Electrum 4.7.2 released

[cygan]

version 4.7.2 has just been released few days ago!
this version comes with several new changes and many bug fixes like this ones eg:

• changed: set restrictive unix umask application-wide by default
• fix: failing assert for wallets with old (2023) still unpaid ln payment requests
• fix: submarine swap providers window loses track of swap providers if opened for too long

you can read the complete changelog on the following github-link: https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES
and the version can be downloaded here: https://electrum.org/#download

[nc50lc]

That's new.
I mean your usual new version report is too late this time ;D

IDK why they've added this update in particular:

* QML GUI & Android:
   - changed: wizard: make trustedcoin 2fa secret copyable, open 2fa app for user (#10543)

This changes two things:

  [1] Makes the otp secret copy on click, so the user can tap on the secret and it gets copied to the clipboard.
  [2] If the user clicks on the qr it will automatically open their 2fa app with the secret, this is much more user friendly.

Using the same phone as 2FA device doesn't make sense (security-wise) aside from adding more workflow to open the wallet.
Even with different passwords (Electrum and 2FA App), if the device is key-logged, both of those passwords will be known.
But it's already a feature so, good(luck) for those who use that kind of 2fa wallet setup.

[NotATether]

Even with different passwords (Electrum and 2FA App), if the device is key-logged, both of those passwords will be known.

Which is significantly more likely to happen on old obsolete Android phones that have all sorts of unpatched vulnerabilities. Most people don't update their Android phones ever. At least with old Linux desktops or iPhones (not Windows or Mac devices), the barrier to entry for hackers is much higher.

[DireWolfM14]

Using the same phone as 2FA device doesn't make sense (security-wise) aside from adding more workflow to open the wallet.
Even with different passwords (Electrum and 2FA App), if the device is key-logged, both of those passwords will be known.
But it's already a feature so, good(luck) for those who use that kind of 2fa wallet setup.

I feel the whole TrustedCoin 2fa set up is  geared for newbies, so trying to make a bit more user friendly is understandable.  Once someone is aware enough to understand that a second device for 2fa is more appropriate, they'll likely have learned that a TrustedCoin enabled wallet is nothing more than a multi-sig wallet which they can set up on their own without the fees.  That was my learning curve when I was a newbie, so that might just be me projecting my own experience in regards to the subject.

@cygan,
What's with the delay?  Who authorized a vacation request?  

[fullfitlarry]

Just to let everyone knows,



https://x.com/ElectrumWallet/status/2049500846014992672

First bug (race bypass)
User configures daily_limit_sat=1000.
Malicious NWC client prepares two 1000-sat invoices.
Malicious NWC client sends two pay_invoice requests concurrently on the same connection.
Both may pass budget_allows_spend() before either call to add_to_budget(), resulting in 2000 sat total spend.

Second bug (msat truncation bypass)
User creates an NWC connection with a small limit, e.g. daily_limit_sat=1.
Pay a zero-amount invoice via NWC using amount=1999 (msat).
Budget logic accounts invoice.get_amount_sat() as 1 sat, while spend is 1.999 sat.
Repeating this exceeds intended sat-limit policy.

https://github.com/spesmilo/electrum/security/advisories/GHSA-q7m2-785w-r585

[Forsyth Jones]

Just to let everyone knows,



https://x.com/ElectrumWallet/status/2049500846014992672
...

https://github.com/spesmilo/electrum/security/advisories/GHSA-q7m2-785w-r585

Well, there are 2 vulnerabilities, one with a low risk rating and the other with a moderate risk rating.

I found the article very technical, but both are related to third-party plugins, which had vulnerabilities from version 4.6.0 (when the feature to add third-party plugins was added) to v4.7.1, the v4.7.2 fixes these vulnerabilities.

It seems we should wait a little longer before using third-party plugins. 

https://github.com/spesmilo/electrum/security/advisories/GHSA-q7m2-785w-r585 - low

https://github.com/spesmilo/electrum/security/advisories/GHSA-vw94-r84p-66qf - moderate

[nc50lc]

It seems we should wait a little longer before using third-party plugins.  :P

It's still quite safe IMO.
Those security issues aren't marked "high" because it requires the machine to have a malware/virus to begin with.

And in that case, the owner has more pressing issues other than those vulnerabilities in Electrum's 3rd-party/pre-installed plugin feature.

Just don't run Electrum on a compromised system and it should be fine.
Easier said than done though.

[NotATether]

If you are having issues installing the newer Electrum releases from source, the following should fix the problem:

Code:

python -m pip install --upgrade pip setuptools wheel

Specifically, this is the fix for two packages electrum-ecc and electrum-aionostr which are dependencies of Electrum and use a newer project metadata directive in pyproject.toml, which is not supported by older setuptools <77.0 and leads to the package names being seen as Unknown and version numbers as 0.0.

[nc50lc]

-snip- which is not supported by older setuptools <77.0

Basically, for users who installed setuptools via python pip on March last year and haven't been updated it since.

To others:
Those who have installed using the pre-built binaries aren't affected by this.
For those who've followed the "Installation from Python sources" instructions in the official download page, the first command in "Install with PIP" should update it.
I haven't got any issue following those instructions, at least on Ubuntu 22.04.

[Forsyth Jones]

If you are having issues installing the newer Electrum releases from source, the following should fix the problem:

Code:

python -m pip install --upgrade pip setuptools wheel

Specifically, this is the fix for two packages electrum-ecc and electrum-aionostr which are dependencies of Electrum and use a newer project metadata directive in pyproject.toml, which is not supported by older setuptools <77.0 and leads to the package names being seen as Unknown and version numbers as 0.0.

DireWolfM14 and I really racked our brains on it, but it finally seems to be resolved (mostly due to his merit), and his guide about installing Electrum via Python is now 100% updated. I remember it being quite a hassle for me. I think it's worth giving this guide an honorable mention.

Python installation of Electrum on latest Linux kernel