diff --git a/_config.yml b/_config.yml index 3025084285..cbef41c89b 100644 --- a/_config.yml +++ b/_config.yml @@ -71,3 +71,9 @@ collections: caption: Whisper sidebar_index: 8 frontpage: _whisper/Whisper-Overview.md + vulnerabilities: + output: true + permalink: docs/:collection/:slug + caption: Vulnerabilities + sidebar_index: 9 + frontpage: _vulnerabilies/vulnerabilities.md diff --git a/docs/vulnerabilities/vulnerabilities.json b/docs/_vulnerabilities/vulnerabilities.json similarity index 100% rename from docs/vulnerabilities/vulnerabilities.json rename to docs/_vulnerabilities/vulnerabilities.json diff --git a/docs/_vulnerabilities/vulnerabilities.json.minisig b/docs/_vulnerabilities/vulnerabilities.json.minisig new file mode 100644 index 0000000000..62455907bd --- /dev/null +++ b/docs/_vulnerabilities/vulnerabilities.json.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RWQk7Lo5TQgd+6yVey1A8y2f2GZduUSb95pD+1lmBDFQvhVULfofBQnW+/c3xHoBxB/0OoJjlEO/IPP44u1m7gJmYCFZF4S19gc= +trusted comment: timestamp:1606134012 file:vulnerabilities.json +K09k9CDs8910uUdom54obtZJh5In7o8c3Phto4RDdM94ONPGDFA/3/QrwZ44Wr2F6qmI52P4mmOg7OGQHpq3CQ== diff --git a/docs/vulnerabilities/vulnerabilities.md b/docs/_vulnerabilities/vulnerabilities.md similarity index 80% rename from docs/vulnerabilities/vulnerabilities.md rename to docs/_vulnerabilities/vulnerabilities.md index 1c01185d8a..4fb554992d 100644 --- a/docs/vulnerabilities/vulnerabilities.md +++ b/docs/_vulnerabilities/vulnerabilities.md @@ -1,4 +1,9 @@ -## Vulnerability disclosures +--- +title: Vulnerability disclosure +sort_key: A +--- + +## About disclosures In the software world, it is expected for security vulnerabilities to be immediately announced, thus giving operators an opportunity to take protective measure against attackers. 
@@ -47,7 +52,9 @@ In keeping with this policy, we have taken inspiration from [Solidity bug disclo ## Disclosed vulnerabilities -In this folder, you can find a JSON-formatted list of some of the known security-relevant vulnerabilities concerning `geth`. +In this folder, you can find a JSON-formatted list ([`vulnerabilities.json`](vulnerabilities.json)) of some of the known security-relevant vulnerabilities concerning `geth`. + +As of `geth` version `1.9.25`, geth has a built-in command to check whether it is affected by any publically disclosed vulnerability, using the command `geth version-check`. This command will fetch the latest json file (and the accompanying [signature-file](vulnerabilities.json.minisig), and cross-check the data against it's own version number. The file itself is hosted in the Github repository, on the `gh-pages`-branch. The list was started in November 2020, and covers mainly `v1.9.7` and forward. @@ -75,4 +82,13 @@ The JSON file of known vulnerabilities below is a list of objects, one for each - Takes into account the severity of impact and likelihood of exploitation. - `check` - This field contains a regular expression, which can be used against the reported `web3_clientVersion` of a node. If the check - matches, the node is with a high likelyhood affected by the vulnerability. \ No newline at end of file + matches, the node is with a high likelyhood affected by the vulnerability. +- `CVE` + - The assigned `CVE` identifier, if available (optional) + +### What about Github security advisories + +We prefer to not rely on Github as the only/primary publishing protocol for security advisories, but +we plan use the Github-advisory process as a second channel for disseminating vulnerability-information. + +Advisories published via Github can be accessed [here](https://github.com/ethereum/go-ethereum/security/advisories?state=published). \ No newline at end of file
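Review bot: The `frontpage` path added to `_config.yml` is misspelled: `frontpage: _vulnerabilies/vulnerabilities.md` is missing the "t", while the renamed files in this same patch live under `_vulnerabilities/`. Jekyll will not find the front page for the new collection until this reads `frontpage: _vulnerabilities/vulnerabilities.md`, matching the pattern of the existing `frontpage: _whisper/Whisper-Overview.md` entry above it.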
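Review bot: The rename of `docs/vulnerabilities/vulnerabilities.json` to `docs/_vulnerabilities/vulnerabilities.json` changes the source path of a file that the documentation in this same patch says `geth version-check` fetches from the `gh-pages` branch. Please confirm that the URL the client fetches still resolves after the move (the new collection's `permalink: docs/:collection/:slug` covers collection documents, and it is worth checking that the plain `.json` and `.minisig` files are published at the expected location as well), otherwise the built-in check silently breaks for every released client that has the old location baked in.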
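Review bot: The new `vulnerabilities.json.minisig` binds the signature to a specific file (`trusted comment: timestamp:1606134012 file:vulnerabilities.json`), so the signature is only valid for the exact JSON bytes that existed at signing time, and every future edit to `vulnerabilities.json` must be accompanied by a regenerated `.minisig` in the same commit or the published check will fail verification. It would help to add a short note to `vulnerabilities.md` describing the re-signing step, and to state which minisign public key the signature should be verified against, since neither the key nor its fingerprint appears anywhere in this patch.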
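Review bot: The paragraph describing `geth version-check` in `vulnerabilities.md` does not say that the command verifies the minisign signature before trusting the JSON; it only says it will "fetch the latest json file (and the accompanying signature-file" and cross-check the data. Since the signature is the only thing that protects this check against a tampered file on the web host, please state explicitly that the data is rejected unless the signature verifies, and which key is used. While editing that sentence, also fix the unclosed parenthesis after "signature-file", "publically" to "publicly", "it's own version number" to "its own version number", "json" to "JSON", and "Github" to "GitHub".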
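Review bot: The last hunk of `vulnerabilities.md` re-adds the existing typo instead of fixing it: the `+` line for the `check` field still reads "with a high likelyhood affected" and should be "with a high likelihood affected". In the new "What about Github security advisories" section, "we plan use the Github-advisory process" is missing "to" ("we plan to use"), "Github" should be "GitHub" in both places, and the heading reads as a question so it should end with one. The new `CVE` field entry is fine, though it may be worth noting the expected format (for example that the value is the bare `CVE-YYYY-NNNNN` identifier) so that tooling consuming the JSON can rely on it.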