buksan
February 26, 2020, 09:23:42 AM
An important security update is released. It fixes two serious vulnerabilities discovered and reported to us by security researcher pearl:

* text messages in chat were incorrectly handled which allowed attackers to execute arbitrary code on victim's wallet. An attacker could supply arbitrary code in angularjs {{}} expressions and the victim's wallet would evaluate it. The attack vector could be used to steal the private keys. The vulnerability existed in all versions of Obyte wallet since the first release in 2016. However, to exploit the vulnerability, an attacker needs to first trick the victim to pair with the attacker's wallet or chatbot. Users who had their wallets protected with a good password and seed words deleted were better protected against such an attack. We have no reports of this vulnerability being actually exploited. The fix makes sure that user input is always treated as text and never evaluated.
* restore from full backup function allowed file paths with directory traversal (../) characters in backup archive, which could enable an attacker to overwrite important user files, such as .bashrc on Linux. The vulnerability existed in all versions of Obyte wallet since restore from full backup was introduced in mid 2017. However, to exploit the vulnerability, an attacker needs to first trick the victim to restore from a maliciously crafted backup file. We have no reports of this vulnerability being actually exploited. The fix checks for directory traversal characters in file paths in the backup archive and ignores such files.

Since the two vulnerabilities are now publicly disclosed and each can be used to inflict serious damage to Obyte users who are not aware of them yet, the hub at obyte.org will refuse connections from non-upgraded wallets to keep them safe. All known operators of other hubs have been notified and recommended to apply the same policy.
Only GUI wallets are affected by the vulnerabilities and the upgrade is mandatory for them, headless nodes (wallets, hubs, relays) are not affected.
Please upgrade https://github.com/byteball/obyte-gui-wallet/releases

After updating, when I try to add a new chat bot, I see this error: An exception occurred: TypeError: Cannot read property 'replace' of undefined; cause: undefined
I tried to create a new wallet and I can not add any chat bot for the same error.
PS Win64/32
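The second fix described in the announcement quoted above (check backup archive entries for directory traversal and ignore such files) can be illustrated as follows. This is an added example, not code from the Obyte wallet; the function names `safeEntryPath` and `filterBackupEntries` and the sample entry names are assumptions constructed for illustration.

```javascript
// Added example (not Obyte's code): validate entry names from a backup
// archive before extraction and ignore any that could escape the target dir.

// Returns a normalized relative path ("a/b/c"), or null if the entry is unsafe.
function safeEntryPath(entryName) {
  if (typeof entryName !== 'string' || entryName.length === 0) return null;
  if (entryName.includes('\0')) return null;        // embedded NUL byte
  // Treat both separators alike: an archive built on one OS may be
  // restored on another, and Windows accepts either separator.
  const unified = entryName.replace(/\\/g, '/');
  if (unified.startsWith('/')) return null;          // absolute or UNC path
  if (/^[A-Za-z]:/.test(unified)) return null;       // drive-letter path
  const parts = [];
  for (const seg of unified.split('/')) {
    if (seg === '' || seg === '.') continue;         // "a//b", "./a"
    if (seg === '..') return null;                   // any traversal segment
    parts.push(seg);
  }
  return parts.length ? parts.join('/') : null;
}

// Splits archive entries into those safe to write and those to skip,
// mirroring the described behaviour of ignoring offending files.
function filterBackupEntries(entryNames) {
  const accepted = [];
  const ignored = [];
  for (const name of entryNames) {
    const clean = safeEntryPath(name);
    if (clean === null) ignored.push(name);
    else accepted.push(clean);
  }
  return { accepted, ignored };
}

// Constructed sample: entry names as they could appear in a backup archive.
const sampleEntries = [
  'conf.json',
  'data/wallet.sqlite',
  './notes.txt',
  '../../.bashrc',
  'data/../../.bashrc',
  '..\\..\\AppData\\startup.bat',
  '/etc/cron.d/job',
  'C:\\Windows\\win.ini',
];
const result = filterBackupEntries(sampleEntries);
console.log(result);
```

As defence in depth, an extractor can additionally resolve each accepted path against the restore directory and confirm the result still lies inside it before writing.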

tarmo888
February 26, 2020, 09:42:43 AM
After updating, when I try to add a new chat bot, I see this error: An exception occurred: TypeError: Cannot read property 'replace' of undefined; cause: undefined
I tried to create a new wallet and I can not add any chat bot for the same error.
PS Win64/32
while that gets fixed, you can add bots through that page https://obyte.io/bots

buksan
February 27, 2020, 06:28:26 AM
After updating, when I try to add a new chat bot, I see this error: An exception occurred: TypeError: Cannot read property 'replace' of undefined; cause: undefined
I tried to create a new wallet and I can not add any chat bot for the same error.
PS Win64/32
while that gets fixed, you can add bots through that page https://obyte.io/bots
Thanks. The message signature does not work yet. Writes an error: wrong signature.

tonych (OP)
February 27, 2020, 03:24:23 PM
Thanks. The message signature does not work yet. Writes an error: wrong signature.
Which bot is that?
Simplicity is beauty

buksan
February 27, 2020, 04:06:06 PM
Thanks. The message signature does not work yet. Writes an error: wrong signature.
Which bot is that?
At first I couldn't sign my address in Draw Airdrop with message: unknown fields. But then I found out that signing your address is impossible in any bot now.

tonych (OP)
February 27, 2020, 04:29:25 PM
Thanks. The message signature does not work yet. Writes an error: wrong signature.
Which bot is that?
At first I couldn't sign my address in Draw Airdrop with message: unknown fields. But then I found out that signing your address is impossible in any bot now.
Draw bot has not been upgraded yet but the draw is suspended anyway. What other bots did you try?

buksan
February 28, 2020, 05:19:22 PM
Thanks. The message signature does not work yet. Writes an error: wrong signature.
Which bot is that?
At first I couldn't sign my address in Draw Airdrop with message: unknown fields. But then I found out that signing your address is impossible in any bot now.
Draw bot has not been upgraded yet but the draw is suspended anyway. What other bots did you try?
Signing an address isn't possible in real name attestation bot. wrong signature

tonych (OP)
February 28, 2020, 05:48:07 PM
Thanks. The message signature does not work yet. Writes an error: wrong signature.
Which bot is that?
At first I couldn't sign my address in Draw Airdrop with message: unknown fields. But then I found out that signing your address is impossible in any bot now.
Draw bot has not been upgraded yet but the draw is suspended anyway. What other bots did you try?
Signing an address isn't possible in real name attestation bot. wrong signature
Works for me. The bot was updated last night though, signing didn't work yesterday when it was on the old version.

USBitcoinServices.Com
February 29, 2020, 01:22:56 AM
I haven't been active on this thread and still have version 2.7.2. Do I have to get a newer version?

tarmo888
February 29, 2020, 02:36:39 AM
I haven't been active on this thread and still have version 2.7.2. Do I have to get a newer version?
Yes, the old versions don't work anymore because there were vulnerabilities discovered in them. Also, the network will activate Autonomous Agents any time now, which requires the latest wallet version.

tonych (OP)
March 05, 2020, 10:25:24 PM
Another security update v3.0.2 that fixes several serious vulnerabilities (again discovered and reported to us by security researcher pearl). The update is mandatory for all nodes.
Other bugfixes and improvements in this release:
* Fixed a bug that crashed the wallet when trying to view bots or smart contract definition
* Fixed a bug that crashed wallets on Windows if username contains non-latin characters
* Restored the display of dollar amounts when sending funds, it was lost in the previous release due to merge error
* Mac app is now notarized by Apple which allows it to be installed on macOS Catalina
* Other minor bugfixes
https://github.com/byteball/obyte-gui-wallet/releases

DaveF
March 08, 2020, 07:29:48 PM
I installed the 3.0.2 and it goes to updating the database, please wait. It will take several hours please be patient. then when the OK pops and you click it the app closes.
Windows10 64 bit if that matters.
-Dave

aigeezer
March 08, 2020, 07:42:04 PM
I installed the 3.0.2 and it goes to updating the database, please wait. It will take several hours please be patient. then when the OK pops and you click it the app closes.
Windows10 64 bit if that matters.
-Dave
I had the same issue, but it eventually synced after multiple restarts. Also Win10 64.

DaveF
March 08, 2020, 07:57:51 PM
I installed the 3.0.2 and it goes to updating the database, please wait. It will take several hours please be patient. then when the OK pops and you click it the app closes.
Windows10 64 bit if that matters.
-Dave
I had the same issue, but it eventually synced after multiple restarts. Also Win10 64.
Client restarts or OS restarts or both? I am working on 5 or 6 times now of the client restart.
-Dave

aigeezer
March 08, 2020, 08:01:34 PM
Client restarts or OS restarts or both? I am working on 5 or 6 times now of the client restart.
-Dave
Client restarts. It went on for a couple of days iirc. Something - probably task manager - convinced me that it was making progress.

tarmo888
March 09, 2020, 06:07:47 PM
Client restarts or OS restarts or both? I am working on 5 or 6 times now of the client restart.
-Dave
Client restarts. It went on for a couple of days iirc. Something - probably task manager - convinced me that it was making progress.
Re-download and install the latest version again, there was a small fix to the binary, which fixes the issue for Windows full nodes. https://github.com/byteball/obyte-gui-wallet/releases

aigeezer
March 09, 2020, 08:01:09 PM
Thanks very much. It also fixes an error that had just started to appear for me: "ReadError: IO error: NewRandomAccessFile failed to Create/Open: rocksdb/". Memo to self - after dodging that kind of bullet it really is time to make a new backup!

tarmo888
March 09, 2020, 08:35:18 PM
Thanks very much. It also fixes an error that had just started to appear for me: "ReadError: IO error: NewRandomAccessFile failed to Create/Open: rocksdb/". Memo to self - after dodging that kind of bullet it really is time to make a new backup!
A new backup should be done regularly, especially when some private data changes (added new attestation profile, sent/received private assets like blackbytes, added multi-sig wallet or got a new smart-wallet/sub-wallet). Continuous cloud backup too is a planned feature.

ewibit
March 10, 2020, 02:19:14 AM
Continuous cloud backup too is a planned feature.
don't want a cloud, only want a simple easy local one!!!!

tarmo888
March 10, 2020, 03:09:45 AM
Continuous cloud backup too is a planned feature.
don't want a cloud, only want a simple easy local one!!!!
Cloud is great if the backup is encrypted with passphrase.