Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Sonny on April 08, 2014, 09:18:41 AM



Title: TLS heartbeat read overrun (CVE-2014-0160)
Post by: Sonny on April 08, 2014, 09:18:41 AM
IIRC, bitcoin-qt uses OpenSSL 1.0.1e.

https://www.openssl.org/news/secadv_20140407.txt
Quote
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

How does this bug affect us?
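
The missing bounds check the advisory describes, as an added C sketch that is not OpenSSL's code and not part of the original post. The function names, constants and the two sample records are constructed for illustration and follow the RFC 6520 heartbeat layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_PADDING 16  /* RFC 6520 requires at least 16 padding bytes */
#define HB_REQUEST 1

/* Constructed samples: an honest 4-byte "ping" request (3 + 4 + 16 = 23 bytes)
 * and a 19-byte record that claims a 65535-byte payload it does not carry. */
const uint8_t HB_HONEST[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
const uint8_t HB_LYING[19]  = {HB_REQUEST, 0xFF, 0xFF};

/* payload_length as written by the peer: untrusted input. */
static size_t hb_claimed(const uint8_t *msg) {
    return ((size_t)msg[1] << 8) | msg[2];
}

/* How many bytes beyond the received record an echo would read if the claimed
 * length were trusted. Computed only; no out-of-bounds read is performed. */
size_t hb_overread_if_unchecked(const uint8_t *msg, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t need = HB_HEADER + hb_claimed(msg);
    return need > rec_len ? need - rec_len : 0;
}

/* Checked echo: returns the payload length copied to out, or -1 when the
 * message must be silently discarded. */
long hb_echo_payload(const uint8_t *msg, size_t rec_len,
                     uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;   /* too short to be valid */
    if (msg[0] != HB_REQUEST) return -1;
    size_t claimed = hb_claimed(msg);
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1; /* the bounds check */
    if (claimed > out_cap) return -1;
    memcpy(out, msg + HB_HEADER, claimed);
    return (long)claimed;
}

int main(void) {
    uint8_t out[64];
    printf("honest: echoed %ld bytes\n",
           hb_echo_payload(HB_HONEST, sizeof HB_HONEST, out, sizeof out));
    printf("lying: unchecked overread %zu bytes, checked result %ld\n",
           hb_overread_if_unchecked(HB_LYING, sizeof HB_LYING),
           hb_echo_payload(HB_LYING, sizeof HB_LYING, out, sizeof out));
    return 0;
}
```

The second record shows why the advisory says "up to 64k": the length field is 16 bits, so a peer that trusts it echoes whatever sits in memory after the record.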


Title: Re: TLS heartbeat read overrun (CVE-2014-0160)
Post by: notbatman on April 08, 2014, 11:26:47 AM
Cold storage of keys FTW?


Title: Re: TLS heartbeat read overrun (CVE-2014-0160)
Post by: wumpus on April 08, 2014, 11:32:52 AM
Michagogo worded it very well here:
http://www.reddit.com/r/Bitcoin/comments/22i9t1/psa_regarding_the_heartbleed_bug_cve20140160_and/

Quote
There are exactly two places in Bitcoin Core that may be affected by this issue.

One is RPC SSL. If you're using this, turn it off. If you don't know what that is, you most likely aren't using it.

The other is the payment protocol. Specifically, fetching payment requests. If you're using a vulnerable version, do not click any bitcoin: links and you will be protected. Note that this is only relevant for the GUI, and only for version 0.9.0.

If you're using self-built executables, you're most likely using dynamically linked OpenSSL. Simply upgrade your OpenSSL package and you should be fine. If I'm not mistaken, the same applies if you're using the PPA. If you're using release binaries, a version 0.9.1 is being prepared that will use the fixed OpenSSL 1.0.1g.

Note that if you're running the GUI (p.k.a. Bitcoin-Qt) you can check your OpenSSL version in the debug window's information tab. If you're on anything earlier than 1.0.1, for example 0.9.8, you're safe. If you're on 1.0.1g or later, you're safe. If you're on 1.0.1-1.0.1e, you may be vulnerable. However, that may not necessarily be the case -- for example, Debian has released an update for Wheezy, version 1.0.1e-2+deb7u5, which fixes the security bug without bumping the version number as reported by OpenSSL.



Title: Re: TLS heartbeat read overrun (CVE-2014-0160)
Post by: NeonFlash on April 08, 2014, 11:38:24 AM
Could someone explain this in more detail?

Quote
"If you're using a vulnerable version, do not click any bitcoin: links and you will be protected"

What exactly is meant by this? I am using Bitcoin-Qt on Windows with OpenSSL 1.0.1.e (so, it is vulnerable according to the link above).


Title: Re: TLS heartbeat read overrun (CVE-2014-0160)
Post by: wumpus on April 08, 2014, 11:39:46 AM
Exactly as it says: don't click any bitcoin payment links.
If you want to pay, copy the address and amount manually (until you can upgrade to 0.9.1).


Title: Re: TLS heartbeat read overrun (CVE-2014-0160)
Post by: NeonFlash on April 08, 2014, 11:49:15 AM
@wumpus: I am a bit confused about Bitcoin links. Where do they appear?

I am unable to see them in the Bitcoin-Qt client. Under which tab? Send/Receive/Transactions?

Or are you referring to something like this:

https://coinbase.com/docs/merchant_tools/payment_buttons


Title: Re: TLS heartbeat read overrun (CVE-2014-0160)
Post by: Sonny on April 08, 2014, 06:41:27 PM
Thanks wumpus for the link. It is really helpful.

BTW, it seems we will have 0.9.1 very soon.

https://twitter.com/gavinandresen/status/453574888587268096
Quote
Expect a 0.9.1 Bitcoin Core release soon, linked against openssl 1.0.1g, because #heartbleed


Title: Re: TLS heartbeat read overrun (CVE-2014-0160)
Post by: kokojie on April 08, 2014, 06:55:28 PM
Question: When I'm online, my browser is always using an SSH tunnel as proxy (it's connected to a VPS which I own). Am I still affected by this OpenSSL thing?


Title: Re: TLS heartbeat read overrun (CVE-2014-0160)
Post by: bitpop on April 08, 2014, 08:05:23 PM
Quote
Question: When I'm online, my browser is always using an SSH tunnel as proxy (it's connected to a VPS which I own). Am I still affected by this OpenSSL thing?

Yes, they hit the site you're connected to.


Title: Re: TLS heartbeat read overrun (CVE-2014-0160)
Post by: awesomeami on April 08, 2014, 11:03:03 PM
Very dangerous
UPDATE NOW!
https://bitcointalk.org/index.php?topic=562388.msg6132453#msg6132453

And change all your passwords in all your accounts (Gmail, banking, FB)
https://bitcointalk.org/index.php?topic=562388.msg6132859#msg6132859