Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: elect...@packages.debian.org Control: affects -1 + src:electrum
[ Reason ] A bug was discovered in a component known as Lightning of Electrum 4.1.0 - 4.4.5. https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf [ Impact ] Users who opt to use the Lightning network (an optional component) can have portions of their Bitcoin transactions stolen by malicious nodes on the network. [ Tests ] Upstream has a test framework that I plan to integrate into autotests, but currently the Debian packages do not include those tests. [ Risks ] A cherry-picked fix was provided by upstream that patches 4.3.4 in bookworm. https://github.com/spesmilo/electrum/commit/11fba68126f82d05de90efd67f2b43dfd1b8f22c [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] The patch fixes the Lightning client to verify that all the components of a transaction are confirmed before releasing secrets to the Lightning node. I have also updated the Uploaders field to be myself. If that is inappropriate for a point release I can revert that change. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041171 [ Other info ] Discussion with upstream is at: https://github.com/spesmilo/electrum/issues/8588 This was discussed with Debian Security. I was going to attach a link to the public part of the discussion on the mailing list, but it appears that the list server web interface is currently down. However, there is some information on the security tracker. https://security-tracker.debian.org/tracker/TEMP-0000000-1C589C Note that the security tracker currently says that 4.0.9 in oldstable is affected. I had initially thought it was and indicated so to the Debian Security team. However, upstream recently confirmed that the bug wasn't introduced until 4.1.0, which is documented in the first and third GitHub links above.
