Common sentiment is that the miniupnpc codebase likely contains further
vulnerabilities.
I'd prefer to get rid of the dependency completely, but a compromise for
now is to at least disable it by default.
For Gitian releases:
- Windows builds remain unchanged. libstdc++ was already linked statically.
- OSX builds remain unchanged. libstdc++ is tied to the SDK and not worth
messing with.
- Linux builds now statically link libstdc++.
For Travis:
- Match the previous behavior by adding --enable-reduce-exports as
necessary.
- Use static libstdc++ for the full Linux build.
Since permissions and timestamps are changed for the sake of determinism,
. must not be added to the archive. Otherwise, tar may try to modify pwd when
extracting.
Descriptors now make use of the dependencies builder, so results are cached.
A very new version (>= e9741525c) of Gitian should be used in order to take
advantage of caching.
Upgrade for https://www.openssl.org/news/secadv_20140605.txt
Just in case - there is no vulnerability that affects ecdsa signing or
verification.
The MITM attack vulnerability (CVE-2014-0224) may have some effect on
our usage of SSL/TLS.
As long as payment requests are signed (which is the common case), usage
of the payment protocol should also not be affected.
The TLS usage in RPC may be at risk for MITM attacks. If you have
`-rpcssl` enabled, be sure to update OpenSSL as soon as possible.
Bumps deps-linux, deps-win dependency versions as well.
qt-win does not need to be bumped, as although it depends on deps-win,
Qt doesn't use miniupnp. I verified this by rebuilding the dependency
and checking the the output is the same. Not having to rebuild Qt is a
good thing as it is huge.
IIRC this was the case with 0.8.6, so let's keep this to avoid the risk
of losing connectable nodes with 0.9 release.
Also our miniupnpc library was recently updated and I've heard
reports that it works better than before now.
- Add 'g++' package (virtualbox images don't have this by default)
- Workaround for determinism in Qt5 resources
- Pass --disable-maintainer-mode --disable-dependency-tracking to
configure for libqrencode to avoid random errors about missing m4
directory
- Fix typo -with-pic -> --with-pic
It is not necessary to rebuild dependencies after this commit.
Fixes#3610 and #3612.
Luke Dashjr