<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for bitcoin</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2022:0072-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2022-03-03T19:01:19Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2022-03-03T19:01:19Z</InitialReleaseDate>
    <CurrentReleaseDate>2022-03-03T19:01:19Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for bitcoin</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for bitcoin fixes the following issues:

Update to version 0.21.2

* P2P protocol and network code
  * use NetPermissions::HasFlag() in CConnman::Bind()
  * Rate limit the processing of rumoured addresses
* Wallet
  * Do not iterate a directory if having an error while accessing it
* RPC
  * Reset scantxoutset progress before inferring descriptors
* Build System
  * depends: update Qt 5.9 source url
  * Update Windows code signing certificate
  * Use custom MacOS code signing tool
  * Fix build with Boost 1.77.0
* Tests and QA
  * Build with --enable-werror by default, and document exceptions
  * Fix intermittent feature_taproot issue
  * Fix macOS brew install command
  * add missing ECCVerifyHandle to base_encode_decode
  * Run fuzzer task for the master branch only
* GUI
  * Do not use QClipboard::Selection on Windows and macOS.
  * Remove user input from URI error message
  * Draw 'eye' sign at the beginning of watch-only addresses
* Miscellaneous
  * Fix crash when parsing command line with -noincludeconf=0
  * util: Properly handle -noincludeconf on command line (take 2)

Update to version 0.21.1

* Consensus:
  * Speedy trial support for versionbits
  * Speedy trial activation parameters for Taproot
* P2P protocol and network code
  * allow CSubNet of non-IP networks
  * Avoid UBSan warning in ProcessMessage
* Wallet
  * Introduce DeferredSignatureChecker and have
    SignatureExtractorClass subclass it
  * Avoid requesting fee rates multiple times during coin selection
* RPC and other APIs:
  * Disallow sendtoaddress and sendmany when private keys disabled
    CVE-2021-3195

Update to version 0.21.0:

* For full details see release-notes-0.21.0.md

Update to version 0.20.1

* Mining
  * Fix GBT: Restore '!segwit' and 'csv' to 'rules' key
* P2P protocol and network code
  * Replace automatic bans with discouragement filter
* Wallet
  * Handle concurrent wallet loading
  * Minimal fix to restore conflicted transaction notifications 
* RPC and other APIs
  * Increment input value sum only once per UTXO in decodepsbt
  * psbt: Increment input value sum only once per UTXO in decodepsbt
  * psbt: Include and allow both non_witness_utxo and witness_utxo for segwit inputs
* GUI
  * Add missing QPainterPath include
  * update Qt base translations for macOS release
* Misc
  * util: Don't reference errno when pthread fails
  * Fix locking on WSL using flock instead of fcntl

Update to version 0.20.0:

* See https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-0.20.0.md

- Do not run bitcoind in daemon mode. Running it in the foreground
  rather than as a background process makes it work properly with
  journald (instead of writing logs in /var/log).

Update to version 0.19.1:

* Wallet
  * Fix origfee return for bumpfee with feerate arg
  * Fix unique_ptr usage in boost::signals2
  * Fix issue with conflicted mempool tx in listsinceblock
  * Bug: IsUsedDestination shouldn't use key id as script id for
    ScriptHash
  * IsUsedDestination should count any known single-key address
  * Reset reused transactions cache
* RPC and other APIs
  * cli: Fix fatal leveldb error when specifying
    -blockfilterindex=basic twice
  * require second argument only for scantxoutset start action
  * zmq: Fix due to invalid argument and multiple notifiers
  * psbt: handle unspendable psbts
  * psbt: check that various indexes and amounts are within
    bounds
* GUI
  * Fix missing qRegisterMetaType for size_t
  * disable File-&gt;CreateWallet during startup
  * Fix comparison function signature
  * Fix uninitialized WalletView::progressDialog
* Tests and QA
  * Appveyor improvement - text file for vcpkg package list
  * fix 'bitcoind already running' warnings on macOS
  * add missing #include to fix compiler errors
* Platform support
  * Update msvc build for Visual Studio 2019 v16.4
  * Updates to appveyor config for VS2019 and Qt5.9.8 + msvc
    project fixes
  * bug-fix macos: give free bytes to F_PREALLOCATE
* Miscellaneous
  * init: Stop indexes on shutdown after ChainStateFlushed
    callback
  * util: Add missing headers to util/fees.cpp
  * Unbreak build with Boost 1.72.0
  * scripts: Fix symbol-check &amp; security-check argument passing
  * Log to net category for exceptions in ProcessMessages
  * Update univalue subtree
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2022-72</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZQOIWU7XODRDIITDKWB45QLM5US3ATJW/</URL>
      <Description>E-Mail link for openSUSE-SU-2022:0072-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2021-3195/</URL>
      <Description>SUSE CVE CVE-2021-3195 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Package Hub 15 SP3">
      <Branch Type="Product Name" Name="SUSE Package Hub 15 SP3">
        <FullProductName ProductID="SUSE Package Hub 15 SP3">SUSE Package Hub 15 SP3</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 15.3">
      <Branch Type="Product Name" Name="openSUSE Leap 15.3">
        <FullProductName ProductID="openSUSE Leap 15.3" CPE="cpe:/o:opensuse:leap:15.3">openSUSE Leap 15.3</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="bitcoin-qt5-0.21.2-bp153.2.3.1">
      <FullProductName ProductID="bitcoin-qt5-0.21.2-bp153.2.3.1">bitcoin-qt5-0.21.2-bp153.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="bitcoin-test-0.21.2-bp153.2.3.1">
      <FullProductName ProductID="bitcoin-test-0.21.2-bp153.2.3.1">bitcoin-test-0.21.2-bp153.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="bitcoin-utils-0.21.2-bp153.2.3.1">
      <FullProductName ProductID="bitcoin-utils-0.21.2-bp153.2.3.1">bitcoin-utils-0.21.2-bp153.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="bitcoind-0.21.2-bp153.2.3.1">
      <FullProductName ProductID="bitcoind-0.21.2-bp153.2.3.1">bitcoind-0.21.2-bp153.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libbitcoinconsensus-devel-0.21.2-bp153.2.3.1">
      <FullProductName ProductID="libbitcoinconsensus-devel-0.21.2-bp153.2.3.1">libbitcoinconsensus-devel-0.21.2-bp153.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libbitcoinconsensus0-0.21.2-bp153.2.3.1">
      <FullProductName ProductID="libbitcoinconsensus0-0.21.2-bp153.2.3.1">libbitcoinconsensus0-0.21.2-bp153.2.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="bitcoin-qt5-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP3">
      <FullProductName ProductID="SUSE Package Hub 15 SP3:bitcoin-qt5-0.21.2-bp153.2.3.1">bitcoin-qt5-0.21.2-bp153.2.3.1 as a component of SUSE Package Hub 15 SP3</FullProductName>
    </Relationship>
    <Relationship ProductReference="bitcoin-test-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP3">
      <FullProductName ProductID="SUSE Package Hub 15 SP3:bitcoin-test-0.21.2-bp153.2.3.1">bitcoin-test-0.21.2-bp153.2.3.1 as a component of SUSE Package Hub 15 SP3</FullProductName>
    </Relationship>
    <Relationship ProductReference="bitcoin-utils-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP3">
      <FullProductName ProductID="SUSE Package Hub 15 SP3:bitcoin-utils-0.21.2-bp153.2.3.1">bitcoin-utils-0.21.2-bp153.2.3.1 as a component of SUSE Package Hub 15 SP3</FullProductName>
    </Relationship>
    <Relationship ProductReference="bitcoind-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP3">
      <FullProductName ProductID="SUSE Package Hub 15 SP3:bitcoind-0.21.2-bp153.2.3.1">bitcoind-0.21.2-bp153.2.3.1 as a component of SUSE Package Hub 15 SP3</FullProductName>
    </Relationship>
    <Relationship ProductReference="libbitcoinconsensus-devel-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP3">
      <FullProductName ProductID="SUSE Package Hub 15 SP3:libbitcoinconsensus-devel-0.21.2-bp153.2.3.1">libbitcoinconsensus-devel-0.21.2-bp153.2.3.1 as a component of SUSE Package Hub 15 SP3</FullProductName>
    </Relationship>
    <Relationship ProductReference="libbitcoinconsensus0-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP3">
      <FullProductName ProductID="SUSE Package Hub 15 SP3:libbitcoinconsensus0-0.21.2-bp153.2.3.1">libbitcoinconsensus0-0.21.2-bp153.2.3.1 as a component of SUSE Package Hub 15 SP3</FullProductName>
    </Relationship>
    <Relationship ProductReference="bitcoin-qt5-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.3">
      <FullProductName ProductID="openSUSE Leap 15.3:bitcoin-qt5-0.21.2-bp153.2.3.1">bitcoin-qt5-0.21.2-bp153.2.3.1 as a component of openSUSE Leap 15.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="bitcoin-test-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.3">
      <FullProductName ProductID="openSUSE Leap 15.3:bitcoin-test-0.21.2-bp153.2.3.1">bitcoin-test-0.21.2-bp153.2.3.1 as a component of openSUSE Leap 15.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="bitcoin-utils-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.3">
      <FullProductName ProductID="openSUSE Leap 15.3:bitcoin-utils-0.21.2-bp153.2.3.1">bitcoin-utils-0.21.2-bp153.2.3.1 as a component of openSUSE Leap 15.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="bitcoind-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.3">
      <FullProductName ProductID="openSUSE Leap 15.3:bitcoind-0.21.2-bp153.2.3.1">bitcoind-0.21.2-bp153.2.3.1 as a component of openSUSE Leap 15.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="libbitcoinconsensus-devel-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.3">
      <FullProductName ProductID="openSUSE Leap 15.3:libbitcoinconsensus-devel-0.21.2-bp153.2.3.1">libbitcoinconsensus-devel-0.21.2-bp153.2.3.1 as a component of openSUSE Leap 15.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="libbitcoinconsensus0-0.21.2-bp153.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.3">
      <FullProductName ProductID="openSUSE Leap 15.3:libbitcoinconsensus0-0.21.2-bp153.2.3.1">libbitcoinconsensus0-0.21.2-bp153.2.3.1 as a component of openSUSE Leap 15.3</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** DISPUTED ** bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call. NOTE: this reportedly does not violate the security model of Bitcoin Core, but can violate the security model of a fork that has implemented dumpwallet restrictions.</Note>
    </Notes>
    <CVE>CVE-2021-3195</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP3:bitcoin-qt5-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP3:bitcoin-test-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP3:bitcoin-utils-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP3:bitcoind-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP3:libbitcoinconsensus-devel-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP3:libbitcoinconsensus0-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.3:bitcoin-qt5-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.3:bitcoin-test-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.3:bitcoin-utils-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.3:bitcoind-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.3:libbitcoinconsensus-devel-0.21.2-bp153.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.3:libbitcoinconsensus0-0.21.2-bp153.2.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZQOIWU7XODRDIITDKWB45QLM5US3ATJW/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2021-3195.html</URL>
        <Description>CVE-2021-3195</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1181784</URL>
        <Description>SUSE Bug 1181784</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
