improve the text a bit

Wladimir J. van der Laan 2015-10-12 14:34:32 +02:00
parent 5b4ca428ef
commit 8b4abfdc1f

@ -16,29 +16,31 @@ bannerclass: "alert"
Either Either
- turn off the checkbox in the GUI under Options → Network → Map port using UPNP (see above) - turn off the checkbox in the GUI under Options → Network → Map port using UPNP (see above)
- add `-upnp=0` to the command line options
- add the line `upnp=0` to your `bitcoin.conf` file - add the line `upnp=0` to your `bitcoin.conf` file
- add `-upnp=0` to the command line options
Alternatively, upgrade to a version of Bitcoin Core at least 0.10.3 or 0.11.1. Alternatively, upgrade to a version of Bitcoin Core at least 0.10.3 or 0.11.1.
These versions upgrade the library to a non-vulnerable version, as well as have These versions upgrade the library to a non-vulnerable version, as well as
upnp disabled by default to prevent this problem in the future. disable UPnP by default to prevent this problem in the future.
## Details ## Details
Version before 1.9.20151008 of the miniupnpc library are vulnerable to a buffer Version before 1.9.20151008 of the miniupnpc library are vulnerable to a buffer
overflow in the XML parser during initial network discovery. The overflow in the XML parser during initial network discovery. The
vulnerable code triggers at startup of Bitcoin Core if upnp is enabled. vulnerable code triggers at startup of Bitcoin Core if UPnP is enabled.
Details of the vulnerability can be found here: http://talosintel.com/reports/TALOS-2015-0035/ Details of the vulnerability can be found here: http://talosintel.com/reports/TALOS-2015-0035/
It has been verified that the vulnerability can be used to crash the application at startup. It has been verified that the vulnerability can be used to crash the
application at startup by running a malicious UPnP server on the local
network.
To have more connectable nodes, the Bitcoin Core executables distributed by To have more connectable nodes, the Bitcoin Core executables distributed by
bitcoin.org include the library and have always had UPnP functionality enabled bitcoin.org include the miniupnpc library and have always had UPnP
by default. functionality enabled by default, to forward the P2P port.
This applies to the distributed executables only, not when building from source or This applies to the distributed executables only, not those built from source or
using distribution provided packages. Self-built executables have UPnP disabled from distribution provided packages. Self-built executables have UPnP disabled
by default, unless `--enable-upnp-default` was provided to the configure script. by default, unless `--enable-upnp-default` was provided to the configure script.
Releases starting from 0.10.3 and 0.11.1, and the upcoming 0.12.0 will still ship Releases starting from 0.10.3 and 0.11.1, and the upcoming 0.12.0 will still ship
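Review bot: The first sentence under "## Details" still reads "Version before 1.9.20151008 of the miniupnpc library are vulnerable" on the new side, so the subject and verb disagree; since this commit is a wording pass, change it to "Versions before 1.9.20151008 of the miniupnpc library are vulnerable". In the same pass, "distribution provided packages" would read better hyphenated as "distribution-provided packages", and "upgrade to a version of Bitcoin Core at least 0.10.3 or 0.11.1" could be tightened to "upgrade to Bitcoin Core 0.10.3, 0.11.1 or later". The prose now uses "UPnP" consistently, but the GUI item in the mitigation list still says "Map port using UPNP"; confirm that matches the label the application displays, otherwise align it with the rest of the text.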