Bitcoin Forum
Author Topic: TLS heartbeat read overrun (CVE-2014-0160)  (Read 1178 times)
Sonny (OP)
Hero Member
April 08, 2014, 09:18:41 AM
#1

IIRC, bitcoin-qt uses OpenSSL 1.0.1e.

https://www.openssl.org/news/secadv_20140407.txt
Quote
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.

How does this bug affect us?
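The over-read the advisory describes, as an added example that is not part of the original post or of OpenSSL's source: a simplified heartbeat handler in C with the missing bounds check beside the fixed form. The record layout (1-byte type, 2-byte big-endian length, payload, 16 bytes of padding) follows the heartbeat extension; the `SECRET` string and the fixed-size `g_mem` array standing in for process memory are constructed for the simulation so the over-read stays well-defined. In a real process the copy runs into whatever the heap happened to hold next to the record.

```c
/* Simplified model of CVE-2014-0160 (Heartbleed). A heartbeat request carries
 * a 16-bit payload length that the peer is supposed to echo back. The
 * vulnerable handler copies that many bytes from the request without checking
 * that the record actually contains them, so it reads past the record's end.
 * Stand-alone simulation, not OpenSSL's code: "process memory" is g_mem. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 1 + 2 };

#define MEM_SIZE 512
/* Constructed stand-in for whatever sits next to the record in memory. */
static const char SECRET[] = "constructed secret: session cookie 4f2a";
static unsigned char g_mem[MEM_SIZE];

/* Write a heartbeat request at the start of g_mem with an arbitrary claimed
 * length, then place SECRET right after the real record. Returns the real
 * record length, i.e. what the TLS record layer would report. */
static size_t build_record(uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    size_t reclen = HB_HDR + plen + HB_PADDING;
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed_len >> 8);   /* s2n: big-endian */
    g_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_mem + HB_HDR, payload, plen);
    memcpy(g_mem + reclen, SECRET, sizeof SECRET);
    return reclen;
}

/* Shared tail: build the response once the payload length is trusted.
 * Returns the response length. */
static int emit_response(const unsigned char *payload_start, uint16_t payload,
                         unsigned char *out)
{
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HDR, payload_start, payload);   /* the dangerous copy */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)(HB_HDR + payload + HB_PADDING);
}

/* Vulnerable handler: the claimed length is used as-is and reclen is never
 * consulted, which is the missing bounds check the advisory describes. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t reclen,
                                unsigned char *out)
{
    (void)reclen;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* n2s */
    return emit_response(rec + HB_HDR, payload, out);
}

/* Fixed handler: silently discard the request unless the record is long
 * enough to hold header + claimed payload + minimum padding. Same shape as
 * the check added in 1.0.1g: 1 + 2 + payload + 16 > record length. */
static int heartbeat_fixed(const unsigned char *rec, size_t reclen,
                           unsigned char *out)
{
    if (reclen < HB_HDR + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PADDING > reclen) return -1;
    return emit_response(rec + HB_HDR, payload, out);
}

/* Does buf[0..n) contain SECRET? */
static int contains_secret(const unsigned char *buf, int n)
{
    size_t slen = strlen(SECRET);
    if (n < 0) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Attacker claims 200 bytes but sends a 2-byte payload: the vulnerable
 * handler echoes 200 bytes, including the secret placed after the record. */
int vulnerable_leaks_secret(void)
{
    unsigned char resp[MEM_SIZE];
    size_t reclen = build_record(200, "hi");
    int n = heartbeat_vulnerable(g_mem, reclen, resp);
    return contains_secret(resp, n);
}

int fixed_drops_overlong_request(void)
{
    unsigned char resp[MEM_SIZE];
    size_t reclen = build_record(200, "hi");
    return heartbeat_fixed(g_mem, reclen, resp) == -1;
}

/* Honest request: claimed length matches the payload, so the fixed handler
 * answers it and the response carries nothing beyond the record. */
int fixed_answers_honest_request(void)
{
    unsigned char resp[MEM_SIZE];
    size_t reclen = build_record(2, "hi");
    int n = heartbeat_fixed(g_mem, reclen, resp);
    return n == HB_HDR + 2 + HB_PADDING && memcmp(resp + HB_HDR, "hi", 2) == 0
           && !contains_secret(resp, n);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops overlong request: %d\n", fixed_drops_overlong_request());
    printf("fixed handler answers honest request: %d\n", fixed_answers_honest_request());
    return 0;
}
```

The claimed length is a 16-bit field, which is where the advisory's "up to 64k" comes from; the simulation keeps it at 200 so the read stays inside `g_mem`. Note that the check lives entirely on the receiving side: a client that speaks to a malicious server is exposed in exactly the same way as a server taking requests from a malicious client, which is why the payment-protocol fetch discussed later in the thread matters for a wallet that only ever acts as a TLS client.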
notbatman
Legendary
April 08, 2014, 11:26:47 AM
#2

Cold storage of keys FTW?
wumpus
Hero Member
April 08, 2014, 11:32:52 AM
#3

Michagogo worded it very well here:
http://www.reddit.com/r/Bitcoin/comments/22i9t1/psa_regarding_the_heartbleed_bug_cve20140160_and/

Quote
There are exactly two places in Bitcoin Core that may be affected by this issue.

One is RPC SSL. If you're using this, turn it off. If you don't know what that is, you most likely aren't using it.

The other is the payment protocol. Specifically, fetching payment requests. If you're using a vulnerable version, do not click any bitcoin: links and you will be protected. Note that this is only relevant for the GUI, and only for version 0.9.0.

If you're using self-built executables, you're most likely using dynamically linked OpenSSL. Simply upgrade your OpenSSL package and you should be fine. If I'm not mistaken, the same applies if you're using the PPA. If you're using release binaries, a version 0.9.1 is being prepared that will use the fixed OpenSSL 1.0.1g.

Note that if you're running the GUI (p.k.a. Bitcoin-Qt) you can check your OpenSSL version in the debug window's information tab. If you're on anything earlier than 1.0.1, for example 0.9.8, you're safe. If you're on 1.0.1g or later, you're safe. If you're on 1.0.1-1.0.1e, you may be vulnerable. However, that may not necessarily be the case -- for example, Debian has released an update for Wheezy, version 1.0.1e-2+deb7u5, which fixes the security bug without bumping the version number as reported by OpenSSL.


Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
NeonFlash
Full Member
April 08, 2014, 11:38:24 AM
#4

Could someone explain this in more detail?

Quote
"If you're using a vulnerable version, do not click any bitcoin: links and you will be protected"

What exactly is meant by this? I am using Bitcoin-Qt on Windows with OpenSSL 1.0.1e (so, it is vulnerable according to the link above).
wumpus
Hero Member
April 08, 2014, 11:39:46 AM
#5

Exactly as it says: don't click any bitcoin payment links.
If you want to pay, copy the address and amount manually (until you can upgrade to 0.9.1).

NeonFlash
Full Member
April 08, 2014, 11:49:15 AM
#6

@wumpus: I am a bit confused about Bitcoin links. Where do they appear?

I am unable to see them in the Bitcoin-Qt client. Under which tab? Send/Receive/Transactions?

Or are you referring to something like this:

https://coinbase.com/docs/merchant_tools/payment_buttons
Sonny (OP)
Hero Member
April 08, 2014, 06:41:27 PM
#7

Thanks wumpus for the link. It is really helpful.

BTW, it seems we will have 0.9.1 very soon.

https://twitter.com/gavinandresen/status/453574888587268096
Quote
Expect a 0.9.1 Bitcoin Core release soon, linked against openssl 1.0.1g, because #heartbleed
kokojie
Legendary
April 08, 2014, 06:55:28 PM
#8

question: When I'm online, my browser is always using a SSH tunnel as proxy (it's connected to a VPS which I own). Am I still affected by this OpenSSL thing?

bitpop
Legendary
April 08, 2014, 08:05:23 PM
#9

Quote
question: When I'm online, my browser is always using a SSH tunnel as proxy (it's connected to a VPS which I own). Am I still affected by this OpenSSL thing?

Yes, they hit the site you're connected to.

awesomeami
Member
April 08, 2014, 11:03:03 PM
#10

Very dangerous
UPDATE NOW!
https://bitcointalk.org/index.php?topic=562388.msg6132453#msg6132453

And change all your passwords in all your accounts (gmail, banking, FB)
https://bitcointalk.org/index.php?topic=562388.msg6132859#msg6132859
