interesting
/
go-ethereum
mirror of https://github.com/ethereum/go-ethereum.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

vulnerabilities: integrate vulnerabilities into documentation page (#21889) 

* vulnerailities: integrate vulnerabilities into documentation page

* vulnerabilities: add signature file

* vulnerabilities: add CVE

* vulnerabilities: more info about github advisories

* vulnerabilities: link to GH advisories
This commit is contained in:
Martin Holst Swende 2020-11-24 13:13:29 +01:00 committed by GitHub
parent 995a2a38d9
commit be1f08b12f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 29 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
_config.yml
View File

@ -71,3 +71,9 @@ collections:
caption: Whisper
sidebar_index: 8
frontpage: _whisper/Whisper-Overview.md
vulnerabilities:
output: true
permalink: docs/:collection/:slug
caption: Vulnerabilities
sidebar_index: 9
frontpage: _vulnerabilies/vulnerabilities.md

0
docs/vulnerabilities/vulnerabilities.json → docs/_vulnerabilities/vulnerabilities.json
View File

4
docs/_vulnerabilities/vulnerabilities.json.minisig Normal file
View File

@ -0,0 +1,4 @@
untrusted comment: signature from minisign secret key
RWQk7Lo5TQgd+6yVey1A8y2f2GZduUSb95pD+1lmBDFQvhVULfofBQnW+/c3xHoBxB/0OoJjlEO/IPP44u1m7gJmYCFZF4S19gc=
trusted comment: timestamp:1606134012 file:vulnerabilities.json
K09k9CDs8910uUdom54obtZJh5In7o8c3Phto4RDdM94ONPGDFA/3/QrwZ44Wr2F6qmI52P4mmOg7OGQHpq3CQ==

20
docs/vulnerabilities/vulnerabilities.md → docs/_vulnerabilities/vulnerabilities.md
View File

@ -1,4 +1,9 @@
## Vulnerability disclosures
---
title: Vulnerability disclosure
sort_key: A
---
## About disclosures
In the software world, it is expected for security vulnerabilities to be immediately announced, thus giving operators an opportunity to take protective measure against attackers.
@ -47,7 +52,9 @@ In keeping with this policy, we have taken inspiration from [Solidity bug disclo
## Disclosed vulnerabilities
In this folder, you can find a JSON-formatted list of some of the known security-relevant vulnerabilities concerning `geth`.
In this folder, you can find a JSON-formatted list ([`vulnerabilities.json`](vulnerabilities.json)) of some of the known security-relevant vulnerabilities concerning `geth`.
As of `geth` version `1.9.25`, geth has a built-in command to check whether it is affected by any publically disclosed vulnerability, using the command `geth version-check`. This command will fetch the latest json file (and the accompanying [signature-file](vulnerabilities.json.minisig), and cross-check the data against it's own version number.
The file itself is hosted in the Github repository, on the `gh-pages`-branch.
The list was started in November 2020, and covers mainly `v1.9.7` and forward.
@ -76,3 +83,12 @@ The JSON file of known vulnerabilities below is a list of objects, one for each
- `check`
- This field contains a regular expression, which can be used against the reported `web3_clientVersion` of a node. If the check
matches, the node is with a high likelyhood affected by the vulnerability.
- `CVE`
- The assigned `CVE` identifier, if available (optional)
### What about Github security advisories
We prefer to not rely on Github as the only/primary publishing protocol for security advisories, but
we plan use the Github-advisory process as a second channel for disseminating vulnerability-information.
Advisories published via Github can be accessed [here](https://github.com/ethereum/go-ethereum/security/advisories?state=published).