
bitcoind image v27.2 contains multiple critical and high vulnerabilities

Open antonr-p2p opened this issue 5 months ago • 11 comments

Please find more details attached. I hope it should be possible to just rebuild the current image with the latest base one. Both v27.2 and v28.0 images were released ~6 months ago, and these critical/high vulns are 4-5 months old.

bitcoind-27.2.pdf

antonr-p2p avatar Jul 23 '25 13:07 antonr-p2p

I'll check what I can do, but none of these vulns seem exploitable.

This is not a "critical issue", but rather low-priority.

The repository is not really actively maintained at the moment, maybe you can also try this fork: https://github.com/lnliz/docker-bitcoind.

AaronDewes avatar Jul 23 '25 14:07 AaronDewes

Thank you Aaron for all your work. I maintain lnliz/docker-bitcoind and I pushed an update for the docker images for 26.2, 27.2, 28.0 to update alpine, hope that helps.

And I agree with Aaron, these are not critical issues but robot-generated pdf reports, so only low-priority.

lnliz avatar Jul 29 '25 22:07 lnliz

@lnliz, did this impact the latest version, or just those that you mentioned (26.2, 27.2 and 28)?

Goro2030 avatar Jul 29 '25 23:07 Goro2030

No idea, @antonr-p2p can know with his generated pdf reports.

lnliz avatar Jul 31 '25 21:07 lnliz

@Goro2030 as I mentioned in the subject, both v27.2 and v28.0 images were released ~6 months ago, and these critical/high vulns are 4-5 months old. So basically rebuilding using the latest OS image/packages and dependencies should fix it.

antonr-p2p avatar Aug 04 '25 10:08 antonr-p2p

Is there a way to drag attention to this repository? The Docker image has 1.8M pulls 🚀 We're one of them running our bitcoin nodes thanks to it for years :) Let's give it some love! 💌

planbetterHQ avatar Oct 16 '25 11:10 planbetterHQ

@planbetterHQ I think the best suggestion here would be to switch to lnliz/bitcoind because it's released frequently. Here the latest release was around 9 months ago. Vulnerabilities in the OS and deps are found periodically, that's why it is a good idea to release new builds with updated underlying components periodically as well, even if the main app code is not changed. That's the idea of security fixes/patches.

antonr-p2p avatar Oct 16 '25 15:10 antonr-p2p

@AaronDewes any ETA to upgrade this library to use the latest Bitcoin version?

planbetterHQ avatar Oct 16 '25 18:10 planbetterHQ

@planbetterHQ I'm not really involved here anymore. I recommend using https://github.com/lnliz/docker-bitcoind for now.

AaronDewes avatar Oct 16 '25 19:10 AaronDewes

Who else is involved? Why isn't @lnliz taking care of this :)? That'd be way more convenient than creating a new fork and restarting the reputation.

planbetterHQ avatar Oct 16 '25 19:10 planbetterHQ

@planbetterHQ - this is an open-source repo, everyone can contribute and open a PR with the new bitcoin version, including you. I forked to my own repo because waiting for reviews in this repo was slow as the original owners moved on.

If you need the new version of bitcoin core images then feel free to use images from here (lnliz repo, drop-in replacement, got latest 29.x and 30) or build your own 🤷‍♀️

lnliz avatar Oct 17 '25 05:10 lnliz