Package: bitcoind, bitcoin-qt Version: 0.3.24 Severity: serious Tags: security
I found this via <URL: https://security-tracker.debian.org/tracker/CVE-2013-2272 >, and report it here to make sure the package maintainers are aware of the issue, and to get a place to track its status in Debian. It is one of four open CVEs listed in the security tracker. Setting the version found to the one in the stable backport archive. The issue should also be present in the package available in unstable (0.7.2). This is the problem description: The penny-flooding protection mechanism in the CTxMemPool::accept method in bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 before 0.6.0.11rc1, 0.6.1 through 0.6.5 before 0.6.5rc1, and 0.7.x before 0.7.3rc1 allows remote attackers to determine associations between wallet addresses and IP addresses via a series of large Bitcoin transactions with insufficient fees. I expect the issue is fixed in 0.8.1 in experimental. -- Happy hacking Petter Reinholdtsen -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
