bitcoin core updated to 0.9.1

[awesomeami]

UPDATE:
Change ALL YOUR PASSWORDS on all your BTC-forums, casinos, exchanges, bettings websites ++ (internet) banking systems, gmail, FB, this forum, all httpS ...
(most paranoic - do it twice a day next 2 weeks - and don't forget them )


http://www.reddit.com/r/Bitcoin/comments/22jtxg/bitcoin_core_version_091_released/

Pls update https://bitcointalk.org/index.php?board=87.0 ty theymos nice & fast work

https://bitcointalk.org/index.php?topic=562409.msg6132778#msg6132778

A bug in OpenSSL, used by Bitcoin-Qt/Bitcoin Core, could allow your bitcoins to be stolen. Immediately updating Bitcoin Core to 0.9.1 is required in some cases, especially if you're using 0.9.0. Download.

https://bitcoin.org/bin/0.9.1/

https://bitcointalk.org/index.php?topic=561923.msg6128780#msg6128780
https://bitcointalk.org/index.php?topic=561923.msg6131049#msg6131049
https://bitcointalk.org/index.php?topic=561923.msg6131397#msg6131397

[1714138305]

1714138305

[1714138305]

1714138305

[1714138305]

1714138305

[roslinpl]

Yeah... I hope not many people have lost BTC because of that bug ...

Damn ... what to do, shit happens - good that reaction was quick and 0.9.1 is released.

[arcnorth]

Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case 

[Rampion]

I'm going to transfer all my bitcoin to an online account just in case 

I hope you are joking.

[DeathAndTaxes]

Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case  

Do you use SSL for remote RPC calls to your bitcoind daemon?  No.  Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT).  Forgot about the new payment protocol system.  Great timing on that one.

Switching to an online account would be foolish.  Shutdown your client if you are worried.  Don't statup it up again until you have upgraded.

[Rampion]

Do you use SSL for remote RPC calls to your bitcoind daemon?  No.  Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT). 

FYI:

If you are using the graphical version of 0.9.0 on any platform, you must update immediately. Download here. If you can't update immediately, shut down Bitcoin until you can. If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised. Carefully generate an entirely new wallet (not just a new address) and send all of your bitcoins there. Do not delete your old wallet.
- If you are using any other version of Bitcoin-Qt/Bitcoin Core, including bitcoind 0.9.0, you are vulnerable only if the rpcssl command-line option is set. If it is not, then no immediate action is required. If it is, and if an attacker could have possibly communicated with the RPC port, then you should consider your wallet to be compromised.

This vulnerability is caused by a critical bug in the OpenSSL library used by Bitcoin Core. Successfully attacking Bitcoin Core by means of this bug seems to be difficult in most cases, and it seems at this point that even successful attacks may be limited, but I recommend taking the above actions just in case.

If you are using a binary version of Bitcoin Core obtained from bitcoin.org or SourceForge, then updating your system's version of OpenSSL will not help. OpenSSL is packaged with the binary on all platforms.

Download 0.9.1
Announcement

Other software (including other wallet software) may also be affected by this bug. OpenSSL is extremely common.

[roslinpl]

Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case 

No worries too much. Problem is with Bitcoin-qt not with Multibit ...

And offline 3rd party wallets are not recommended to keep your BTCs  - online wallets are to keep reasonable amounts not all of your holdings...

Just do not worry as you are multibit user.
Just make sure your computer is behind a firewall, your router is behind a firewall, you can install some additional fire wall, and antivirus, and spybot remover and just keep all safety steps in mind. E-mails, phishing web sites, etc.

regards.

[awesomeami]

Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case  

Do you use SSL for remote RPC calls to your bitcoind daemon?  No.  Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT).  Forgot about the new payment protocol system.  Great timing on that one.

Switching to an online account would be foolish.  Shutdown your client if you are worried.  Don't statup it up again until you have upgraded.

THIS!!

1. Just don't panic
2. Shutdown all bitcoin clients (better other ones, too - like multibit or armory)
3. upgrade
4. watch carefully for few days - better don't start
5. move to another wallet - https://bitcointalk.org/index.php?topic=562409.msg6132778#msg6132778 just for sure
6. read more about here:
https://bitcointalk.org/index.php?topic=561923.msg6133060#msg6133060

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all httpS ...
(most paranoic - do it twice a day next 2 weeks - and don't forget them )

[grue]

oh look, this sort of fearmongering again. On bitcoin-qt, you're not compromised unless you clicked a bitcoin payment link.

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all https

what if i told you that all of the major browsers do not use openssl? chrome and firefox use NSS, and microsoft uses their own closed source solution. What if I also told you that the vulnerability does not include code injection, so unless you entered passwords into a openssl application, you're safe.

[meawleir21]

LOL this is just big! if it's vlad who found it then he got himself attention for sure...

[binaryFate]

oh look, this sort of fearmongering again. On bitcoin-qt, you're not compromised unless you clicked a bitcoin payment link.

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all https

what if i told you that all of the major browsers do not use openssl? chrome and firefox use NSS, and microsoft uses their own closed source solution. What if I also told you that the vulnerability does not include code injection, so unless you entered passwords into a openssl application, you're safe.

The memory of the browser is compromised, no need to type any password... it is enough if they are in the part of your RAM that can be dumped to the attacker. Same for session IDs.
Good news that chrome and firefox are not affected.

[awesomeami]

Good news that chrome and firefox are not affected.

Can you pls explain how can I be/was safe using FF connecting to "compromised OpenSLL www".
ty - I am not much expert in that - maybe some link, ty

[Lethn]

You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.

[roslinpl]

You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.

this is true. And 0.9.0 not final at all

And perhaps there will be always some issue to solve ...
OpenSource.

[S4VV4S]

So if someone DIDN'T click on a bitcoin link using 0.9.0 they are safe right?

[binaryFate]

Good news that chrome and firefox are not affected.

Can you pls explain how can I be/was safe using FF connecting to "compromised OpenSLL www".
ty - I am not much expert in that - maybe some link, ty

The vulnerability is in the openssl library, that may be used by your browser among other things. But apparently firefox is using a different module for SSL capabilities, and not the openssl implementation, so it is not affected.
If a server was using that particular weak version of the openssl library, then anybody could dump data from that server, but not the other way around.

This is on the level of "browser not technically affected", however on the level of "user being safe" as you mention, things are less good: if a server was vulnerable, then the attacker could maybe use the weakness to take further control of the server (or impersonate it using its certificate), putting you at risk when you are doing your usual activity with what you believe is the usual friendly https server you have always talk to...

[DannyHamilton]

You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?"

FINAL means the final 0.9.0.  Any change that comes after that will go into 0.9.1.

[Fixx]

Were is Wallet.dat placed in Bitcoin 0.9.x ver for Windows x64 ?

[bitcoinforhelp]

i won't change, i feel secure , less secure would be changing them

[DeathAndTaxes]

You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.

Final on any version of Bitcoin simply distinguished between that and the release candidate.

i.e. 0.9.0 RC1, 0.9.0 RC2, <insert as many Release Candidates as necessary to resolve outstanding issues)>,  0.9.0 Final.

Version 0.9 is final it will never be updated.  Case in point the next release was v0.9.1