Bitcoin Forum
Author Topic: A critical bug was discovered in lib ssl, Bitcoin affected  (Read 1796 times)
virtualmaster (OP)
April 08, 2014, 05:00:36 PM
 #1

Quote
Comment by Mempo security team:

This bug's implications seem to be that an attacker could potentially read any memory of affected programs and compromise all the data,
including all secrets, passwords, private keys, bitcoin private keys (!), IRC logins and so on.

We recommend that users should turn off the affected applications,
upgrade the system to version that fixes this issue,
and consider all accounts compromised.

In case of crypto-currencies like bitcoin, users probably would like to move their savings to freshly generated addresses.
Warning:
0. SSL seems to be used only in RPC/API, not for p2p communication with other nodes, so it would not be trivial to exploit this problem to attack any/all nodes over the Internet.
1. Do not panic (do not lose money by sending to wrong address in a hurry), first prepare, make backups of old and new wallets/addresses.
2. Bitcoin pre-generates pool of spare private-keys (addresses). You should take care to generate actually new keys. One might want to start with a fresh new wallet.
Be sure to not lose any money by moving or deleting wallets in a hurry.
3. While moving more than 1 address, be mindful of possible correlation privacy leaks:
3.a. When sending money from account A to account X (X being in a new wallet or freshly generated), bitcoind (and other wallets perhaps?)
could sometimes take money from another account B if you sent the full amount but money was missing to pay the txfee; this will result in A-B address correlation.
3.b. Timing attack: if you move your 5-10 addresses at once it's likely they are owned by the same person.
4. In conclusion it could be best to move now the biggest account, and later carefully recycle all other savings.
5. If you already published old address e.g. for donations or trade or pools or as payout address elsewhere, remember to keep the old wallet just in case.

Affected programs:
* bitcoind
* other bitcoind-based programs
* irssi
* xchat
* probably others
http://mempo.org/memposec/issue2.html
http://www.reddit.com/r/Bitcoin/comments/22gquw/psa_vuln_in_libssl_allows_to_read_64kb_of/

Calendars for free to print: 2014 Calendar in JPG | 2014 Calendar in PDF Protect the Environment with Namecoin: 2014 Calendar in JPG | 2014 Calendar in PDF
Namecoinia.org  -  take the planet in your hands
BTC: 15KXVQv7UGtUoTe5VNWXT1bMz46MXuePba   |  NMC: NABFA31b3x7CvhKMxcipUqA3TnKsNfCC7S
virtualmaster (OP)
April 08, 2014, 05:06:12 PM
 #2

https://www.debian.org/security/2014/dsa-2896
Debian:
Current stable (wheezy) is vulnerable. Old stable (squeeze) is safe.

virtualmaster (OP)
April 08, 2014, 05:37:54 PM
 #3

Quote
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:

    Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
    Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
    CentOS 6.5, OpenSSL 1.0.1e-15
    Fedora 18, OpenSSL 1.0.1e-4
    OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
    FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
    NetBSD 5.0.2 (OpenSSL 1.0.1e)
    OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

    Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
    SUSE Linux Enterprise Server
    FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
    FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
    FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
Quote
How can OpenSSL be fixed?

Even though the actual code fix may appear trivial, the OpenSSL team is the expert in fixing it properly, so the latest fixed version 1.0.1g or newer should be used. If this is not possible, software developers can recompile OpenSSL with the handshake removed from the code by the compile-time option -DOPENSSL_NO_HEARTBEATS
Quote
Can I detect if someone has exploited this against me?

Exploitation of this bug leaves no traces of anything abnormal happening to the logs.
http://heartbleed.com/


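Added example, not from this thread or from heartbleed.com: a POSIX shell helper that classifies an `openssl version` banner against the affected range quoted above (1.0.1 through 1.0.1f vulnerable, 1.0.1g and later fixed, 0.9.8 and 1.0.0 not affected). The sample banners are constructed from the version strings quoted in the post; the caveat about backported vendor fixes is mine.

```sh
#!/bin/sh
# Added example, not from the thread or from heartbleed.com: classify an
# "openssl version" string against the CVE-2014-0160 affected range.
# Upstream: 1.0.1 through 1.0.1f carry the bug, 1.0.1g and later are fixed,
# and the 0.9.8 / 1.0.0 branches never shipped the TLS heartbeat code.
# Caveat: vendors often backport the fix without changing the upstream
# number (the Debian DSA linked in this thread patches 1.0.1e that way), so
# "vulnerable" here means "confirm against your vendor advisory".

# heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013"
# Prints one of: vulnerable, fixed, not-affected, unknown
heartbleed_status() {
    # Pre-release builds (e.g. 1.0.2-beta1) are not covered by the simple
    # letter comparison below; hand them off to the advisory.
    case "$1" in *-beta*) echo unknown; return 0 ;; esac

    # Pull the bare version token (e.g. "1.0.1e" from "OpenSSL 1.0.1e-fips ...").
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        '')                      echo unknown ;;       # not an OpenSSL banner
        0.9.8*|1.0.0*)           echo not-affected ;;  # no heartbeat code
        1.0.1|1.0.1[abcdef])     echo vulnerable ;;    # 1.0.1 .. 1.0.1f
        1.0.1*)                  echo fixed ;;         # 1.0.1g and later
        1.0.2*|1.1*|3.*)         echo fixed ;;         # later release lines
        *)                       echo unknown ;;
    esac
}

# Constructed sample banners, built from the version strings quoted in this thread.
for banner in 'OpenSSL 1.0.1e 11 Feb 2013' 'OpenSSL 1.0.1c 10 May 2012' \
              'OpenSSL 0.9.8y 5 Feb 2013' 'OpenSSL 1.0.1g 7 Apr 2014'; do
    printf '%-32s %s\n' "$banner" "$(heartbleed_status "$banner")"
done

# Check the OpenSSL actually installed on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    local_banner=$(openssl version)
    printf '%-32s %s\n' "local: $local_banner" "$(heartbleed_status "$local_banner")"
fi
```

A "vulnerable" verdict on a distro package is a prompt to read the vendor advisory, since the patched build may keep the same upstream version number.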
RodeoX
April 08, 2014, 05:43:34 PM
 #4

Thank you for bringing this to everyone's attention.

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf
Free bitcoin in ? - Stay tuned for this years Bitcoin hunt!
proudhon
April 08, 2014, 06:01:32 PM
 #5

All my coins are controlled by offline Armory keys that only reside on encrypted and offline systems.  Is there any reason for me to bother moving coins to new addresses?

Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
virtualmaster (OP)
April 08, 2014, 06:24:28 PM
 #6

Quote
All my coins are controlled by offline Armory keys that only reside on encrypted and offline systems.  Is there any reason for me to bother moving coins to new addresses?
If your Armory was never online then I think you should be secure. But if you have an OS which is affected and it was ever, or will be, connected online, then your private keys could be compromised (the past and the future ones).
More:
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
Tor services are also affected.
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

proudhon
April 08, 2014, 06:30:19 PM
 #7

Quote
All my coins are controlled by offline Armory keys that only reside on encrypted and offline systems.  Is there any reason for me to bother moving coins to new addresses?
If your Armory was never online then I think you should be secure. But if you have an OS which is affected and it was ever, or will be, connected online, then your private keys could be compromised (the past and the future ones).
More:
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
Tor services are also affected.
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

I'm probably ok, but I might as well destroy some days.

Meuh6879
April 08, 2014, 06:32:41 PM
 #8

https://www.virwox.com/ has already been in upgrade since the middle of the day for this fix ...

Quote
Please pardon the inconvenience. We work hard to keep this interruption of our service as short as possible.

Unfortunately we have discovered a potential vulnerability at one of our service providers.
We take security very seriously and have therefore suspended our service until the problem is fixed.