6FqA1ALiAyy0nH6H
> 1yukXxpRflq53RTIVPjrEnFVdt6FCLhkCm9LuOk0a/SUf8D4b/N6OaB1Bxupeceu
> QFSCIkb9kvW/Eplwkv7PEnx/IZNGIQP9F11DaKLTAjWY5RnIxmCw/oamvlP8Mxt8
> /AqlzWVtPVqvwgJLhbMziraXNVV05naHrIXvbXrOI2Q7FZjdaxF+S4EKT4feuq1w
> iW7NYSS/u5N2FP3yK8YIdoX0I/nwYQQcpsfbAv2dS4Ql2Td/dyREId4NcchmaKSV
> N3w1jByMPWrgUtinl5WEDDOJdUKS2PHkQ95t3s/1uYDFsPz1kXJR2x37a/1AVz/K
> 6zQ45wFvHEopFR49hu/CV6MUvsvn4XKzPa46Ii7puaBaNqygx0RwuwlxbxCNxPNQ
> v45CaCUEq2Tj3stu7YoYGntFvrXVkxXJocn51eK6D+g0bIEXxaGlPJeTuvifKMTO
> 3T3ZEEbCe9UhDUT8Ja2boP2IIi8wAyExGS59k0tndQGzMSjkzWZ0fzgYyyf+y4nt
> r3nTCGi5WWe4y1i2KpiYZTRrQkbrNkRf+fnVdlnTS4lcgEWFFiY=
> =8t9Q
> -----END PGP SIGNATURE-----


More information about the Lightning-dev mailing list