|
GermanGiant
|
|
October 12, 2015, 05:47:07 PM |
|
Does it affect any other wallet or only core ?
|
|
|
|
unamis76
Legendary
Offline
Activity: 1512
Merit: 1012
|
|
October 12, 2015, 05:57:06 PM |
|
Thanks for the heads up... Why will there be a new 0.10 release?
|
|
|
|
krb91
Member
Offline
Activity: 254
Merit: 10
Streamies Rocks!!!!
|
|
October 12, 2015, 06:24:49 PM |
|
Does it affect any other wallet or only core ?
I'm not sure, there is a reddit thread about it, and someone might use it to eventually explain if any other wallets besides core are vulnerable. At the moment the thread only gives the same advice as bitcoin.org, which I quoted. It's only for core, so the vulnerability probably doesn't affect other wallets. I don't understand UPNP well enough to say for certain.
https://www.reddit.com/r/Bitcoin/comments/3ogg0t/bitcoinorg_vulnerability_in_upnp_library_used_by/
Either
- turn off the checkbox in the GUI under Options → Network → Map port using UPNP
- add the line upnp=0 to your bitcoin.conf file
- add -upnp=0 to the command line options
|
|
|
|
Amph
Legendary
Offline
Activity: 3248
Merit: 1070
|
|
October 12, 2015, 06:45:17 PM |
|
what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing
also i don't use a config at all for core...
|
|
|
|
achow101
Staff
Legendary
Offline
Activity: 3570
Merit: 6927
Just writing some code
|
|
October 12, 2015, 06:58:56 PM |
|
what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing
also i don't use a config at all for core...
For the daemon if you don't use core.
|
|
|
|
krb91
Member
Offline
Activity: 254
Merit: 10
Streamies Rocks!!!!
|
|
October 12, 2015, 06:59:56 PM |
|
what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing
also i don't use a config at all for core...
I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet; if you built your wallet yourself it should have UPnP disabled by default.
|
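An added example (not part of any post above and not Bitcoin Core code): a check that the upnp=0 / -upnp=0 workaround quoted in the thread is actually in effect for a given bitcoin.conf and command line. It assumes command-line options take precedence over bitcoin.conf, counts only the literal value 0 (or the -noupnp negation form) as disabled, and cannot see the GUI checkbox; the function names and the sample file are constructed for illustration.

```python
def conf_upnp_values(conf_text):
    """Return every active (uncommented) upnp value in bitcoin.conf text."""
    values = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "upnp":
            values.append(value.strip())
    return values


def cli_upnp_values(argv):
    """Return every upnp value given on a bitcoind/bitcoin-qt command line."""
    values = []
    for arg in argv:
        if not arg.startswith("-"):
            continue
        name, sep, value = arg.lstrip("-").partition("=")
        if name == "upnp":
            values.append(value if sep else "1")  # bare -upnp switches it on
        elif name == "noupnp":
            # -noupnp is the negated form; -noupnp=<x> is left unconfirmed
            values.append("0" if not sep else "unconfirmed")
    return values


def upnp_status(conf_text="", argv=()):
    """Classify as 'disabled', 'not-disabled', 'conflict' or 'unset'.

    'unset' means the build default applies, which the thread says is
    UPnP enabled for downloaded binaries. The GUI checkbox is not checked.
    """
    # Assumption: the command line, when it sets upnp, overrides the file.
    for source in (cli_upnp_values(argv), conf_upnp_values(conf_text)):
        if not source:
            continue
        verdicts = {value == "0" for value in source}
        if verdicts == {True}:
            return "disabled"
        if verdicts == {False}:
            return "not-disabled"
        return "conflict"                        # mixed values: fix the config
    return "unset"


# Constructed sample bitcoin.conf, not taken from the thread.
SAMPLE_CONF = "server=1\n#upnp=0\nupnp=0   # workaround from the thread\n"

if __name__ == "__main__":
    print(upnp_status(SAMPLE_CONF))                         # file only
    print(upnp_status(SAMPLE_CONF, ["bitcoind", "-upnp=1"]))  # CLI override
```
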
|
|
|
saturn643
|
|
October 12, 2015, 07:10:25 PM |
|
The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.
Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?
|
|
|
|
Amph
Legendary
Offline
Activity: 3248
Merit: 1070
|
|
October 12, 2015, 08:38:39 PM |
|
what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing
also i don't use a config at all for core...
I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet; if you built your wallet yourself it should have UPnP disabled by default.
there is no 0.11.1 apparently, i found that they are at rc2 for this version, on a shady website, or at least it seems so...
|
|
|
|
achow101
Staff
Legendary
Offline
Activity: 3570
Merit: 6927
Just writing some code
|
|
October 12, 2015, 08:47:15 PM |
|
what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing
also i don't use a config at all for core...
I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet; if you built your wallet yourself it should have UPnP disabled by default.
there is no 0.11.1 apparently, i found that they are at rc2 for this version, on a shady website, or at least it seems so...
Neither of them have been released yet. They are still in the release candidate stage.
0.11.1rc2 is officially available at https://bitcoin.org/bin/bitcoin-core-0.11.1/test/
0.10.3rc2 is officially available at https://bitcoin.org/bin/bitcoin-core-0.10.3/test/
|
|
|
|
coinpr0n
|
|
October 12, 2015, 09:14:16 PM |
|
The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.
Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?
Please remember that these are volunteer developers. They may have only just realized the problem was out there or they were waiting to have a patch ready before bringing it to the attention of the public.
|
|
|
|
shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1540
No I don't escrow anymore.
|
|
October 13, 2015, 05:41:32 AM Last edit: October 13, 2015, 09:33:19 AM by shorena |
|
The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.
Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?
Please remember that these are volunteer developers. They may have only just realized the problem was out there or they were waiting to have a patch ready before bringing it to the attention of the public.
I have no source, but I read about the issue on twitter way before this was on bitcoin.org or posted here (twice now?).
Found the source, 3 days old: https://twitter.com/gavinandresen/status/652462681442648065
|
I'm not really here, it's just your imagination.
|
|
|
Melds
Full Member
Offline
Activity: 205
Merit: 100
Investor / Trader / Analyst
|
|
October 13, 2015, 07:06:36 AM |
|
What are the potential repercussions of this flaw? I'm slightly worried..
|
|
|
|
OmegaStarScream (OP)
Staff
Legendary
Offline
Activity: 3696
Merit: 6539
|
|
October 13, 2015, 07:43:41 AM |
|
Does it affect any other wallet or only core ?
I suppose it affects the others because the other SPV wallets use the same versions of Bitcoin Core as we do, yes? Correct me if I am wrong!
|
|
|
|
shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1540
No I don't escrow anymore.
|
|
October 13, 2015, 09:33:59 AM |
|
Does it affect any other wallet or only core ?
I suppose it affects the others because the other SPV wallets use the same versions of Bitcoin Core as we do, yes? Correct me if I am wrong!
SPV wallets are not affected, they just request data from full nodes.
|
I'm not really here, it's just your imagination.
|
|
|
christycalhoun
|
|
October 13, 2015, 10:25:18 AM |
|
Will this affect 3rd party clients as well or is this just a problem with the official bitcoin-qt client?
|
|
|
|
OmegaStarScream (OP)
Staff
Legendary
Offline
Activity: 3696
Merit: 6539
|
|
October 13, 2015, 10:34:57 AM |
|
Will this affect 3rd party clients as well or is this just a problem with the official bitcoin-qt client?
You must be kidding xD look at the above reply (shorena replied to me)
|
|
|
|
NeuroticFish
Legendary
Offline
Activity: 3892
Merit: 6623
Looking for campaign manager? Contact icopress!
|
|
October 13, 2015, 10:58:31 AM |
|
A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.
So the local network has to be compromised first. And if the local network is compromised, you can be in big trouble even without this vulnerability. I hope that I understood it right.
|
|
|
|
okae
Legendary
Offline
Activity: 1401
Merit: 1008
northern exposure
|
|
October 13, 2015, 11:11:28 AM |
|
so if I'm not wrong, for users who are using the core, we just need to do it:
- turn off the checkbox in the GUI under Options → Network → Map port using UPNP (see above)
and don't forget to update our core client when they release a new version with the fix included
|
|
|
|
Lauda
Legendary
Offline
Activity: 2674
Merit: 3000
Terminated.
|
|
October 13, 2015, 11:21:11 AM |
|
This is not a huge deal at the moment since the issue was quickly identified which is good (and because the workaround is easy). I also think that we should change the: News: Latest stable version of Bitcoin Core: 0.11.0 [Torrent]
to include some sort of heads up related to this issue. Let's hope that the next version gets released very quickly.
|
"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" 😼 Bitcoin Core ( onion)
|
|
|
|