We've gone through all the advisories published by the upstream go-ethereum repository to make sure XDC is not vulnerable to those issues. We can report that all the issues have been either patched in XDC or are not relevant. More details follow:
- CVE-2024-32972: XDC is not affected as the issue was in the implementation of eth/68 and XDC is on eth/62 (eth/64 on testnet).
- CVE-2023-40591: This has been patched by 4a333ad.
- CVE-2022-29177: Fixed by https://github.com/XinFinOrg/XDPoSChain/pull/242.
- CVE-2021-41173: Not relevant as XDC doesn't implement the snap protocol.
- CVE-2021-39137: Fixed as part of https://github.com/XinFinOrg/XDPoSChain/pull/133.
- CVE-2020-26265: The commit that introduced this issue (223b95) was never introduced to XDC.
- CVE-2020-26264: To my knowledge, no XDC LES servers are in production.
- CVE-2020-28362: This has been an issue for XDC nodes built with Go <1.15.5 or <1.14.12. XDC cannot be built with such old versions anymore.
- CVE-2020-26242: XDC is on v1.2.4 of holiman/uint256. The vulnerability had been resolved in v1.1.1. Furthermore, the precompiles have not been migrated to use uint256.
- CVE-2020-26241: Fixed in https://github.com/XinFinOrg/XDPoSChain/pull/255.
- CVE-2020-26240: Not relevant as XDC is not on Ethash PoW algorithm.
Discussion (1)
Thank you for the updates