From 7a643511b474d53f952d3cd403af51aabd104044 Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Wed, 7 Jun 2017 13:06:11 +0200 Subject: doc: Fill in details about miniupnp CVE-2017-8798 --- doc/release-notes.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/doc/release-notes.md b/doc/release-notes.md index 1fbade55a7..defec1696d 100644 --- a/doc/release-notes.md +++ b/doc/release-notes.md @@ -33,7 +33,17 @@ Notable changes miniupnp CVE-2017-8798 ---------------------------- -[todo] +Bundled miniupnpc was updated to 2.0.20170509. This fixes an integer signedness error +(present in MiniUPnPc v1.4.20101221 through v2.0) that allows remote attackers +(within the LAN) to cause a denial of service or possibly have unspecified +other impact. + +This only affects users that have explicitly enabled UPnP through the GUI +setting or through the `-upnp` option, as since the last UPnP vulnerability +(in Bitcoin Core 0.10.3) it has been disabled by default. + +If you use this option, it is recommended to upgrade to this version as soon as +possible. 0.14.2 Change log ================= @@ -48,10 +58,10 @@ git merge commit are mentioned. ### P2P protocol and network code - #10424 `37a8fc5` Populate services in GetLocalAddress (morcos) -- #10441 `9e3ad50` net: only enforce expected services for half of outgoing connections (theuni) +- #10441 `9e3ad50` Only enforce expected services for half of outgoing connections (theuni) ### Build system -- #10414 `ffb0c4b` [depends] miniupnpc 2.0.20170509 (fanquake) +- #10414 `ffb0c4b` miniupnpc 2.0.20170509 (fanquake) - #10228 `ae479bc` Regenerate bitcoin-config.h as necessary (theuni) ### Miscellaneous -- cgit v1.2.3
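Review bot: In the first hunk (`@@ -33,7 +33,17 @@`), the closing paragraph "If you use this option, it is recommended to upgrade to this version as soon as possible" offers no interim step for users who cannot upgrade immediately. Since the paragraph before it says only users who explicitly enabled UPnP through the GUI setting or the `-upnp` option are affected, consider adding that turning that setting off again avoids exposure until the upgrade is done. The clause "as since the last UPnP vulnerability (in Bitcoin Core 0.10.3) it has been disabled by default" is also hard to parse; something like "because UPnP has been disabled by default since the last UPnP vulnerability (in Bitcoin Core 0.10.3)" reads more clearly.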
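Review bot: In the second hunk (`@@ -48,10 +58,10 @@`), the changelog edits that drop the `net:` prefix from #10441 and the `[depends]` prefix from #10414 are not covered by the subject line "doc: Fill in details about miniupnp CVE-2017-8798"; mention the title cleanup in the commit message or split it into its own commit. With the prefix removed, the #10414 entry reads only "miniupnpc 2.0.20170509", which no longer says what was done; consider wording it as an update of miniupnpc to that version and pointing to the CVE-2017-8798 section so readers scanning the Build system list can see it carries a security fix.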