Status CVE-2021-41593 (Dust HTLC Exposure Considered Harmful)

[larsschenk]

https://lists.linuxfoundation.org/pipermail/lightning-dev/2021-October/003257.html
claims "the vulnerabilities are also affecting c-lightning".

Hereby I want to request what version has the fix for CVE-2021-41593.
Thx.

[cdecker]

The proposed fix was implemented in master and will be part of the release next week.

[NicolasDorier]

@cdecker can you point the commit(s)? I'd like to check if we can backport easily for our btcpay users.

[vincenzopalazzo]

@NicolasDorier #4837

[bitcoin-irs]

#4851

I think this might be actively exploited at the moment. Can someone confirm if this is related or a different attack?

[cdecker]

No, what @bitcoin-irs is seeing it the paytest plugin being used to measure the performance of the pay implementation. See https://github.com/lightningd/plugins/tree/master/paytest for details.

[ulidtko]

6-week bump ☝️

[ZmnSCPxj]

0.10.2 has the fix already.