From 68586b6a69a3a6291dd81a8fa1ca6660e09d6537 Mon Sep 17 00:00:00 2001
From: "Wladimir J. van der Laan"
Date: Mon, 12 Oct 2015 13:56:56 +0200
Subject: [PATCH 1/6] add warning about UPnP vulnerability

---
 _alerts/2015-10-12-upnp-vulnerability.md | 54 +++++++++++++++++++++++
 _alerts/disable_upnp.png | Bin 0 -> 18819 bytes
 2 files changed, 54 insertions(+)
 create mode 100644 _alerts/2015-10-12-upnp-vulnerability.md
 create mode 100644 _alerts/disable_upnp.png

diff --git a/_alerts/2015-10-12-upnp-vulnerability.md b/_alerts/2015-10-12-upnp-vulnerability.md
new file mode 100644
index 00000000..bb0ff59e
--- /dev/null
+++ b/_alerts/2015-10-12-upnp-vulnerability.md
@@ -0,0 +1,54 @@
+---
+## This file is licensed under the MIT License (MIT) available on
+## http://opensource.org/licenses/MIT.
+
+title: "Vulnerability in UPnP library used by Bitcoin Core"
+shorturl: "upnp-vulnerability"
+active: true
+#banner: "WARNING: serious vulnerability in UPnP library used by Bitcoin Core (click here to read)"
+bannerclass: "alert"
+---
+
+## Summary
+
+![Disabling UPnP in the GUI](disable_upnp.png)
+
+Either
+
+- turn off the checkbox in the GUI under Options → Network → Map port using UPNP (see above)
+- add `-upnp=0` to the command line options
+- add the line `upnp=0` to your `bitcoin.conf` file
+
+Alternatively, upgrade to a version of Bitcoin Core at least 0.10.3 or 0.11.1.
+These versions upgrade the library to a non-vulnerable version, as well as have
+upnp disabled by default to prevent this problem in the future.
+
+## Details
+
+Version before 1.9.20151008 of the miniupnpc library are vulnerable to a buffer
+overflow in the XML parser during initial network discovery. The
+vulnerable code triggers at startup of Bitcoin Core if upnp is enabled.
+
+Details of the vulnerability can be found here: http://talosintel.com/reports/TALOS-2015-0035/
+
+It has been verified that the vulnerability can be used to crash the application at startup.
+
+To have more connectable nodes, the Bitcoin Core executables distributed by
+bitcoin.org include the library and have always had UPnP functionality enabled
+by default.
+
+This applies to the distributed executables only, not when building from source or
+using distribution provided packages. Self-built executables have UPnP disabled
+by default, unless `--enable-upnp-default` was provided to the configure script.
+
+Releases starting from 0.10.3 and 0.11.1, and the upcoming 0.12.0 will still ship
+with (a patched version) of the library, but no longer enable the functionality by default.
+
+## Mitigation
+
+Bitcoin Core executables are compiled with Address Space Layout Randomization (ASLR),
+Stack Smashing Protection (SSP), and non-executable stack and heap (DEP) enabled. This
+makes it harder to use this vulnerability for remote code execution or private
+key leaks. However, it is still advised to upgrade, or if not possible, disable
+UPnP as soon as possible.
+
diff --git a/_alerts/disable_upnp.png b/_alerts/disable_upnp.png new file mode 100644 index 0000000000000000000000000000000000000000..d069d7e0ad91bc4cbd083460e5daf031b4c37c60 GIT binary patch literal 18819 zcmeIaby$>L`!+h*A|WLups2KfbYsv+cS}fj!w@P`5+gY@0@B?uq#}&8k$A`Nf}4b(s<1$W2=b4F?G17Qw|o3`kr82{?G&QBp?q`XnaS zEm~~<<9F^5$UTUp$TMZv5%jo=HlbR>wT($jeHV>aDsflMTJ9(mi=gg2d_|}$di8$z zZ5d@{^rKC(kklT!=ufEzavZ8xt^|sO&}Gq?GYu6f;^P&4Ql=kWqcY?och*qAc$U1r zP*>fKj%7FLB3+p3z^du!Y3ixjZ@CSDJYD@!qo$Vf^pz=OM`tx*U1{JAvsq9qm z(x5cOoF6g}h&=TBoPD)+!NoICirI?vDhx#N+9DzhM4RZi%9IyK^9%~M*q1aBt#kHo zpWX|TU=@HsKIQ8hY7r0+C@Cp{#}_YNgh@QSedEAG2%Lv~^<5l)m;J$k<TfxlCOjkEao{r-7~9N=^<7d*X~9 za@(HYJoIqZ*VK$V+LdkkIuoG8t^ne9PkV5$4? zkBE3iud%ZOQ7QVDcSqFOL^?+}=Ea2`KEk;Tc{3uO?G?9?{JuBgb@tHp+4j!LkxCn3 z;|>x6f{3fP?i4AdgU6Vdm|#-&4A0{|FdI>mCo@RcDjF>yAV7#Ix+%=Y&d$iY5+2KQ z_>yc2l^Y9&5)gnV5m&K}-X2$m(PSjR1$0uW{nE~BFnRdgXZ zsNSocn)o#{&lVFrDGv`152fIrUs%XhX1ILW2b?Wl*xR?y6cq59SSk3O1-#EZ9q%>8!FA0 z?|1q<*~xp~1#7l;UU9u%&`L%o-SR=ss#qptA%dd$zFn%ogKjk zSYg!bXLS)Zdx@Qo<)4UnSd+6fc;#!xk$ud`W8Ln}w!+KA#J0`CfGArz;we-Pk#h&uk$)R^0|(? zwYBASI0qldRU^K0N67Q2jIBq-xHnBt`Vn3frDomA*BSBV^w+S$L~Pt3&$j#coNGNL zl-ZF2?YP30mex!^>0ZCa6f>Pj&0jc|amK&Nv8*7#^1Zv;J6em55ycrS*>pyL+&43R z{p~)Hos6aCUNYD4z|cpD)>6xHL|8RmvO;THsfv;fVab&iX6B!m zI^4oDZx0Yew({_FK_EF?H31UM#w1Hs#_B@PuUvXtS9gkVS~)pA<#$G_tE#pzH#jc! 
zf-Q+&T^+v8-A4cT@nc3tf}m!wj}z52G&S*iP7b$^ca~m=#G+ zmi8KMM^H-^M8?O(RU5xOmL=)w7r=I=-C%I8gke{G_bRSGDdcICTp(p5nB z^k|n6wMD#{p&T90sw%G;8z1J%86R*(Mr#0iDE^+VQ@HG5YA=6aYdRZ4ryL^knaEg6 zKKaSQ3ySJC@yb3Uk#B`8Qv{n1U3%Sy0eJ|oQrn!uZDjPp6$!|j-^?b8T{ghveIdeN5TINeE`5wbkHsITg+4c$sE}*8+2_Yi|HbYaM4r8`kQhV3 zS~da>C%%1KUQsbTK3+>x(|vQgIf$4Ad~bLU!qO+{Q&r^y(@M<-RI`1<~Jm?NZtJ^iCIaI<% zM>x2q@S=!}C#oY3j;Y|ubByN>8ifzndG)AiM7{QW7h@*bw*%YhD7D9+Ma3@NYZYRb z@Cwn{3CPp#lW>K(*CK@)$?H!f%twEGRJddOIVm()^1G+3JLP?Sp2*|H>}*dTcVh#^ zJFhbnM~NLmzUW_p$VbHJj8=YYNo20vnQHPM9v*(IS@vpOfryxRvf3e2zsV2n;4>%S zwlxbDeW6-m5+8z$!?ehH9MRjWmj2$04B`QCOVP9Pwqb7L{f=Thoz*Xs54c7=Qud>7M}ow_@j=ehWV2r{LRaJb)k(;6rZffQJjT_0$odn*IP{ITG1;4l+;h z9~&Lp?_wR`ML%_X76D`xAqFo^y#*e6uKxC(KM(!!F%Uu5#di#-3{Mnd2u-fmrH=+L z-%XlVrRaQfQ^~kMgY-S#l{YTzh>5|x=j{0As~s6@T{`ajYl8Z19aU9Td?ROkcCN49 z-P&+YU3uKa(BJn?lfN`O4URb(Qfj^`EWrBZY8FG`UQElVAbnBaI|Nh|$JW)9i|EBQ z`4<=CdUG+Go@3Xn4qw+urBkPljS1k&>8-LgH$Mt`=hfEH=GA27=6W>I?fORO zIz&XxS1cs9%4xK#x0j7tk&aN|7}tZ7?Nh3f`R;13+Jno?v^tNdqokbB2RE;aFRcmU zSt_6Gq9%pvo1C~ZG#`9U_?{KBv(vCkNcZ@$AoT3r^OP)K@eb*l{d6BKg;yvNT4L_& z;`GN2042ut(Bv$kgVy&qm}jJ1_}YkbFXW7f^Om4?G=e;OG|vxE$C4l&zk;{ z=IfQ#lM30&n7-6&-&$c%Ct5A#+P7Mlaeo=)veAFTj@poO;YhJGu0dON= zFFqZ?*JIOKUOL)Fx*r}qnyi%(S)-hgh8HT*mPw_55RPRvnSgN))(!AgsXV97c3FHn zTizbX=;JeJGlqYsz7PSEgk;tA0I197vTS?UrUGW`xJz&)L*|>o18Ri(svm6K7K|w( zXtZ0)CCl5!X@4V$-y83kabvA0Ajez`i4)2lZo?4OmMNE`46!E^mFHVt*`OJjZgdbcLB zih1zmiBdf5PQ6ueOA~vmBdQ!#q_}JiWTZc5rzWU zy-1zPtiz{QlccRm!+*ZuYu(E%KnV*_^?Q#)$@6o%IwJQSTnu?vnK-)Dh&tsS4TEL# zRx^4jO^U;2f{FiF!Om`TV1+v`Kfc0zI8{j;$sV}S-e#1Yy(B5A=EOChj;B~oD!jGA zQn@}B5g*^q%vV?Nhc=VP@V6|K1UC>zUgrtMHwArz1R;UUYQJ)$b zN5l3zROr!~h=30tFass{U3M27qo_`?nmqce(?k^I>K>X7e@Ggy(GhSl*m_^QGH64S zT3b8znGyBX<$QS%<K~4Qi%AR|6*=WPTaBVa0*t*mo^XxSKv#A@m!cxN zl6agYN{y5l8DG3mI0<|o9*(aDp8#dU@yz1pyLaz!LRZ@dS{Lkwi7&lwZTeui6O-3Gu_^ z={`E2(m6I|;A&N}adWTq=pa0r&5?VnLvB$aAx`QC^$7`?AY2AC8>}vkt2H&eBAIV1 
zU*YVl!w(Eh`l6B(Nu<&~Z$0OLkjhfd5oXcuJ;62(KsBZZ5f2Spb=%lxBcsv|c>`sOS8Nk=UYI0ouNkZXJ^umA7Lnv7%CN^rk**>ZsJqmqVrJv~|$aS|{=LJDsH^R7+;TNjI|X=Z!P; zu#ew)3cl{GitOhAyP*i(>2*21Y#8*!p7uM>sPOra|kr{YY z4l}=e`3za-ZaGvgW4{N17Pl<>@>p#Sqi|iz_E5WPxSR~<5eSgEaV(> z9w0Q!4nBc|;3@2+KibIpvYT?8jMIE^s6Ia>MMBOn<0aYt>DblYq=FDKPHmoZsMCAp zDXf>L56PQY*Q}EfHJ(x;gEIMEr>}jCi&efz_ZJGA8W&nOUhhQ1C_kKWTja;Doj8?t z9Ss!b$7{Mlv2$YARB#a$k~7GTq?%XD+@&eQfBLA|-M0^J0Sh zIF48<9%&uL<1Ay63~=o7wMBNO4h{|g zcF;V&?-aE}1@g?^*A+>VN%xuIwfq{YTUs)J49Q#{`8X$&AE#_g<}x)s2lB-Vs(^!w z%iX_*?33nIe@n~%EjWXNikc@OC&6h+fF2dTU6Ld=XuEB$VxzqJ6ct60moZ7XwY5#m zq`5aooJ>j@Xt#%vrK&=z<23#G1n1%PqavD7y+dJ@0@|>j>v0(7*9yL0hBWf?ttfg2 zPHUZTHFK@j05+nRe={VsTy=bPl+V#MD;{&B-p<*%AiSowwxc6Y>P|DUK>es6)-tz| zyl^lZL^&d0u}MXR$p3VP2w)z>yNHbaQEmXu%yk@Fjb1MTAe8k&cYEr9%l*9My7>gQ zzz!~Cy*n?coBJsXz(+bCn6)e{b^uiBzb`4*>#6RY)T!Pu2pp^bUBAU`|n=Ab$No{S-^Ow7zk@j!k68>XI&R6akR znVDIGa7W2lbuYJIacb$9EO)HiwXwddv(wPR*51y+HjzpuA1*QqZ(J>8^RPo9pj5Mj_!Kd#aX3H&^f zaybmeOxtzpH9x55Qm;rVK!pq0*fY_g4$E@L#DN!Tt7I#KbX#gYBErN)otlfXJ~+TJ z$)pgr8UNDtiaO08L3>Of`%GkhxB%}!vh?u zMNSS*&Q6;Hy2QQ*yJL$(n*`{7@KtEF>Uig&$MdV>b zD-%-(w~czKusy7T!E$vnyVzo!Fd+TW8pL=SS{ir?Ek4(?&6ZY2d5dnrSu|qw zwDdu?IxKn zf=~&Wm%)s~UlsIlrFkNFpk41kIQLr}$$L7ex@!e-&}~E_BJNSI}QgD zdBtI2zSX=nwu1>&;0Sw1H(Woak?KxEfCf&J@tb*(*>sz1_>C*?;9O`oyJBr-+SL2H zm#wVwyU*S1=Fx7aTaVENwoEP-lMy`yCWuJ9*OENI+3IFE0*ND_!@~AA0n{Q@~rDWL9uT z`t8$3U0;Hr5I!fz9V-4OQ;yTYHfN=XJ*|JHSuBe|Q3>SwaY_TKj=Gc}SmMeyT(nh>gp=%k5q zB<;BHS_F7%zqCGoOj6iZ4G}iH`$8ZO={j#Ftu%=cT zsOUd2i^5^uuYRS1^u-eM-YdV}BoXE5rw=kKJo+XUmdC1G=yfo*X;8Nu9JmUuuZ>re zj$;FvhY=A#$IM)iT1jb=@u>y_gzABB$n~6tV|Cg;3g*y6eTJwHIv_abo~>Izn+7cM zx^fh?wM*z0GduFoniH}h>Qm|*IRpjF+8<5{8$kCKodwQ}>?9?LtPy)WKAo!Wy z1(cMOAY~Hff6}eaaM7I^z3Y;3bv-J$Ilc($Kv2vk*6f1{x_CuZ*#v}feLa|+y`5Hx zWqOT&rSUOiDeo#~Io!zDIAnur{U_b-#*PfaUZ!ULt?mmYrM?qCm||rq8#x~+7?0Cx z{9VwSt|t+YH~Wr*%{0+`mHlvxa-f90?+a8_mC>v;@A*jHuhzO^LWO5 zXS}H2Dk~d4F%gkD*C)34KI_kW;XknBh3%aA;&1Z{z3OlKD8CxFFTPe>Sqb7(X;ML7 z0oOlr!HfbK#8odXH@sR@@*mYE_45C9d8&5y 
zg&<5~_E)_(o7P3~DBN8nGCX{Fzgo`c+V1hLQ^;7&iv=3MqpeTWp;s*fvvfwedJCwE zSC;d({}JmAio=XAGgMdGhxF^(ubni590y=>UqfPIbW%a-Jlr|axje0>N5LZZF{~ zfX`T?(c^VJ_o@iG+=4iO`qnL~h4Jq!_v(PS>^`BifD2@qu|NL#) ziZ~!rJckfb)zuoXwca^KRsISa69WV7*!khnQD1Sfg}DW)kdW=I&A#eDH3K^Qa?>6G zfs1R@KkPspS@TL=CBC${7zY->%)}Ht;r%LW@q=t0>mv^#Z;vVE)3e9k)(7u#|KHeBv0Z8^4N79qC60(ece)8r{aJWtnz zhU7D;4svd2rSOfMmo)sgKYt|Eg+X0xnu@PN|9)29E5@IpI?59kqnkcwKg-nX-avxuAs58ao<@$N?O_{y5I&Zn1&h(ttm2fh3&ywf9o{K=JqeDI44zMxO#33AZvSPxQh8_HgS^mcrr;13Sgqy`0m z6WXniqQKY*PBf^(oU ze|kDx^qKH$e^IYMKvJv@1sK!*w>M%sSA9$GBVOG_I8HEAPx@<{mfC$x!gc? zXxy?Ncgw+H8{lk425&&u(h^q=Sa2(sK+BP3aZI{febIUqYV$P>7(d5h1(Uc`;}mzQ zJzBrMClDX0bWpE-SanpP0%W7TldHbZQ%od7G^$KBz`E;B6go38sNMhgMfjvDGC-Cl zL8IPacQ(+FK(3iN;rw(jQU5sAU}ryEF?)<04kYc?xtBr%t1MCdN>-J()Bf=i|CG*7EF02VAuz~u> z@#oK};#)FLkcm^%MD57j+R(w8T#?|;uh=TOalZEASCH@|H_;${|ivEv~F)#Mak{O6>dtV}$>diwvhvfx`$ zW~8S-{COGr%P?_wcC#VIvnJ4VvOZ=L<188BWngL9KbIy863fu}=sM9ZJ{~>M2OTK& zwA{m&i2}NGgsRG`pt=EYZ+6p_kCr)1;fXA>H5ehPfVRQ0aDnBu1|Nsh9UGCD^kRqi3F)A`X%Y3R5#kIj>WqL zvSRN5AgYBtcGTs{)e0vAM!bux{H=9`yogyIow}q(#5>Mu9<1q&A0Z0V%lFcug6{ol z-ggC^xB6o#_?uc_yR_7qFzC1DWFU2z;CBxXkEqAQXEO>z*8pu)W5;usT9W`#{5lAC zZ*{!YIjCz>5m#I(mxl4h^Xs^GZ8yhS0Yj8#h@ESoM&k8iW_c& zTtuz|qFR|X)#vm~+}%y!@SqSV@&@C>3lyPVzwh&ihK9;%jV`ReuX=XuFzA`IPr9H^ zrZ+$TW5L7#MMcF^p?$L-pS&9C3qUkovJOLst-TTRHorddEU? 
zuCkM@pcJsh(4)w74R(I&W#(1)2Z!@b;xI#4vaQonK5u1vYpdB<)%{~WPEMc&O?qlWcN_sNNKZUboSaNFS5KJU*_X|LJW6>!T^%wC&#d`?K6jC`#J zDg=9*C@lj6%QE0g0-V->iz6XG3oqx$AKb1tBAAQ&jPuypK24rZ`LltGh+LxiH4iU; zoK@t3H$|;wPs)R0k^U@&rWI7g@PG=#z&Mn?MQr+myCiisH*=#N6W0#OPcOEqm$F@b zA97T#>%Wk0PfbnT5{LNf=MMA@j6fepv=0%7kaL%ml^vY!Kd5$dqo5eI$ltXIr&p0W zok=$X^)4Z1Gpq2V=&kt@h0O7(Bb*iUA$m%(Fb2kMf_%3HADuJ&$WGV+DF8RQ*CIy$Dx)II#f zD7Z!VUklZs51810FH0}&#l=wSVUZINdw-~lj*5%x5{vA<-5sJ;k;vnOC@b3m7)Ls~ zknG1~eyT1t^`2%zh*RG@6-SUDWuaoWqbfgok7^tg`@4ZMCAnllLmRqFjiayv!1z`2u9y#xITVREzNgng@X}7!a+*Dd z;K?MB*scsx&=T)g9Yg?Rmv5w^L=z${DHE~hs8i#$4G7f$)3$GKp!C^-LT8R(5A?SZ z0F;-Q?*u+*S)~lFEK(!cmk~T!v}9s}ItwAw_|Po&545DXw)LrkxAdHa&AcHZNXsAQ zp0824d0w9=B?3s5Oc_$DT6?R^0$Bifk3AMY-cP#BxSZ~tiQ`cZHcSK6QCd-vgh@H5 zUEH7+g|D%W?y6MQGDIAC%-HFjo0Wv8XReftTP z%TAtdu2bX47vUP3C?ZQHJimTSs?-q6iEi&6{xy$(V-va%ZBA85czL0Tz(+{TtXol9 zdS4&|L;e;k2sS?|bo~Ff_-)}I_$~J|ACzo5jvkby=|m9OKp;4MHjXtunhj_B?1^o#K^{md*wW%juvU4>vi@{w7vdhn*BlA7Tg(F zo;>`paC91Y7m;pGo|zRVC3Vos0zjSpL|>L?G}gfnEQZ7PfLpBP45hDr{=3 zo9^r}dIkpQ$Gmy+U|?lJT2hdVJX0~7#BXUR#S_Jx$haN7CzgT?C{r=lvz9t|MXOf9olKH*A6nkoM0r%lR>^BEq zUO7&+^X;#X7;|a5>Y$1I-cv^*@o^^1f;MJ0ggLeW($do1Nevt6lRwl(M9`ZA`C8?R zG^_SN3^GK{_#e5N!CtlaybMeE-i`7{&eSd0BApPtut7 zzcJx9@s-t~aEUgW$kiR{96$Wx_diNWObyXhw1R=vw6UF0Dne$^#*YBfP+u)gD6HkvXmJZ55e?KslcdL zABcNuWABi~#l_8Yd-O9>+pkGUQD5swU&#N!g&8IMp$v9+*RK2zQd@6H0{D5) zPxnuIOGm7;LLhq5-nrN z@K!oY?p2y`#%j0Jn~qh5rKdNqH&C^9wyyvcF+ASY3cR0oVQI4}VjSUIT*hhwAFHzK z>*(nJ@uNsvpBb*DsQp#fngMR^KJku$_hL2^kt&adM~6c<&*K8l&iH4(_ZYg1ebguE zyM_%Qj2P*sitLn8RxYkV{i$Pn`y{bd;YQuW_Aaj~hy4lP?S&S~pazG1O6a478C}7O z^^utiwcJ2)Tn6DaGk-RTvxmN4URtUTk8Cx9Q3_XBo2PraNHKBMCV6awbqdTRQSms- zZntt~zSH~H>8ZHIS6K4L+Rh(tPebYHvB~;Tyzk<@&vpS80G^!Ih`X0BUk+w#gp%p} zlYtI2ote)+JwkvlJlzWFevYy+_HJG6@9AlL`U5#o9S-ACKAW$t0EPuA0G|wT{0b&( zL1>~5kBS17U~K&90_CWmOv7!3V`nRNHcHD=Cse0at2}kSXK2dDiNRrw6DP`9(tg3G?|z=fAV0v$Iz}W(Os3J4YEH&V8)IZkDrub9oOU0cic(D8I63V0H1)U^PE3w+R15i92TWIUKZamGUXCXrM-}RI4-F0dkbj7eiGAf7P}-3f{(2mLr66X{*|`Nk 
zvZLEsgxJ{_ymh{RQII;gGO!Qf{}IQ!2we4dMAZZXKc|W(*qyn{z50aliERT_a^c4M zTDbA%0R|+ekN-Hv=GCivV#FX7+(Rtm3zS^t!G}z!RG|RvaN$7vH#gaZ=j>m6YJVL1 zkK607491^_{_v{(I`luYul@0=KOJrV{}}$fJbz65pPs=#4*fatzYhJyj0Y~y{|Bx` zBY%k6VJbjpJ$iuBGD&S89wto$YtM-uF_?$-+yn!NE^jWhn*T>mR4%dQq^}g`JFZ}h zTAU2i6rzJ{M5jqJ!>P_5RG7f5ku!34;E{_=O23m=&qP2nY>-Y=r>IdXA5YiN8n{y+ zD5!dQV#<)@r)O{hs7(}=`dUIM71Y&T*L4|cSQ#0iW8chhLVJa*eWvATuzpYHkw@Hv zJs1()50f6G0(C`Dz>`YgJ8-Cz{YKqQEdjbAZl0!XKn(b^*u+C(7lGulwJBZi7N74d zvnci(1&1E1Ljj%IMg4u!oLb@d#wNwuPdX=iyJNQ%9BTVtX27tBpm?9O$j1?z_qKDx zFaSMNv-ci2F9aQKtUB$YL%UkU#hQ7ltH31b)+FVP>x|@@+H78k<1nCo7b9l|;`{Ps znBnKnKR*H?#y#Ku^pl3VoDU6 zytQ!rdmI&E#}H(~%kf|J7fF%(7Tf?OCJK0&9!1{FMdeLWRU;=RtdSL+%S6I!12f9c zQ=g~s>@WBNw-ji_xG`RINMMp#db4=uvRFRW&4Dqg>X87`xg2>5i`;`Dp91DCKz;;f zRaL3e-M+%21qhv5b*3}xmYrSl%0-QO5XUzfF^IbpwTWsu_~!57wHmR7$=@a*sxUY- zsOX6M5%O5eqsV4mmKrb{{e8G2E6c+at1Sz2b2K{Dcj}MTD(edvRr3edm{(QGDoM&L zMZ4F=nUnaRxP2XRS~=HIE3HUP{fdMopB!zw?`qB+J%je~RqDo0MYI~-xicTnokzbP zmp)#3!ILa0 z5TC5~RD_;B8(=XGQ~3rxJ=FI){xUW6M1DKSeGc|XG)aP!m9SedB>!KXiL%miD5g9e zElu|$c`6{r_kFp1yf8lp#GZ%CKyt22e2iCaF)B8)`ylXhQW9u#V(MU_ixDy$tYlx9 zotrCpRQJ28|3Hi8uPjVJvzR+LJsrWCv~kye+6M~s7S5tar?U$EA0mdneIQ`oc$J2w76baT3;Wyh*=Ff(pNCa$gHG2~cBM_R*ZpGh@X zNh7RagG#yD=!#02n@gE51GUDuD+$S54Ft$)7Z%^=Uv8(FG}DBTbDGMZ{|Fm8IeCXe zF@hHsSlpBIGoPx$I$cNI+scCy?s@U zm^BLQK~vme+HX~qQr{76CdrMc+*8GSx0M~A*!CVg@t*9CIqJ;Q*YoPqJOWSo|T;lAaV(bk*xRRSXr?hPUo#=1w!UCQ6B(EPD>d=)!4v#3bmLR7o zZnTJExA(V=NA0Q!k^AKCsvhSVn_GLa?zxkK>Q0uNoJ&-2l7WK3Aml2qa3r_x{XTk2V@P zu3d#N+ys83-`WWNZ$g3%Sy5C}F6y`n8;~D+cI1wW8$BOBOvQh^Fo>0lx*GL2VytD# zojo~e?{0dK_QW3G#ey7AxdJH(18;7AzL?-1;0*q1x(@t4-UMAc5d~QUq%@#O@wJ<_ zfB)|2WCvV7Jf34Sz=d;WtPRvhq)Qbr3IJEYLO#EvHOI`e`JzH3NHdQ$DtgD8v`hqJ zV>KR}Ao+QuKS_XiJ@VaZUQ=OQGd4 z1?ud~(vCnwf5-lGMZ7Sn^y%%YBW?tc#sGP{#BMxZ?@*YRrwmQ&4hm9IRP;X4FNlrJ zM!kah_@Di#?g6~G*t#%D8Al8@dt%6S$eSFe{WTp*Sf(r!R~ZSm%55FAk#Ax~7O@Zu zb9DP0+5*R)o|yO2+fUk$=Gsi<-T)3*UjYvCq}Uwm-}EZ5;j_^Ukz zZJ^Dheo8j(Oz;8{A!r0n+|(Hs2@I6TlX zU!urJ5lRwf!rG!dN`HFqRlEYuKU_`9j!QOepY7Lzx{uHa# 
z`mO;P6y?WcV?Hp8-L4$L7K?6t`vSTrwl-deEq)o&s6~9Yq&P+N)V$%9Ix#3!uRYfJ za^@NHn}5l#=_=$?LDt^lhvCW^sW#=uZ=c@gF){v`5X%Fk zAjxef!FHla$4jN^)eV6Bu`bGzf2s7$9UOV9tAL0-d=7pC4@85m;2+IHgW7=nf}PlP zj5m#bQ5Zp5$-5er0eeM5fqy0oXs==@Ox+F!e&f^N>y~c?p$`^1j*GJv-6%#_sDKJC< zcO2*fHt9}azC%8ka(Z;S(KD_e25{3$9=p$;{Qk|-@1Csmp2i2gWH$8H0W`k_C8L;KKW}D z=0v^rCjRdFk=MLK1h}%{Fg@VN5SjhW!CHZRp;dF;giO33N;Co3o4 zf?h!DRn%J_e`M$x0*uogzcrw+9*sgp1r+=y@zzP~0lPn6cZi0@@C=Qt;lig)S^~$U z-W3l=U@JlF?t@g~e2|5DM+Fb2+$F;EwH`VNEbSY9KeUOF2KsF96@HWu3D&sOxUPMh zy=jQbpUl%S{$0Z5vQYgO0oH&!?yt(KDs=o`dWrsKxk{9|^k!dPbb+*5oAM52RHWnX zQeP%6m0*Fxaa2S^U+Up?w1uHz+B3@Y2dTi2?sFZd%5`lv=VyA)lj}}Nv48vsBinM;@H$ptqOD0vG>FMiuiEWSV+8jpn@t+5ku@ zEONWp_@3OIpG0*8p$v+90H_53AE=W8t!_DWs{aDFw0PS#~hk}GWP>%!NRCMc5px~?``_>I$qnaD}eYU|?s)BeI5B)HF zbKLr#ofqLHUC^mnZr+;oQ4ft8C!~)1Yu^lTfOR>fJx_TR(4(yw+vk)R%uH=Q^rJVe z;TZVtsQ*ivJaX@^0s}u4$DvwVAiqPIU5bSVIBxU7CH8L)GtpMGvWd)(AJ;h^wuR5- zUfXdo^d{FN-01@>dg>k(D<|iGF6!_4XK~jx3+~^yK>)Bqh5eyN>Q&O{)+b}%gaymi zyB)jPZ36#_&1i8@09$E^R)r;KvMxQZ^Z{;aKDDyHE2e5aOGgxe%zpYudrqxwT{Nlm z5iRMTGbEvi0-XjoV4M}<_@~`zmF;;-W7i0uv8*4d{3)!DZ0+Ix{;>N$hPuADqoco;Usw;)<){m~^<` zhMl|)I-A!0&*+$#a->TOqB{kzL$ADy=}nJ!*y_}Zpt*9p=dVaO%S31HWh{v;%cF86 zGP&T!%|t%8cU?;Et6$K6G=A*DE&A$Lw9fB(0oYf5zdc@)Gdtr5n3j-8k=z>xi$Em_Z$fx-_e-p|COUBFl7joSHoFZG7ceLZdx=`uNahd(w-QMbx_zj&u@B__2 zB-9s1f6#tOB8EJ{y!goS#|0ec$)P*XK}+vbt7OZl^q(;x**VVXob0&79I{jYT2 zlN?Kup(BF>c(9BC#U>xW;R-q)kyExLI89SUl@&vBZ>gybNT%(0wW%?2h6B354Pr*# zbT4eXYE#16=WI!L$AZr4?7z=!Rh=GtDyl0h1FMLlCIe$cE0Mjgc8WYh6ej44RnAua z3>Y?W6Bxx5IbcVYIXND>+5~Pr18zbC=55N>O`8&qLoz<3&FbQ?5bIkQ1?PI zaY!kXyOkIYo>#vK;JF(bj8p?!$J?IC8 zcQ25VkleWVG@<14>9+e9_rcK>AnInt>V9L>IM_V1X>{pwwRVa!!-Y#%4QLIb>cu_j z7ni0nUKD~?ytNFRlM3HUt;aOquV7LT}_bUPY(?)s&87u>b47GMVFvM_jF>2j?V8=U@? zr)TF#YUoF5{?JVS&z(1++qax08kNO9Qp0CiOAFGO&5Z^~#t#Iix6rSHpUj`SS$NmK z*L_Hc*ULoOl^2woV>kBW`^S%vduG83v6+r5A0wSEUMI}qT%bLyr#DN0%@@J|K{Ebbw0VFo0Tc}3Z>VZgZd_K?N)Et)N*Drt3GW4Hmfpra$6qOYzc>e0${{sCYY32X` literal 0 HcmV?d00001 
From 5b4ca428ef1ef4c00c57e572ad3e38ffc7fde2a5 Mon Sep 17 00:00:00 2001
From: Saivann
Date: Mon, 12 Oct 2015 08:10:15 -0400
Subject: [PATCH 2/6] Move uPnP alert image to /img/

---
 _alerts/2015-10-12-upnp-vulnerability.md | 2 +-
 {_alerts => img/alerts}/disable_upnp.png | Bin
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename {_alerts => img/alerts}/disable_upnp.png (100%)

diff --git a/_alerts/2015-10-12-upnp-vulnerability.md b/_alerts/2015-10-12-upnp-vulnerability.md
index bb0ff59e..a411c7c9 100644
--- a/_alerts/2015-10-12-upnp-vulnerability.md
+++ b/_alerts/2015-10-12-upnp-vulnerability.md
@@ -11,7 +11,7 @@ bannerclass: "alert"
 
 ## Summary
 
-![Disabling UPnP in the GUI](disable_upnp.png)
+![Disabling UPnP in the GUI](/img/alerts/disable_upnp.png)
 
 Either
 
diff --git a/_alerts/disable_upnp.png b/img/alerts/disable_upnp.png
similarity index 100%
rename from _alerts/disable_upnp.png
rename to img/alerts/disable_upnp.png
From 8b4abfdc1f2ffc430636938a084559f64b00ded3 Mon Sep 17 00:00:00 2001
From: "Wladimir J. van der Laan"
Date: Mon, 12 Oct 2015 14:34:32 +0200
Subject: [PATCH 3/6] improve the text a bit

---
 _alerts/2015-10-12-upnp-vulnerability.md | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/_alerts/2015-10-12-upnp-vulnerability.md b/_alerts/2015-10-12-upnp-vulnerability.md
index a411c7c9..a4510784 100644
--- a/_alerts/2015-10-12-upnp-vulnerability.md
+++ b/_alerts/2015-10-12-upnp-vulnerability.md
@@ -16,29 +16,31 @@ bannerclass: "alert"
 Either
 
 - turn off the checkbox in the GUI under Options → Network → Map port using UPNP (see above)
-- add `-upnp=0` to the command line options
 - add the line `upnp=0` to your `bitcoin.conf` file
+- add `-upnp=0` to the command line options
 
 Alternatively, upgrade to a version of Bitcoin Core at least 0.10.3 or 0.11.1.
-These versions upgrade the library to a non-vulnerable version, as well as have
-upnp disabled by default to prevent this problem in the future.
+These versions upgrade the library to a non-vulnerable version, as well as
+disable UPnP by default to prevent this problem in the future.
 
 ## Details
 
 Version before 1.9.20151008 of the miniupnpc library are vulnerable to a buffer
 overflow in the XML parser during initial network discovery. The
-vulnerable code triggers at startup of Bitcoin Core if upnp is enabled.
+vulnerable code triggers at startup of Bitcoin Core if UPnP is enabled.
 
 Details of the vulnerability can be found here: http://talosintel.com/reports/TALOS-2015-0035/
 
-It has been verified that the vulnerability can be used to crash the application at startup.
+It has been verified that the vulnerability can be used to crash the
+application at startup by running a malicious UPnP server on the local
+network.
 
 To have more connectable nodes, the Bitcoin Core executables distributed by
-bitcoin.org include the library and have always had UPnP functionality enabled
-by default.
+bitcoin.org include the miniupnpc library and have always had UPnP
+functionality enabled by default, to forward the P2P port.
 
-This applies to the distributed executables only, not when building from source or
-using distribution provided packages. Self-built executables have UPnP disabled
+This applies to the distributed executables only, not those built from source or
+from distribution provided packages. Self-built executables have UPnP disabled
 by default, unless `--enable-upnp-default` was provided to the configure script.
 
 Releases starting from 0.10.3 and 0.11.1, and the upcoming 0.12.0 will still ship
From d3d01dcf0faf5fe2e328d24e2da18c8df4859cdf Mon Sep 17 00:00:00 2001
From: Saivann
Date: Mon, 12 Oct 2015 09:04:17 -0400
Subject: [PATCH 4/6] Make link clickable on uPnP alert page

---
 _alerts/2015-10-12-upnp-vulnerability.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_alerts/2015-10-12-upnp-vulnerability.md b/_alerts/2015-10-12-upnp-vulnerability.md
index a4510784..7b3e2547 100644
--- a/_alerts/2015-10-12-upnp-vulnerability.md
+++ b/_alerts/2015-10-12-upnp-vulnerability.md
@@ -29,7 +29,7 @@ Version before 1.9.20151008 of the miniupnpc library are vulnerable to a buffer
 overflow in the XML parser during initial network discovery. The
 vulnerable code triggers at startup of Bitcoin Core if UPnP is enabled.
 
-Details of the vulnerability can be found here: http://talosintel.com/reports/TALOS-2015-0035/
+Details of the vulnerability can be found here:
 
 It has been verified that the vulnerability can be used to crash the
 application at startup by running a malicious UPnP server on the local
From 3fb01e8c72fb378b57326dbe75f3135abcaad57d Mon Sep 17 00:00:00 2001
From: "David A. Harding"
Date: Mon, 12 Oct 2015 09:10:57 -0400
Subject: [PATCH 5/6] Alerts/upnp: show banner / describe manual port forwarding

---
 _alerts/2015-10-12-upnp-vulnerability.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/_alerts/2015-10-12-upnp-vulnerability.md b/_alerts/2015-10-12-upnp-vulnerability.md
index 7b3e2547..5475c4a0 100644
--- a/_alerts/2015-10-12-upnp-vulnerability.md
+++ b/_alerts/2015-10-12-upnp-vulnerability.md
@@ -5,7 +5,7 @@
 title: "Vulnerability in UPnP library used by Bitcoin Core"
 shorturl: "upnp-vulnerability"
 active: true
-#banner: "WARNING: serious vulnerability in UPnP library used by Bitcoin Core (click here to read)"
+banner: "WARNING: serious vulnerability in UPnP library used by Bitcoin Core (click here to read)"
 bannerclass: "alert"
 ---
 
@@ -54,3 +54,11 @@ makes it harder to use this vulnerability for remote code execution or private
 key leaks. However, it is still advised to upgrade, or if not possible, disable
 UPnP as soon as possible.
 
+## Manual Port Forwarding
+
+With UPnP turned off, your node will still connect to 8 other peers on
+the Bitcoin network to receive new blocks and transactions. However, it
+will not accept incomming connections from other peers unless you
+manually enable port forwarding on your router. If you wish to do
+that---it isn't required---please [follow these
+instructions](/en/full-node#network-configuration).
From 38c10793e01f6ff673473368f5410cb675e25085 Mon Sep 17 00:00:00 2001
From: "Wladimir J. van der Laan"
Date: Mon, 12 Oct 2015 16:19:18 +0200
Subject: [PATCH 6/6] mention that 0.11.1 and 0.10.3 aren't released yet

---
 _alerts/2015-10-12-upnp-vulnerability.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/_alerts/2015-10-12-upnp-vulnerability.md b/_alerts/2015-10-12-upnp-vulnerability.md
index 5475c4a0..cae4d65f 100644
--- a/_alerts/2015-10-12-upnp-vulnerability.md
+++ b/_alerts/2015-10-12-upnp-vulnerability.md
@@ -19,9 +19,10 @@ Either
 - add the line `upnp=0` to your `bitcoin.conf` file
 - add `-upnp=0` to the command line options
 
-Alternatively, upgrade to a version of Bitcoin Core at least 0.10.3 or 0.11.1.
-These versions upgrade the library to a non-vulnerable version, as well as
-disable UPnP by default to prevent this problem in the future.
+Also upgrade to a version of Bitcoin Core at least 0.10.3 or 0.11.1 when they
+are released (the release cycle is in progress). These versions upgrade the
+library to a non-vulnerable version, as well as disable UPnP by default to
+prevent this problem in the future.
 
 ## Details
 