# Gavin Andresen # 2012-05-14 16:56:30 # https://bitcointalk.org/index.php?topic=81749.msg899957#msg899957

We have been quietly notifying the largest exchanges, merchant service providers and mining pools about this issue, and waited until they upgraded or patched their code to go public with this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2012-2459: Critical Vulnerability

A denial-of-service vulnerability that affects all versions of
bitcoind and Bitcoin-Qt has been reported and fixed. An attacker
could isolate a victim's node and cause the creation of blockchain
forks.

Because this bug could be exploited to severely disrupt the Bitcoin
network we consider this a critical vulnerability, and encourage
everybody to upgrade to the latest version: 0.6.2.

Backports for older releases (0.5.5 and 0.4.6) are also available if
you cannot upgrade to version 0.6.2.

Full technical details are being withheld to give people the
opportunity to upgrade.

Thanks to Forrest Voight for discovering and reporting the vulnerability.

Questions that might be frequently asked:

How would I know if I am the victim of this attack?

Your bitcoin process would stop processing blocks and would have a
different block count from the rest of the network (you can see the
current block count at websites like blockexplorer.com or
blockchain.info). Eventually it would display the message:

"WARNING: Displayed transactions may not be correct! You may need to
upgrade, or other nodes may need to upgrade."

(note that this message is displayed whenever your bitcoin process
detects that the rest of the network seems to have a different
block count, which can happen for several reasons unrelated to
this vulnerability).

Could this bug be used to steal my wallet?

No.

Could this bug be used to install malware on my system?

No.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

-----END PGP SIGNATURE-----
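
The symptom described in the announcement (a node that stops processing blocks while the rest of the network moves on) can be monitored by comparing the node's block count with an independent source. The following is an added example, not part of the original post or of the Bitcoin project's code. The `Sample` type, the thresholds and the sample values are assumptions constructed for illustration; in practice the local count could come from the node's `getblockcount` RPC and the reference count from a block explorer.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: int          # seconds since monitoring started
    local: int      # block count reported by our own node
    reference: int  # block count from an independent source

def classify(samples, max_lag=3, stall_window=3600):
    """Classify the newest sample as 'ok', 'lagging' or 'stalled'.

    stalled: local count unchanged for >= stall_window seconds while the
             reference is more than max_lag blocks ahead (the symptom in
             the announcement).
    lagging: behind by more than max_lag but still advancing, e.g. a node
             that is catching up (one of the unrelated reasons for a
             differing block count).
    Thresholds are assumed values, not taken from the announcement.
    """
    if not samples:
        raise ValueError("no samples")
    last = samples[-1]
    if last.reference - last.local <= max_lag:
        return "ok"
    # Walk backwards to find when the local count last changed.
    stuck_since = last.t
    for s in reversed(samples):
        if s.local != last.local:
            break
        stuck_since = s.t
    return "stalled" if last.t - stuck_since >= stall_window else "lagging"

def first_alert(samples, **kw):
    """Return the time of the first sample classified 'stalled', or None."""
    for i in range(1, len(samples) + 1):
        if classify(samples[:i], **kw) == "stalled":
            return samples[i - 1].t
    return None

# Constructed sample series (not real network data).
HEALTHY = [Sample(0, 180000, 180000), Sample(600, 180001, 180001),
           Sample(1200, 180002, 180002)]
SYNCING = [Sample(0, 179000, 180000), Sample(600, 179400, 180001),
           Sample(1200, 179800, 180002)]
STALLED = [Sample(0, 180000, 180000), Sample(1200, 180000, 180002),
           Sample(2400, 180000, 180004), Sample(3600, 180000, 180006)]

if __name__ == "__main__":
    for name, series in [("healthy", HEALTHY), ("syncing", SYNCING),
                         ("stalled", STALLED)]:
        print(name, classify(series), first_alert(series))
```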