[Lightning-dev] CVEs assigned for lightning projects: please upgrade!

We've confirmed instances of the CVE being exploited in the wild. If you’re not on the following versions of either of these implementations (these versions are fully patched), then you need to upgrade now to avoid risk of funds loss:

* lnd v0.7.1 -- anything 0.7 and below is vulnerable
* c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
* eclair v0.3.1 -- anything 0.3 and below is vulnerable

We'd also like to remind the community that we still have limits in place on the network to mitigate widespread funds loss, and please keep that in mind when putting funds onto the network at this early stage.

If you have trouble updating for whatever reason, feel free to reach out to the developers of the respective implementations referenced above.

On Fri, Aug 30, 2019 at 2:34 AM Rusty Russell <rusty at rustcorp.com.au> wrote:

> Security issues have been found in various lightning projects which
> could cause loss of funds.
>
> Full details will be released in 4 weeks (2019-09-27), please upgrade
> well before then.
>
> Affected releases:
>
> CVE-2019-12998 c-lightning < 0.7.1
> CVE-2019-12999 lnd < 0.7
> CVE-2019-13000 eclair <= 0.3
>
> Cheers,
> Rusty.