Security Advisory [Implementation bugs in Go and Python clients can cause DoS – Fixed – Please update clients]

State transition and consensus issue in geth client causes panic (crash) when processing a (valid) block with a specific combination of transactions, which may cause overall network instability if block is accepted and relayed by unaffected clients thus causing a DoS. This may happen in a block that contains transactions which suicide to the block reward address.

Affected configurations: Issue reported for Geth.While investigating the issue, related issues were discovered and corrected in pyethereum, hence pyethapp is also affected. C++ clients are unaffected.

Likelihood: Low

Severity: High

Complexity: High

Impact: Network Instability and DoS

Details: A block containing a specific combination of transactions which include one or more SUICIDE calls, while valid, causes panic crash in go-ethereum client and crash in pyethereum. Additional details may be posted when available.

Effects on expected chain reorganisation depth: None.

Remedial action taken by Ethereum: Provision of fixes as below.

Proposed temporary workaround: Switch to unaffected client such as eth (C++).

Fix:Upgrade geth and pyethereum client software.

go-ethereum (geth):

Please note that the current stable version of geth is now 1.1.1; if you are running 1.0 and using a package manager such as apt-get or homebrew the client will be upgraded.

If using the PPA: sudo apt-get update then sudo apt-get upgrade

If using brew: brew update then brew reinstall ethereum

If using a windows binary: download the updated binary.

If you are building from source: git pull followed by make geth (please use the Master branch commit 8f09242d7f527972acb1a8b2a61c9f55000e955d)

The correct version for this update on Ubuntu AND OSX is Geth/v1.1.1-8f09242d

pyethereum:

Users of pyethapp should reinstall

> pip install pyethapp --force-reinstall