github.com/ethereum/go-ethereum vulnerabilities

26 known vulnerabilities affecting github.com/ethereum/go-ethereum.

Total CVEs: 26
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: HIGH 13, MEDIUM 13

Vulnerabilities

Page 2 of 2
CVE-2020-26240 · MEDIUM · affected versions ≥ 0, < 1.9.24 · 2021-06-29

CVE-2020-26240 [MEDIUM] CWE-682: Erroneous Proof of Work calculation in geth

### Impact
An ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners; non-mining nodes are unaffected.

### Patches
This issue is also fixed as of 1.9.24. Thanks to @slavikus for bringing the issue to our
CVE-2020-26265 · MEDIUM · affected versions ≥ 1.9.4, < 1.9.20 · 2021-06-29

CVE-2020-26265 [MEDIUM] CWE-682: Consensus flaw during block processing in github.com/ethereum/go-ethereum

### Impact
A consensus vulnerability in Geth could cause a chain split, where vulnerable versions refuse to accept the canonical chain.

### Description
A flaw was reported on 2020-08-11 by John Youngseok Yang (Software Platform Lab), where a particular sequence of transactions could cause a consensus failure.
- Tx
CVE-2020-26242 · MEDIUM · affected versions ≥ 1.9.16, < 1.9.18 · 2021-06-29

CVE-2020-26242 [MEDIUM] CWE-125: Denial of service in geth

### Impact
Denial-of-service (crash) during block processing.

### Details
Affected versions suffer from a vulnerability which can be exploited through the `MULMOD` operation, by specifying a modulo of `0`: `mulmod(a,b,0)`, causing a `panic` in the underlying library. The crash was in the `uint256` library, where a buffer [underflowed](https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2
CVE-2020-26264 · MEDIUM · affected versions ≥ 0, < 1.9.25 · 2021-06-29

CVE-2020-26264 [MEDIUM] CWE-400: Denial of service in github.com/ethereum/go-ethereum

### Impact
A DoS vulnerability can make a LES server crash via a malicious `GetProofsV2` request from a connected LES client.

### Patches
The vulnerability was patched in https://github.com/ethereum/go-ethereum/pull/21896.

### Workarounds
This vulnerability only concerns users explicitly enabling the `les` server; disabling `les` prevents the exploit. It can a
CVE-2020-26241 · MEDIUM · affected versions ≥ 1.9.7, < 1.9.17 · 2021-06-29

CVE-2020-26241 [MEDIUM] CWE-682: Shallow copy bug in geth

### Impact
This is a consensus vulnerability, which can be used to cause a chain split where vulnerable nodes reject the canonical chain. Geth's pre-compiled `dataCopy` (at `0x00...04`) contract did a shallow copy on invocation. An attacker could deploy a contract that
- writes `X` to an EVM memory region `R`,
- calls `0x00..04` with `R` as an argument,
- overwrites `R` to `Y`,
- and finally invokes the `RETURND
CVE-2018-16733 · HIGH · affected versions ≥ 0, < 1.8.14 · 2021-05-18

CVE-2018-16733 [HIGH] CWE-20: Go Ethereum Improper Input Validation

In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block.

### Specific Go Packages Affected
github.com/ethereum/go-ethereum/eth