|
Title: OpenSSL update Post by: ca333 on March 24, 2015, 02:23:26 PM #EDIT: BTC-Core/wallet is not affected directly by new openSSL vulns. But server can be attacked because of it through DoS and overload.. or also the second high serverity vuln is reclassification of FREAK attack and gives a risk so a bad certificate will be accepted by victim and then badguy can make the man-in-the-middle attack IF a NULL pointer dereference is triggered.
Referencing to https://www.openssl.org/news/secadv_20150319.txt i advice all user and service-maintainer to upgrade OpenSSL if you run online BTC-project. Vulnerabilities: (red one is high severity) OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) affects OpenSSL version: 1.0.2 - upgrade to 1.0.2a! Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.1 users should upgrade to 1.0.1k. OpenSSL 1.0.0 users should upgrade to 1.0.0p. OpenSSL 0.9.8 users should upgrade to 0.9.8zd. Multiblock corrupted pointer (CVE-2015-0290) Segmentation fault in DTLSv1_listen (CVE-2015-0207) Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) Segmentation fault for invalid PSS parameters (CVE-2015-0208) ASN.1 structure reuse memory corruption (CVE-2015-0287) PKCS7 NULL pointer dereferences (CVE-2015-0289) Base64 decode (CVE-2015-0292) DoS via reachable assert in SSLv2 servers (CVE-2015-0293) Empty CKE with client auth and DHE (CVE-2015-1787) Handshake with unseeded PRNG (CVE-2015-0285) Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) source: https://www.openssl.org/news/secadv_20150319.txt please take it serious! ca333 Title: Re: [ADVICE] UPDATE OpenSSL NOW! - 12 vulns! Post by: gmaxwell on March 24, 2015, 04:23:11 PM The disclosed vulnerabilities are not very exciting for Bitcoin implementations and I am not aware of any reason people should rush to deploy in the context of Bitcoin software (the subject of this subforum! your webserver is another matter)
The diff between 1.0.1l and 1.0.1m is over 700k lines of code because they also reformatted the whole codebase at the same time. If someone has told you've they've reviewed the changes carefully they're lying. Gentoo (and, I believe, Debian) appears to be rejecting openssl's huge patch and is working on backporting the specific fixes. Title: Re: OpenSSL update Post by: DeathAndTaxes on March 24, 2015, 04:40:01 PM The diff between 1.0.1l and 1.0.1m is over 700k lines of code because they also reformatted the whole codebase at the same time. Awesome. Even if not malicious such practices make great cover for other malicious actors. Glad to see some distros are saying WTF! Title: OpenSSL update Post by: ca333 on March 24, 2015, 06:52:52 PM The disclosed vulnerabilities are not very exciting for Bitcoin implementations and I am not aware of any reason people should rush to deploy in the context of Bitcoin software (the subject of this subforum! your webserver is another matter) The diff between 1.0.1l and 1.0.1m is over 700k lines of code because they also reformatted the whole codebase at the same time. If someone has told you've they've reviewed the changes carefully they're lying. Gentoo (and, I believe, Debian) appears to be rejecting openssl's huge patch and is working on backporting the specific fixes. you are correct regarding the direct danger for bitcoinwallet. but this board is also for the development and technic discussion of general projects for bitcoin i think. so advice for security update should fit in. if not, please advice me. and so i think service-maintainer must make the update (if affected openssl versions are used) because bitcoin-enviroments will be directly affected by the vulnerability.. True that BTC-core itself is not affected directly. but btc-services offline because a server get crashed by DoS is very bad i think. and many BTC-services are harmed/affected hardly by this downtime-risk.. so in my opinion when you run a btc-related service than you must rush for the update very fast. operators of high-frequency service in darknet are in update-progress, and i hope the big btc-service in clearnet also make it. and of course this is only my opinion. so i am thankful for other opinion and also other knowledge. #EDIT: it s good when linux distros backport only the fixes which used to remove vulns . but i think most users apply patching manually without waiting for official updatepatch. spescially webmasters. and also not sure what is sense of reformatting in the SAME TIME??? why not only fix vuln and in next version increment reformat codebase? Title: Re: [ADVICE] UPDATE OpenSSL NOW! - 12 vulns! Post by: gmaxwell on March 24, 2015, 07:08:45 PM but this board is also for the development and technic discussion of general projects for bitcoin i think. so advice for security update should fit in. if not, please advice me. It very explicitly is not, please see the description of the subforum: "Technical discussion about Satoshi's Bitcoin client and the Bitcoin network in general. No third-party sites/clients, bug reports that do not require much discussion (use github), or support requests.".Quote #EDIT: it s good when linux distros backport only the fixes which used to remove vulns . but i think most users apply patching manually without waiting for official updatepatch. spescially webmasters. and also not sure what is sense of reformatting in the SAME TIME??? why not only fix vuln and in next version increment reformat codebase? I do not know why they did that. I think its unreasonable.Title: OpenSSL update Post by: ca333 on March 24, 2015, 07:13:56 PM but this board is also for the development and technic discussion of general projects for bitcoin i think. so advice for security update should fit in. if not, please advice me. It very explicitly is not, please see the description of the subforum: "Technical discussion about Satoshi's Bitcoin client and the Bitcoin network in general. No third-party sites/clients, bug reports that do not require much discussion (use github), or support requests.".I am sorry, my intention of this thread is only to make a benefit for the users/developers of bitcoinprojects overall.. i look for the correct board and move it. excuses. Quote from: gmaxwell Quote #EDIT: it s good when linux distros backport only the fixes which used to remove vulns . but i think most users apply patching manually without waiting for official updatepatch. spescially webmasters. and also not sure what is sense of reformatting in the SAME TIME??? why not only fix vuln and in next version increment reformat codebase? I do not know why they did that. I think its unreasonable.yes agree. this sound strange to me. normally so skilled developers take care on this and think about this factors.. |