author | Wladimir J. van der Laan <laanwj@gmail.com> | 2017-06-07 13:06:11 +0200 |
---|---|---|
committer | Wladimir J. van der Laan <laanwj@gmail.com> | 2017-06-07 13:06:11 +0200 |
commit | 7a643511b474d53f952d3cd403af51aabd104044 (patch) | |
tree | bc939008fc60ca87430e4f5b6ee66904088ce365 | |
parent | 5e408d99a219f80e3dab06d3ba03f102d404b886 (diff) |
doc: Fill in details about miniupnp CVE-2017-8798
-rw-r--r-- | doc/release-notes.md | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/doc/release-notes.md b/doc/release-notes.md index 1fbade55a7..defec1696d 100644 --- a/doc/release-notes.md +++ b/doc/release-notes.md @@ -33,7 +33,17 @@ Notable changes miniupnp CVE-2017-8798 ---------------------------- -[todo] +Bundled miniupnpc was updated to 2.0.20170509. This fixes an integer signedness error +(present in MiniUPnPc v1.4.20101221 through v2.0) that allows remote attackers +(within the LAN) to cause a denial of service or possibly have unspecified +other impact. + +This only affects users that have explicitly enabled UPnP through the GUI +setting or through the `-upnp` option, as since the last UPnP vulnerability +(in Bitcoin Core 0.10.3) it has been disabled by default. + +If you use this option, it is recommended to upgrade to this version as soon as +possible. 0.14.2 Change log ================= @@ -48,10 +58,10 @@ git merge commit are mentioned. ### P2P protocol and network code - #10424 `37a8fc5` Populate services in GetLocalAddress (morcos) -- #10441 `9e3ad50` net: only enforce expected services for half of outgoing connections (theuni) +- #10441 `9e3ad50` Only enforce expected services for half of outgoing connections (theuni) ### Build system -- #10414 `ffb0c4b` [depends] miniupnpc 2.0.20170509 (fanquake) +- #10414 `ffb0c4b` miniupnpc 2.0.20170509 (fanquake) - #10228 `ae479bc` Regenerate bitcoin-config.h as necessary (theuni) ### Miscellaneous |
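Review bot: In the first hunk (the "miniupnp CVE-2017-8798" section), the closing paragraph only tells users of the option to upgrade. Since the preceding paragraph already states that only users who explicitly enabled UPnP through the GUI setting or `-upnp` are affected, it would help to add that turning that setting off removes the exposure until the upgrade is done. The clause "as since the last UPnP vulnerability (in Bitcoin Core 0.10.3) it has been disabled by default" also reads awkwardly; consider "because UPnP has been disabled by default since the last UPnP vulnerability (in Bitcoin Core 0.10.3)". "This version" in the last sentence could name the release explicitly so the text still reads correctly when quoted outside these notes.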
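Review bot: In the second hunk (the 0.14.2 change log), dropping the `net:` prefix from #10441 and the `[depends]` prefix from #10414 is unrelated to the commit subject "Fill in details about miniupnp CVE-2017-8798"; mention this cleanup in the commit message or move it to its own commit. With the prefix gone, the #10414 entry reads only "miniupnpc 2.0.20170509", which no longer says what was done; wording such as "Update miniupnpc to 2.0.20170509" would match the new CVE paragraph, which refers to this same update.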