From d62c773e3b6b6f4a336004f476486ef244c0117d Mon Sep 17 00:00:00 2001 From: Martin Holst Swende Date: Tue, 23 Nov 2021 09:41:04 +0100 Subject: [PATCH] docs: vulnerability disclosure (#23955) --- docs/_vulnerabilities/vulnerabilities.json | 9 +++++---- docs/_vulnerabilities/vulnerabilities.json.minisig | 6 +++--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/_vulnerabilities/vulnerabilities.json b/docs/_vulnerabilities/vulnerabilities.json index 789478adf4..8acefac878 100644 --- a/docs/_vulnerabilities/vulnerabilities.json +++ b/docs/_vulnerabilities/vulnerabilities.json @@ -134,13 +134,14 @@ "check": "(Geth\\/v1\\.10\\.(0|1|2|3|4|5|6|7)-.*)$" }, { - "name": "DoS via maliciously crafted p2p message", + "name": "DoS via malicious `snap/1` request ", "uid": "GETH-2021-03", - "summary": "A vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer.", - "description": "A vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer.\nFurther details will be released at a later point in time, in accordance with our official disclosure policy.", + "summary": "A vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer, via the snap/1 protocol. The crash can be triggered by sending a malicious snap/1 GetTrieNodes package.", + "description": "The `snap/1` protocol handler contains two vulnerabilities related to the `GetTrieNodes` packet, which can be exploited to crash the node. Full details are available at the Github security [advisory](https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v)", "links": [ "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v", - "https://geth.ethereum.org/docs/vulnerabilities/vulnerabilities" + "https://geth.ethereum.org/docs/vulnerabilities/vulnerabilities", + "https://github.com/ethereum/go-ethereum/pull/23657" ], "introduced": "v1.10.0", "fixed": "v1.10.9", diff --git a/docs/_vulnerabilities/vulnerabilities.json.minisig b/docs/_vulnerabilities/vulnerabilities.json.minisig index 3b78dddc2e..6b61983807 100644 --- a/docs/_vulnerabilities/vulnerabilities.json.minisig +++ b/docs/_vulnerabilities/vulnerabilities.json.minisig @@ -1,4 +1,4 @@ untrusted comment: signature from minisign secret key -RWQk7Lo5TQgd+8l5duLP0gUKWHwGDmqe1FDRgmbZ0OE0D4dnw8W2MJhhq6ckZKhGnD7zW1Htw63mbnHuy7TDo0Oz99qwFfzv1w8= -trusted comment: timestamp:1635075909 file:vulnerabilities.json -827bn9OQI+f9gdKa1JSPYmnCpDGSKEWI2C9Ywz7Mlnvzi6Z9Ec+h+R5t/v9x7CLwXK8l5TMXgm6sv5JBduv8Dw== +RWQk7Lo5TQgd++1KS2a5zDfzIShMgTJkiv++9SEPG1JSAvSkq3MbNuYg/Rg0sAiRdfh7V4oBfKBL8sxlwoAq2MpKE19ezsluIwM= +trusted comment: timestamp:1637656079 file:vulnerabilities.json +Wazb+Xg21XNnbbx10OF0fDtlI27VhgJ5GfjmywnD3s3uJHFCC3CSRF14m75nSBelmvw4tHNZk1Apf3vBNvw0AQ==