Bitcoin Optech has disclosed a total of 10 vulnerabilities that have affected older versions of Bitcoin Core software, according to a report by CryptoSlate. These vulnerabilities, which have been fixed in more recent releases, could have enabled various attacks on nodes running outdated Bitcoin Core versions.
The disclosure of these vulnerabilities is significant considering that Bitcoin Core developers have recently introduced a new security disclosure policy with the aim of improving transparency and communication regarding vulnerabilities.
In the past, the project has faced criticism for not adequately disclosing security-critical bugs to the public, leading to a perception that Bitcoin Core is largely bug-free.
Libbitcoin developer Eric Voskuil, in a message to the Bitcoin mailing list, highlighted that this perception is misleading and could be dangerous, as it downplays the risks involved in running outdated software versions.
Active Bitcoin node vulnerabilities
CryptoSlate has analyzed active Bitcoin nodes to assess how many are currently vulnerable to each attack vector. Out of 14,001 nodes, roughly 787 (5.94%) are running versions older than 0.21.0.
While the network remains secure and largely protected against any meaningful attacks, this figure is significant enough to be considered a problem that the Bitcoin community may need to address.
Efforts can be made to encourage these node operators to upgrade to newer versions in order to enhance the Bitcoin network’s overall security, efficiency, and future readiness.
Although not an immediate critical issue, it is certainly a concern that warrants attention. It’s not an existential threat to Bitcoin, as the majority of the network still runs up-to-date software. However, it does represent a non-trivial portion of the network that could cause issues or be exploited under certain circumstances.
This highlights a need for better communication and incentives within the Bitcoin community to encourage more frequent updates.
Risks for active Bitcoin nodes
According to the disclosure, the most widespread vulnerability affected versions prior to 0.21.0, potentially impacting 787 nodes. This flaw could enable censorship of unconfirmed transactions and cause netsplits due to excessive time adjustments.
Three separate vulnerabilities affected versions before 0.20.0, each potentially impacting 182 nodes. These included a memory DoS from large inv-messages, a CPU-wasting DoS from malformed requests, and a memory-related crash when parsing BIP72 URIs.
An unbounded ban list CPU/memory DoS vulnerability (CVE-2020-14198) affected versions prior to 0.20.1, putting 185 nodes at risk. Earlier versions were susceptible to other attacks, such as a CPU DoS and node stalling from orphan handling (before 0.18.0, affecting 70 nodes) and a memory DoS using low-difficulty headers (before 0.15.0, impacting 29 nodes).
The oldest vulnerabilities disclosed included a remote code execution bug in miniupnpc (CVE-2015-6031) affecting versions before 0.11.1 and a node crash DoS from large messages (CVE-2015-3641) in versions prior to 0.10.1. These affected 22 and 5 nodes, respectively, indicating that very few are still running such outdated software.
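As an added example (not code from the CryptoSlate report or from Bitcoin Core), the version cutoffs and CVE ids listed above can be turned into a simple inventory check that maps a node's advertised user agent to the disclosed issues that still apply to it. The user-agent strings are constructed sample data; the `/Satoshi:x.y.z/` form is Bitcoin Core's standard user-agent convention, and the check handles the switch from the 0.x.y scheme to the 22.0.0 scheme.

```python
import re

# First fixed version and a short label for each issue the article names
# (versions and CVE ids as reported in the article; nine of the ten are listed).
DISCLOSED = [
    ((0, 21, 0), "unconfirmed-tx censorship / netsplit via time adjustment"),
    ((0, 20, 1), "unbounded ban list CPU/memory DoS (CVE-2020-14198)"),
    ((0, 20, 0), "memory DoS from large inv messages"),
    ((0, 20, 0), "CPU-wasting DoS from malformed requests"),
    ((0, 20, 0), "crash when parsing BIP72 URIs"),
    ((0, 18, 0), "CPU DoS / node stalling from orphan handling"),
    ((0, 15, 0), "memory DoS using low-difficulty headers"),
    ((0, 11, 1), "miniupnpc remote code execution (CVE-2015-6031)"),
    ((0, 10, 1), "node crash DoS from large messages (CVE-2015-3641)"),
]

# Constructed sample of advertised user agents (not real survey data).
SAMPLE_NODES = [
    "/Satoshi:27.0.0/", "/Satoshi:22.0.0/", "/Satoshi:0.21.1/",
    "/Satoshi:0.20.1/", "/Satoshi:0.20.0/", "/Satoshi:0.17.1/",
    "/Satoshi:0.10.0/", "/btcwire:0.5.0/btcd:0.24.2/",
]

def parse_version(user_agent):
    """Return Bitcoin Core's version tuple from a '/Satoshi:x.y.z/' user agent.
    Releases up to 0.21 are 0.x.y; from 22.0 the leading zero was dropped, and
    plain tuple comparison already orders (22, 0, 0) after (0, 21, 0)."""
    m = re.search(r"/Satoshi:(\d+)\.(\d+)(?:\.(\d+))?", user_agent)
    if not m:
        return None  # not Bitcoin Core or unparseable: report, don't guess
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def applicable_issues(user_agent):
    """Labels of issues whose first fixed version is newer than the node's."""
    v = parse_version(user_agent)
    return None if v is None else [lbl for fixed, lbl in DISCLOSED if v < fixed]

def summarize(user_agents):
    """Per-issue count of affected nodes plus the number of unparseable agents."""
    counts = {lbl: 0 for _, lbl in DISCLOSED}
    unknown = 0
    for ua in user_agents:
        issues = applicable_issues(ua)
        if issues is None:
            unknown += 1
            continue
        for lbl in issues:
            counts[lbl] += 1
    return counts, unknown
```

Feeding real user agents from a node's `getpeerinfo` output into `summarize` gives the same per-issue breakdown the article reports, restricted to the peers you can actually see.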
New Bitcoin developer disclosure policy
The new policy categorizes vulnerabilities into four severity levels: low, medium, high, and critical. Low-severity bugs, which are difficult to exploit or have minimal impact, will be disclosed two weeks after a fixed version is released, with a pre-announcement made simultaneously.
Medium and high-severity bugs, which have more significant impacts, will be disclosed two weeks after the last affected release reaches its end-of-life (EOL), typically one year after the fixed version is first released. A pre-announcement will be made two weeks before disclosure. Critical bugs threatening the network’s integrity will require an ad-hoc disclosure procedure.
The policy will be implemented gradually. All vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier will be disclosed immediately. In July, vulnerabilities fixed in version 22.0 will be disclosed, followed by those fixed in version 23.0 in August. This process will continue until all EOL versions have been addressed.
This initiative aims to set clear expectations for security researchers, incentivizing them to find and responsibly disclose vulnerabilities. By making security bugs available to a broader group of contributors, the policy seeks to prevent future issues and enhance the overall security of the Bitcoin network.
According to the Bitcoin Development Mailing List, the policy’s gradual adoption will allow the community to adjust and provide feedback on its impact.
Node operators still using affected versions are strongly advised to upgrade to the latest release to mitigate these potential risks.