Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: awesomeami on April 08, 2014, 10:16:31 PM



Title: bitcoin core updated to 0.9.1
Post by: awesomeami on April 08, 2014, 10:16:31 PM
UPDATE:
Change ALL YOUR PASSWORDS on all your BTC-forums, casinos, exchanges, betting websites ++ (internet) banking systems, gmail, FB, this forum, all httpS ...
(most paranoid - do it twice a day next 2 weeks - and don't forget them :P)


http://www.reddit.com/r/Bitcoin/comments/22jtxg/bitcoin_core_version_091_released/

Pls update https://bitcointalk.org/index.php?board=87.0 ty theymos nice & fast work :)

https://bitcointalk.org/index.php?topic=562409.msg6132778#msg6132778


Quote
A bug in OpenSSL, used by Bitcoin-Qt/Bitcoin Core, could allow your bitcoins to be stolen. Immediately updating Bitcoin Core to 0.9.1 is required in some cases, especially if you're using 0.9.0. Download.
https://bitcoin.org/bin/0.9.1/

https://bitcointalk.org/index.php?topic=561923.msg6128780#msg6128780
https://bitcointalk.org/index.php?topic=561923.msg6131049#msg6131049
https://bitcointalk.org/index.php?topic=561923.msg6131397#msg6131397


Title: Re: bitcoin core updated to 0.9.1
Post by: roslinpl on April 08, 2014, 10:30:17 PM
Yeah... I hope not many people have lost BTC because of that bug ...

Damn :) ... what to do, shit happens - good that reaction was quick and 0.9.1 is released.


Title: Re: bitcoin core updated to 0.9.1
Post by: arcnorth on April 08, 2014, 10:33:07 PM
Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case  :(


Title: Re: bitcoin core updated to 0.9.1
Post by: Rampion on April 08, 2014, 10:34:14 PM
I'm going to transfer all my bitcoin to an online account just in case  :(

I hope you are joking.


Title: Re: bitcoin core updated to 0.9.1
Post by: DeathAndTaxes on April 08, 2014, 10:36:47 PM
Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case  :(

Do you use SSL for remote RPC calls to your bitcoind daemon?  No.  Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT).  Forgot about the new payment protocol system.  Great timing on that one. :)

Switching to an online account would be foolish.  Shutdown your client if you are worried.  Don't start it up again until you have upgraded.


Title: Re: bitcoin core updated to 0.9.1
Post by: Rampion on April 08, 2014, 10:45:46 PM
Do you use SSL for remote RPC calls to your bitcoind daemon?  No.  Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT). 

FYI:

- If you are using the graphical version of 0.9.0 on any platform, you must update immediately. Download here (https://bitcoin.org/bin/0.9.1/). If you can't update immediately, shut down Bitcoin until you can. If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised. Carefully generate an entirely new wallet (not just a new address) and send all of your bitcoins there. Do not delete your old wallet.
- If you are using any other version of Bitcoin-Qt/Bitcoin Core, including bitcoind 0.9.0, you are vulnerable only if the rpcssl command-line option is set. If it is not, then no immediate action is required. If it is, and if an attacker could have possibly communicated with the RPC port, then you should consider your wallet to be compromised.

This vulnerability is caused by a critical bug in the OpenSSL library used by Bitcoin Core. Successfully attacking Bitcoin Core by means of this bug seems to be difficult in most cases, and it seems at this point that even successful attacks may be limited, but I recommend taking the above actions just in case.

If you are using a binary version of Bitcoin Core obtained from bitcoin.org or SourceForge, then updating your system's version of OpenSSL will not help. OpenSSL is packaged with the binary on all platforms.

Download 0.9.1 (https://bitcoin.org/bin/0.9.1/)
Announcement (https://bitcoin.org/en/release/v0.9.1)

Other software (including other wallet software) may also be affected by this bug. OpenSSL is extremely common.
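
The triage rules in the advisory quoted above, written out as an added example that is not part of the thread or of Bitcoin Core. The function names, result labels and sample `bitcoin.conf` are constructed for illustration, and the option parsing is a simplified assumption about how `rpcssl` is read from the config file or command line.

```python
# Added example: triage of a pre-0.9.1 install using the rules quoted above.
# Function names and result labels are hypothetical; the sample config is constructed.

SAMPLE_CONF = """\
# constructed sample bitcoin.conf
server=1
rpcuser=example
rpcssl=1   # RPC served over SSL
"""

def _is_on(value):
    """Bare option counts as on; otherwise any non-zero integer does (simplified)."""
    value = value.strip()
    if value == "":
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False

def rpcssl_enabled(conf_text, argv=()):
    """True if any config line or command-line argument turns rpcssl on.

    Conservative on purpose: one enabling occurrence is enough to flag the host.
    """
    settings = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if line:
            settings.append(line)
    settings += [arg.lstrip("-") for arg in argv]  # "-rpcssl=1" -> "rpcssl=1"
    for item in settings:
        key, _, value = item.partition("=")
        if key.strip() == "rpcssl" and _is_on(value):
            return True
    return False

def triage(is_090_gui, used_payment_protocol, rpcssl, rpc_reachable):
    """Map the advisory's conditions to one of four result labels."""
    if is_090_gui:
        # Graphical 0.9.0: update regardless; payment-protocol use means a new wallet.
        return "wallet-compromised" if used_payment_protocol else "update-now"
    if not rpcssl:
        return "no-immediate-action"
    # rpcssl set: compromised only if an attacker could have reached the RPC port.
    return "wallet-compromised" if rpc_reachable else "vulnerable"

if __name__ == "__main__":
    on = rpcssl_enabled(SAMPLE_CONF)
    print(on, triage(False, False, on, rpc_reachable=True))
```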


Title: Re: bitcoin core updated to 0.9.1
Post by: roslinpl on April 08, 2014, 10:50:08 PM
Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case  :(
No worries too much. Problem is with Bitcoin-qt not with Multibit ...

And offline 3rd party wallets are not recommended to keep your BTCs  - online wallets are to keep reasonable amounts not all of your holdings...

Just do not worry as you are multibit user.
Just make sure your computer is behind a firewall, your router is behind a firewall, you can install some additional firewall, and antivirus, and spybot remover and just keep all safety steps in mind. E-mails, phishing web sites, etc. :)

regards.


Title: Re: bitcoin core updated to 0.9.1
Post by: awesomeami on April 08, 2014, 10:54:36 PM
Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case  :(

Do you use SSL for remote RPC calls to your bitcoind daemon?  No.  Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT).  Forgot about the new payment protocol system.  Great timing on that one. :)

Switching to an online account would be foolish.  Shutdown your client if you are worried.  Don't start it up again until you have upgraded.
THIS!!

1. Just don't panic
2. Shutdown all bitcoin clients (better other ones, too - like multibit or armory)
3. upgrade
4. watch carefully for a few days - better don't start
5. move to another wallet - https://bitcointalk.org/index.php?topic=562409.msg6132778#msg6132778 just for sure
6. read more about here:
https://bitcointalk.org/index.php?topic=561923.msg6133060#msg6133060

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all httpS ...
(most paranoid - do it twice a day next 2 weeks - and don't forget them :P)




Title: Re: bitcoin core updated to 0.9.1
Post by: grue on April 09, 2014, 04:00:49 AM
oh look, this sort of fearmongering again. On bitcoin-qt, you're not compromised unless you clicked a bitcoin payment link.

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all https
what if i told you that all of the major browsers do not use openssl? chrome and firefox use NSS (https://en.wikipedia.org/wiki/Network_Security_Services), and microsoft uses their own closed source solution. What if I also told you that the vulnerability does not include code injection, so unless you entered passwords into an openssl application, you're safe.


Title: Re: bitcoin core updated to 0.9.1
Post by: meawleir21 on April 09, 2014, 04:54:20 AM
LOL this is just big! if it's vlad who found it then he got himself attention for sure...


Title: Re: bitcoin core updated to 0.9.1
Post by: binaryFate on April 09, 2014, 08:33:03 AM
oh look, this sort of fearmongering again. On bitcoin-qt, you're not compromised unless you clicked a bitcoin payment link.

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all https
what if i told you that all of the major browsers do not use openssl? chrome and firefox use NSS (https://en.wikipedia.org/wiki/Network_Security_Services), and microsoft uses their own closed source solution. What if I also told you that the vulnerability does not include code injection, so unless you entered passwords into an openssl application, you're safe.

The memory of the browser is compromised, no need to type any password... it is enough if they are in the part of your RAM that can be dumped to the attacker. Same for session IDs.
Good news that chrome and firefox are not affected.


Title: Re: bitcoin core updated to 0.9.1
Post by: awesomeami on April 09, 2014, 09:38:56 AM
Good news that chrome and firefox are not affected.

Can you pls explain how can I be/was safe using FF connecting to "compromised OpenSSL www".
ty - I am not much expert in that - maybe some link, ty


Title: Re: bitcoin core updated to 0.9.1
Post by: Lethn on April 09, 2014, 09:57:10 AM
You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.


Title: Re: bitcoin core updated to 0.9.1
Post by: roslinpl on April 09, 2014, 10:11:56 AM
You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.

this is true. And 0.9.0 not final at all :)

And perhaps there will be always some issue to solve ...
OpenSource.


Title: Re: bitcoin core updated to 0.9.1
Post by: S4VV4S on April 09, 2014, 10:26:26 AM
So if someone DIDN'T click on a bitcoin link using 0.9.0 they are safe right?


Title: Re: bitcoin core updated to 0.9.1
Post by: binaryFate on April 09, 2014, 11:18:49 AM
Good news that chrome and firefox are not affected.

Can you pls explain how can I be/was safe using FF connecting to "compromised OpenSSL www".
ty - I am not much expert in that - maybe some link, ty


The vulnerability is in the openssl library, that may be used by your browser among other things. But apparently firefox is using a different module for SSL capabilities, and not the openssl implementation, so it is not affected.
If a server was using that particular weak version of the openssl library, then anybody could dump data from that server, but not the other way around.

This is on the level of "browser not technically affected", however on the level of "user being safe" as you mention, things are less good: if a server was vulnerable, then the attacker could maybe use the weakness to take further control of the server (or impersonate it using its certificate), putting you at risk when you are doing your usual activity with what you believe is the usual friendly https server you have always talked to...


Title: Re: bitcoin core updated to 0.9.1
Post by: DannyHamilton on April 09, 2014, 01:35:32 PM
You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?"

FINAL means the final 0.9.0.  Any change that comes after that will go into 0.9.1.


Title: Re: bitcoin core updated to 0.9.1
Post by: Fixx on April 09, 2014, 05:31:58 PM
Where is Wallet.dat placed in Bitcoin 0.9.x ver for Windows x64 ?


Title: Re: bitcoin core updated to 0.9.1
Post by: bitcoinforhelp on April 09, 2014, 05:33:48 PM
i won't change, i feel secure :), less secure would be changing them


Title: Re: bitcoin core updated to 0.9.1
Post by: DeathAndTaxes on April 09, 2014, 06:09:18 PM
You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.

Final on any version of Bitcoin simply distinguished between that and the release candidate.

i.e. 0.9.0 RC1, 0.9.0 RC2, <insert as many Release Candidates as necessary to resolve outstanding issues>,  0.9.0 Final.

Version 0.9 is final; it will never be updated.  Case in point: the next release was v0.9.1


Title: Re: bitcoin core updated to 0.9.1
Post by: DeathAndTaxes on April 09, 2014, 06:10:19 PM
Where is Wallet.dat placed in Bitcoin 0.9.x ver for Windows x64 ?

Same place as all prior versions
https://en.bitcoin.it/wiki/Data_directory




Title: Re: bitcoin core updated to 0.9.1
Post by: Altoidnerd on April 12, 2014, 04:59:22 AM
Even if an attacker obtained my wallet.dat, if it is encrypted with a long password, is it safe to say the stolen wallet is, for the time being, useless to the attacker?



Title: Re: bitcoin core updated to 0.9.1
Post by: binaryFate on April 12, 2014, 01:02:30 PM
Even if an attacker obtained my wallet.dat, if it is encrypted with a long password, is it safe to say the stolen wallet is, for the time being, useless to the attacker?



Yes it is useless to the attacker.
But in a worst case scenario with the Heartbleed bug, however, if you just recently sent coin and therefore unlocked your wallet, the private keys might be in memory and leaked to the attacker. This is just theoretical, in practice probably very unlikely.