Source: bitcoin
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerability was published for bitcoin.

CVE-2021-31876[0]:
| Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the
| replacement policy specified in BIP125, which makes it easier for
| attackers to trigger a loss of funds, or a denial of service attack
| against downstream projects such as Lightning network nodes. An
| unconfirmed child transaction with nSequence = 0xff_ff_ff_ff, spending
| an unconfirmed parent with nSequence <= 0xff_ff_ff_fd, should be
| replaceable because there is inherited signaling by the child
| transaction. However, the actual PreChecks implementation does not
| enforce this. Instead, mempool rejects the replacement attempt of the
| unconfirmed child transaction.

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2021-31876
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-May/018893.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31876
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31876

Please adjust the affected versions in the BTS as needed.
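The following Python model is an added illustration of the two readings of the BIP125 opt-in rule that the CVE text contrasts; it is not part of the bug report and not Bitcoin Core's code. It encodes explicit signaling (any input with nSequence <= 0xfffffffd) and inherited signaling (any unconfirmed ancestor that signals), and shows that a check which consults only the conflicting transaction's own inputs, as the CVE describes for PreChecks, refuses to replace a final-sequence child of a signaling parent. The transaction ids, the mempool contents and all helper names (`signals_opt_in_rbf`, `unconfirmed_ancestors`, `replacement_verdicts`) are constructed for the example.

```python
"""
BIP125 opt-in replaceability: explicit signaling vs. inherited signaling.

Constructed illustration; not Bitcoin Core's code. The transaction ids,
the in-memory mempool and the helper names are invented for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

SEQUENCE_FINAL = 0xFFFFFFFF
# BIP125: a transaction explicitly signals replaceability when at least one
# of its inputs has nSequence <= 0xfffffffd (i.e. less than 0xffffffff - 1).
MAX_BIP125_RBF_SEQUENCE = 0xFFFFFFFD


@dataclass
class TxIn:
    prev_txid: str      # txid of the output being spent
    n_sequence: int     # nSequence field of this input


@dataclass
class Tx:
    txid: str
    vin: List[TxIn]


Mempool = Dict[str, Tx]  # txid -> unconfirmed transaction


def signals_opt_in_rbf(tx: Tx) -> bool:
    """Explicit BIP125 signaling: any input with nSequence <= 0xfffffffd."""
    return any(txin.n_sequence <= MAX_BIP125_RBF_SEQUENCE for txin in tx.vin)


def unconfirmed_ancestors(tx: Tx, mempool: Mempool) -> List[Tx]:
    """Every in-mempool transaction reachable through tx's inputs.

    Inputs that spend confirmed outputs (not present in the mempool) are
    ignored: a confirmed ancestor cannot be replaced, so it passes no
    signaling down to its descendants.
    """
    seen = set()
    stack = [tx]
    while stack:
        current = stack.pop()
        for txin in current.vin:
            parent = mempool.get(txin.prev_txid)
            if parent is not None and parent.txid not in seen:
                seen.add(parent.txid)
                stack.append(parent)
    return [mempool[txid] for txid in seen]


def is_replaceable_explicit_only(tx: Tx, mempool: Mempool) -> bool:
    """The behaviour the CVE text describes for the pre-fix PreChecks:
    only the conflicting transaction's own inputs are consulted."""
    return signals_opt_in_rbf(tx)


def is_replaceable_bip125(tx: Tx, mempool: Mempool) -> bool:
    """Full BIP125 rule: explicit signaling, or inherited signaling from any
    unconfirmed ancestor that itself signals."""
    if signals_opt_in_rbf(tx):
        return True
    return any(signals_opt_in_rbf(ancestor)
               for ancestor in unconfirmed_ancestors(tx, mempool))


def build_example_mempool() -> Mempool:
    """Constructed chain: parent signals (0xfffffffd); child and grandchild
    use the final sequence (0xffffffff). 'utxo_*' ids stand for confirmed
    outputs that are not in the mempool."""
    parent = Tx("parent", [TxIn("utxo_a", MAX_BIP125_RBF_SEQUENCE)])
    child = Tx("child", [TxIn("parent", SEQUENCE_FINAL)])
    grandchild = Tx("grandchild", [TxIn("child", SEQUENCE_FINAL)])
    # Unrelated: final sequence spending a confirmed output, no signaling path.
    standalone = Tx("standalone", [TxIn("utxo_b", SEQUENCE_FINAL)])
    return {tx.txid: tx for tx in (parent, child, grandchild, standalone)}


def replacement_verdicts(mempool: Mempool) -> Dict[str, tuple]:
    """For each mempool tx: (explicit-only verdict, BIP125 verdict).
    A (False, True) pair is exactly the case the CVE describes: replacing
    that transaction is rejected although BIP125 says it is replaceable."""
    return {txid: (is_replaceable_explicit_only(tx, mempool),
                   is_replaceable_bip125(tx, mempool))
            for txid, tx in mempool.items()}


if __name__ == "__main__":
    for txid, (explicit_only, bip125) in replacement_verdicts(build_example_mempool()).items():
        print(f"{txid:11s} explicit-only={explicit_only!s:5s} bip125={bip125}")
```

Running the block prints one line per transaction: `parent` is replaceable under both readings, `child` and `grandchild` only under the full BIP125 rule (the inherited-signaling case from the CVE text, which also propagates through more than one generation), and `standalone` under neither. The `seen` set in `unconfirmed_ancestors` keeps the walk finite on mempool graphs where several inputs share an ancestor.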