vulnerabilities: integrate vulnerabilities into documentation page (#21889)
* vulnerabilities: integrate vulnerabilities into documentation page * vulnerabilities: add signature file * vulnerabilities: add CVE * vulnerabilities: more info about github advisories * vulnerabilities: link to GH advisories
This commit is contained in:
parent 995a2a38d9
commit be1f08b12f
|
@ -71,3 +71,9 @@ collections:
|
|||
caption: Whisper
|
||||
sidebar_index: 8
|
||||
frontpage: _whisper/Whisper-Overview.md
|
||||
vulnerabilities:
|
||||
output: true
|
||||
permalink: docs/:collection/:slug
|
||||
caption: Vulnerabilities
|
||||
sidebar_index: 9
|
||||
frontpage: _vulnerabilies/vulnerabilities.md
|
||||
|
|
|
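Review bot: the `frontpage` value of the new `vulnerabilities` collection, `_vulnerabilies/vulnerabilities.md`, is spelled differently from the collection key (`vulnerabilities`) and from the `_whisper/Whisper-Overview.md` pattern directly above it. Unless the directory really is named `_vulnerabilies`, the sidebar entry with `sidebar_index: 9` will point at a page that does not exist; suggest checking the directory name and, if it is the usual spelling, changing the line to `frontpage: _vulnerabilities/vulnerabilities.md`.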
@ -0,0 +1,4 @@
|
|||
untrusted comment: signature from minisign secret key
|
||||
RWQk7Lo5TQgd+6yVey1A8y2f2GZduUSb95pD+1lmBDFQvhVULfofBQnW+/c3xHoBxB/0OoJjlEO/IPP44u1m7gJmYCFZF4S19gc=
|
||||
trusted comment: timestamp:1606134012 file:vulnerabilities.json
|
||||
K09k9CDs8910uUdom54obtZJh5In7o8c3Phto4RDdM94ONPGDFA/3/QrwZ44Wr2F6qmI52P4mmOg7OGQHpq3CQ==
|
|
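Review bot: this `.minisig` binds one exact content state of `vulnerabilities.json` (the trusted comment records `timestamp:1606134012 file:vulnerabilities.json`), so any later edit to the JSON that is not accompanied by a fresh signature leaves a stale signature that `geth version-check` will reject. Suggest documenting the re-signing step next to the JSON and stating which minisign public key verifiers are expected to use; the default `untrusted comment: signature from minisign secret key` gives no hint of which key produced it.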
@ -1,4 +1,9 @@
|
|||
## Vulnerability disclosures
|
||||
---
|
||||
title: Vulnerability disclosure
|
||||
sort_key: A
|
||||
---
|
||||
|
||||
## About disclosures
|
||||
|
||||
In the software world, it is expected for security vulnerabilities to be immediately announced, thus giving operators an opportunity to take protective measure against attackers.
|
||||
|
||||
|
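Review bot: the front matter (`---` / `title: Vulnerability disclosure` / `sort_key: A` / `---`) only takes effect if it is the very first thing in the file, yet the hunk still shows `## Vulnerability disclosures` above it. Confirm that heading is the line being removed and not retained context; if it stays, the `---` delimiters render as literal text and the page gets no title. Minor: "protective measure" should read "protective measures".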
@ -47,7 +52,9 @@ In keeping with this policy, we have taken inspiration from [Solidity bug disclo
|
|||
|
||||
## Disclosed vulnerabilities
|
||||
|
||||
In this folder, you can find a JSON-formatted list of some of the known security-relevant vulnerabilities concerning `geth`.
|
||||
In this folder, you can find a JSON-formatted list ([`vulnerabilities.json`](vulnerabilities.json)) of some of the known security-relevant vulnerabilities concerning `geth`.
|
||||
|
||||
As of `geth` version `1.9.25`, geth has a built-in command to check whether it is affected by any publically disclosed vulnerability, using the command `geth version-check`. This command will fetch the latest json file (and the accompanying [signature-file](vulnerabilities.json.minisig), and cross-check the data against it's own version number.
|
||||
|
||||
The file itself is hosted in the Github repository, on the `gh-pages`-branch.
|
||||
The list was started in November 2020, and covers mainly `v1.9.7` and forward.
|
||||
|
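Review bot: the new `geth version-check` paragraph has an unbalanced parenthesis ("(and the accompanying [signature-file](vulnerabilities.json.minisig), and cross-check" is never closed), plus "publically" and "it's own" for "publicly" and "its own". It also says the command cross-checks the fetched JSON against the signature file but never names the public key built into `geth` that anchors that verification; suggest one sentence saying where that key comes from, since without it a reader cannot reproduce the check by hand. The project name is spelled "GitHub".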
@ -75,4 +82,13 @@ The JSON file of known vulnerabilities below is a list of objects, one for each
|
|||
- Takes into account the severity of impact and likelihood of exploitation.
|
||||
- `check`
|
||||
- This field contains a regular expression, which can be used against the reported `web3_clientVersion` of a node. If the check
|
||||
matches, the node is with a high likelyhood affected by the vulnerability.
|
||||
matches, the node is with a high likelyhood affected by the vulnerability.
|
||||
- `CVE`
|
||||
- The assigned `CVE` identifier, if available (optional)
|
||||
|
||||
### What about Github security advisories
|
||||
|
||||
We prefer to not rely on Github as the only/primary publishing protocol for security advisories, but
|
||||
we plan use the Github-advisory process as a second channel for disseminating vulnerability-information.
|
||||
|
||||
Advisories published via Github can be accessed [here](https://github.com/ethereum/go-ethereum/security/advisories?state=published).
|
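Review bot: the new `CVE` field description should state the value shape (a single `CVE-YYYY-NNNNN` string, or a list when several identifiers apply) so that `geth version-check` and other consumers of `vulnerabilities.json` parse it consistently. Typos carried in the hunk: "likelyhood" appears in both the old and new copies of the `check` description, "we plan use" should be "we plan to use", and the heading "What about Github security advisories" is a question and wants a question mark; "Github" should be "GitHub".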