Sergio Demian Lerner

Name of the Vulnerable Software and Affected Versions: Bitcoin Core versions prior to 0.14 Description: The issue allows an attacker to create an ostensibly valid SPV proof for a payment to a victim who uses an SPV wallet, even if that payment did not actually occur. Completing the attack would cost more than a million dollars, and is relevant mainly only in situations where an autonomous system relies solely on an SPV proof for transactions of a greater dollar amount. Recommendations: For versions prior to 0.14, update to version 0.14 or later to resolve the issue. As a temporary workaround, consider restricting the reliance on SPV proofs for transactions of a greater dollar amount in autonomous systems.

**Name of the Vulnerable Software and Affected Versions** bitcoind and Bitcoin-Qt versions prior to 0.7.0 **Description** The issue concerns the alert functionality in the affected software, which improperly handles different character representations of the same signature data. It relies on a hash of this signature, allowing remote attackers to cause a denial of service through resource consumption by providing a valid modified signature for a circulating alert. **Recommendations** For versions prior to 0.7.0, update to version 0.7.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Bitcoin-Qt versions prior to 0.8.0rc1 bitcoind versions prior to 0.8.0rc1 **Description** The issue allows remote attackers to cause a denial of service by consuming disk I/O via a Bitcoin transaction with many inputs corresponding to different parts of the stored block chain. This is due to the CTransaction::FetchInputs method copying transactions from disk to memory without checking for spent prevouts. **Recommendations** For bitcoind versions prior to 0.8.0rc1, update to version 0.8.0rc1 or later to resolve the issue. For Bitcoin-Qt versions prior to 0.8.0rc1, update to version 0.8.0rc1 or later to resolve the issue.