Bitcoin Optech has disclosed a total of 10 vulnerabilities that have affected older versions of Bitcoin Core software, according to a report by CryptoSlate. These vulnerabilities, which have been fixed in more recent releases, could have enabled various attacks on nodes running outdated Bitcoin Core versions.
The disclosure of these vulnerabilities is significant considering that Bitcoin Core developers have recently introduced a new security disclosure policy with the aim of improving transparency and communication regarding vulnerabilities.
In the past, the project has faced criticism for not adequately disclosing security-critical bugs to the public, leading to a perception that Bitcoin Core is largely bug-free.
Libbitcoin developer Eric Voskuil, in a message to the Bitcoin mailing list, highlighted that this perception is misleading and could be dangerous, as it downplays the risks involved in running outdated software versions.
Active Bitcoin node vulnerabilities
CryptoSlate has analyzed active Bitcoin nodes to assess how many are currently vulnerable to each attack vector. Out of 14,001 nodes, roughly 787 (5.94%) are running versions older than 0.21.0.
While the network remains secure and largely protected against any meaningful attacks, this figure is significant enough to be considered a problem that the Bitcoin community may need to address.
Efforts can be made to encourage these node operators to upgrade to newer versions in order to enhance the Bitcoin network’s overall security, efficiency, and future readiness.
Although not an immediate critical issue, it is certainly a concern that warrants attention. It’s not an existential threat to Bitcoin, as the majority of the network still runs up-to-date software. However, it does represent a non-trivial portion of the network that could cause issues or be exploited under certain circumstances.
This highlights a need for better communication and incentives within the Bitcoin community to encourage more frequent updates.
Risks for active Bitcoin nodes
According to the disclosure, the most widespread vulnerability affected versions prior to 0.21.0, potentially impacting 787 nodes. This flaw could enable censorship of unconfirmed transactions and cause netsplits due to excessive time adjustments.
Three separate vulnerabilities affected versions before 0.20.0, each potentially impacting 182 nodes. These included a memory DoS from large inv-messages, a CPU-wasting DoS from malformed requests, and a memory-related crash when parsing BIP72 URIs.
An unbounded ban list CPU/memory DoS vulnerability (CVE-2020-14198) affected versions prior to 0.20.1, putting 185 nodes at risk. Earlier versions were susceptible to other attacks, such as a CPU DoS and node stalling from orphan handling (before 0.18.0, affecting 70 nodes) and a memory DoS using low-difficulty headers (before 0.15.0, impacting 29 nodes).
The oldest vulnerabilities disclosed included a remote code execution bug in miniupnpc (CVE-2015-6031) affecting versions before 0.11.1 and a node crash DoS from large messages (CVE-2015-3641) in versions prior to 0.10.1. These affected 22 and 5 nodes, respectively, indicating that very few are still running such outdated software.
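The per-version counts above come from matching each node's advertised version against the "fixed in" threshold of every disclosed issue. The following script is an added example, written for this article and not code from CryptoSlate, Bitcoin Optech or the Bitcoin Core project: it parses Bitcoin Core user-agent strings as they appear in a peer's subver field (assumed here to follow the "/Satoshi:<version>/" convention, optionally with a parenthesised comment), normalises the pre-22 "0.x.y" and post-22 "x.y" version schemes so they compare correctly, and tallies how many of a given set of peers still fall below each fix. The version thresholds and CVE identifiers are the ones stated in the article; the advisory descriptions are paraphrased, and the sample user agents at the bottom are constructed, not survey data.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    name: str
    fixed_in: tuple            # first release carrying the fix, as (major, minor, patch)
    cve: Optional[str] = None  # only ids the article gives; None where it gives none


# Thresholds and CVE ids as stated in the article; descriptions paraphrased.
ADVISORIES = (
    Advisory("node crash DoS from large messages", (0, 10, 1), "CVE-2015-3641"),
    Advisory("remote code execution in miniupnpc", (0, 11, 1), "CVE-2015-6031"),
    Advisory("memory DoS using low-difficulty headers", (0, 15, 0)),
    Advisory("CPU DoS and node stalling from orphan handling", (0, 18, 0)),
    Advisory("memory DoS from large inv messages", (0, 20, 0)),
    Advisory("CPU-wasting DoS from malformed requests", (0, 20, 0)),
    Advisory("memory-related crash parsing BIP72 URIs", (0, 20, 0)),
    Advisory("unbounded ban list CPU/memory DoS", (0, 20, 1), "CVE-2020-14198"),
    Advisory("unconfirmed-tx censorship / netsplit via time adjustment", (0, 21, 0)),
)

# Assumed user-agent shape: "/Satoshi:<version>/" with an optional "(comment)" and
# possibly further "/Name:ver/" segments appended, which we ignore.
_SUBVER_RE = re.compile(r"^/Satoshi:(\d+(?:\.\d+){0,3})(?:\([^)]*\))?/")


def parse_version(text: str) -> tuple:
    """Normalise "0.20.1", "0.21", "22.0" or "27.1.0" to a 3-tuple.

    Padding with zeros matters: the plain tuple (0, 21) would compare as
    *older* than (0, 21, 0) and misclassify an up-to-date node.
    """
    parts = [int(p) for p in text.split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple((parts + [0, 0, 0])[:3])


def version_from_subver(subver: str) -> Optional[tuple]:
    """Version advertised by a Bitcoin Core peer, or None for other software."""
    m = _SUBVER_RE.match(subver)
    return parse_version(m.group(1)) if m else None


def applicable_advisories(version: tuple) -> list:
    """Every disclosed issue whose fix landed in a release newer than `version`."""
    return [a for a in ADVISORIES if version < a.fixed_in]


def count_affected(subvers) -> dict:
    """Per-advisory tally of peers running a version older than the fix.

    Peers with unparseable or non-Core user agents are skipped rather than
    counted, so the result only reflects nodes whose version is known.
    """
    counts = Counter()
    for s in subvers:
        v = version_from_subver(s)
        if v is None:
            continue
        for a in applicable_advisories(v):
            counts[a.name] += 1
    return dict(counts)


# Constructed sample of peer user agents (not real survey data).
SAMPLE_SUBVERS = [
    "/Satoshi:27.0.0/",
    "/Satoshi:0.21.1/",
    "/Satoshi:0.20.1/",
    "/Satoshi:0.20.0/",
    "/Satoshi:0.19.1(bitcore)/",
    "/Satoshi:0.17.1/",
    "/Satoshi:0.10.0/",
    "/btcwire:0.5.0/btcd:0.12.0/",   # not Bitcoin Core; skipped
]

if __name__ == "__main__":
    tally = count_affected(SAMPLE_SUBVERS)
    for name, n in sorted(tally.items(), key=lambda kv: -kv[1]):
        cve = next(a.cve for a in ADVISORIES if a.name == name) or "-"
        print(f"{n:3d}  {cve:<15} {name}")
```

In practice the input list would come from the `subver` field of each entry returned by a node's `getpeerinfo` RPC, or from a crawler's snapshot of the network, and the same threshold table can be extended as further versions are disclosed under the new policy.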
New Bitcoin developer disclosure policy
The new policy categorizes vulnerabilities into four severity levels: low, medium, high, and critical. Low-severity bugs, which are difficult to exploit or have minimal impact, will be disclosed two weeks after a fixed version is released, with a pre-announcement made simultaneously.
Medium and high-severity bugs, which have more significant impacts, will be disclosed two weeks after the last affected release reaches its end-of-life (EOL), typically one year after the fixed version is first released. A pre-announcement will be made two weeks before disclosure. Critical bugs threatening the network’s integrity will require an ad-hoc disclosure procedure.
The policy will be implemented gradually. All vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier will be disclosed immediately. In July, vulnerabilities fixed in version 22.0 will be disclosed, followed by those fixed in version 23.0 in August. This process will continue until all EOL versions have been addressed.
This initiative aims to set clear expectations for security researchers, incentivizing them to find and responsibly disclose vulnerabilities. By making security bugs available to a broader group of contributors, the policy seeks to prevent future issues and enhance the overall security of the Bitcoin network.
According to the Bitcoin Development Mailing List, the policy’s gradual adoption will allow the community to adjust and provide feedback on its impact.
Node operators still using affected versions are strongly advised to upgrade to the latest release to mitigate these potential risks.