awesomeami (OP)
April 08, 2014, 10:16:31 PM (Last edit: April 08, 2014, 11:51:00 PM by awesomeami)
UPDATE: Change ALL YOUR PASSWORDS on all your BTC-forums, casinos, exchanges, betting websites ++ (internet) banking systems, gmail, FB, this forum, all httpS ... (most paranoid - do it twice a day next 2 weeks - and don't forget them)
http://www.reddit.com/r/Bitcoin/comments/22jtxg/bitcoin_core_version_091_released/

Pls update https://bitcointalk.org/index.php?board=87.0
ty theymos nice & fast work https://bitcointalk.org/index.php?topic=562409.msg6132778#msg6132778

A bug in OpenSSL, used by Bitcoin-Qt/Bitcoin Core, could allow your bitcoins to be stolen. Immediately updating Bitcoin Core to 0.9.1 is required in some cases, especially if you're using 0.9.0. Download: https://bitcoin.org/bin/0.9.1/

https://bitcointalk.org/index.php?topic=561923.msg6128780#msg6128780
https://bitcointalk.org/index.php?topic=561923.msg6131049#msg6131049
https://bitcointalk.org/index.php?topic=561923.msg6131397#msg6131397

roslinpl
April 08, 2014, 10:30:17 PM
Yeah... I hope not many people have lost BTC because of that bug ... Damn ... what to do, shit happens - good that reaction was quick and 0.9.1 is released.

arcnorth
April 08, 2014, 10:33:07 PM
Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right? I'm going to transfer all my bitcoin to an online account just in case

Rampion
April 08, 2014, 10:34:14 PM
> I'm going to transfer all my bitcoin to an online account just in case

I hope you are joking.

DeathAndTaxes
Gerald Davis
April 08, 2014, 10:36:47 PM (Last edit: April 08, 2014, 10:47:34 PM by DeathAndTaxes)
> Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right? I'm going to transfer all my bitcoin to an online account just in case

Do you use SSL for remote RPC calls to your bitcoind daemon? No. Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT).

Forgot about the new payment protocol system. Great timing on that one.

Switching to an online account would be foolish. Shut down your client if you are worried. Don't start it up again until you have upgraded.

Rampion
April 08, 2014, 10:45:46 PM
> Do you use SSL for remote RPC calls to your bitcoind daemon? No. Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT).

FYI:

> - If you are using the graphical version of 0.9.0 on any platform, you must update immediately. Download here. If you can't update immediately, shut down Bitcoin until you can. If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised. Carefully generate an entirely new wallet (not just a new address) and send all of your bitcoins there. Do not delete your old wallet.
> - If you are using any other version of Bitcoin-Qt/Bitcoin Core, including bitcoind 0.9.0, you are vulnerable only if the rpcssl command-line option is set. If it is not, then no immediate action is required. If it is, and if an attacker could have possibly communicated with the RPC port, then you should consider your wallet to be compromised.
>
> This vulnerability is caused by a critical bug in the OpenSSL library used by Bitcoin Core. Successfully attacking Bitcoin Core by means of this bug seems to be difficult in most cases, and it seems at this point that even successful attacks may be limited, but I recommend taking the above actions just in case.
>
> If you are using a binary version of Bitcoin Core obtained from bitcoin.org or SourceForge, then updating your system's version of OpenSSL will not help. OpenSSL is packaged with the binary on all platforms.
>
> Download 0.9.1
> Announcement
>
> Other software (including other wallet software) may also be affected by this bug. OpenSSL is extremely common.
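
The triage rules from the advisory quoted in the post above, written out as an added example; it is not part of the original post and not Bitcoin Core code. It assumes settings come from `bitcoin.conf`-style `key=value` text or command-line arguments and treats any enabling `rpcssl` occurrence as on; the function names, status strings and sample config are constructed for illustration.

```python
# Constructed sample bitcoin.conf text (not taken from the thread).
SAMPLE_CONF = """\
server=1
rpcuser=alice      # constructed value
rpcssl=1
"""


def rpcssl_enabled(conf_text="", argv=()):
    """True if rpcssl is switched on in config text or command-line arguments.

    Assumption: any enabling occurrence counts, which is conservative for triage.
    """
    settings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings.append((key, value))
    for arg in argv:
        key, sep, value = arg.lstrip("-").partition("=")
        settings.append((key, value if sep else "1"))  # bare -rpcssl means on
    return any(k == "rpcssl" and v not in ("", "0") for k, v in settings)


def triage(version, gui, used_payment_protocol=False,
           conf_text="", argv=(), rpc_port_reachable=False):
    """Return (status, actions) following the two cases in the quoted advisory."""
    status, actions = "no_immediate_action", []
    if gui and version == "0.9.0":
        # Case 1: graphical 0.9.0 on any platform.
        status = "update_required"
        actions.append("update to 0.9.1, or shut down Bitcoin until you can")
        if used_payment_protocol:
            status = "wallet_compromised"
    elif rpcssl_enabled(conf_text, argv):
        # Case 2: any other build, bitcoind 0.9.0 included, with rpcssl set.
        status = "vulnerable"
        actions.append("upgrade Bitcoin Core")
        if rpc_port_reachable:
            status = "wallet_compromised"
    if status == "wallet_compromised":
        actions.append("generate an entirely new wallet, send all coins there, "
                       "keep the old wallet file")
    return status, actions


if __name__ == "__main__":
    print(triage("0.9.0", gui=True, used_payment_protocol=True))
    print(triage("0.9.0", gui=False, conf_text=SAMPLE_CONF))
```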

roslinpl
April 08, 2014, 10:50:08 PM
> Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right? I'm going to transfer all my bitcoin to an online account just in case

No worries too much. Problem is with Bitcoin-qt not with Multibit ... And offline 3rd party wallets are not recommended to keep your BTCs - online wallets are to keep reasonable amounts not all of your holdings...

Just do not worry as you are multibit user. Just make sure your computer is behind a firewall, your router is behind a firewall, you can install some additional firewall, and antivirus, and spybot remover and just keep all safety steps in mind. E-mails, phishing web sites, etc.

regards.

awesomeami (OP)
April 08, 2014, 10:54:36 PM (Last edit: April 08, 2014, 11:23:03 PM by awesomeami)
>> Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right? I'm going to transfer all my bitcoin to an online account just in case
>
> Do you use SSL for remote RPC calls to your bitcoind daemon? No. Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT).
>
> Forgot about the new payment protocol system. Great timing on that one.
>
> Switching to an online account would be foolish. Shut down your client if you are worried. Don't start it up again until you have upgraded.

THIS!!

1. Just don't panic
2. Shutdown all bitcoin clients (better other ones, too - like multibit or armory)
3. upgrade
4. watch carefully for few days - better don't start
5. move to another wallet - https://bitcointalk.org/index.php?topic=562409.msg6132778#msg6132778 just for sure
6. read more about here: https://bitcointalk.org/index.php?topic=561923.msg6133060#msg6133060

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all httpS ... (most paranoid - do it twice a day next 2 weeks - and don't forget them)

grue
April 09, 2014, 04:00:49 AM
oh look, this sort of fearmongering again. On bitcoin-qt, you're not compromised unless you clicked a bitcoin payment link.

> Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all https

what if i told you that all of the major browsers do not use openssl? chrome and firefox use NSS, and microsoft uses their own closed source solution. What if I also told you that the vulnerability does not include code injection, so unless you entered passwords into an openssl application, you're safe.

meawleir21
April 09, 2014, 04:54:20 AM
LOL this is just big! if it's vlad who found it then he got himself attention for sure...

binaryFate
April 09, 2014, 08:33:03 AM
> oh look, this sort of fearmongering again. On bitcoin-qt, you're not compromised unless you clicked a bitcoin payment link.
>
>> Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all https
>
> what if i told you that all of the major browsers do not use openssl? chrome and firefox use NSS, and microsoft uses their own closed source solution. What if I also told you that the vulnerability does not include code injection, so unless you entered passwords into an openssl application, you're safe.

The memory of the browser is compromised, no need to type any password... it is enough if they are in the part of your RAM that can be dumped to the attacker. Same for session IDs.

Good news that chrome and firefox are not affected.

Monero's privacy and therefore fungibility are MUCH stronger than Bitcoin's. This makes Monero a better candidate to deserve the term "digital cash".

awesomeami (OP)
April 09, 2014, 09:38:56 AM
> Good news that chrome and firefox are not affected.

Can you pls explain how can I be/was safe using FF connecting to "compromised OpenSSL www". ty - I am not much expert in that - maybe some link, ty

Lethn
April 09, 2014, 09:57:10 AM
You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.

roslinpl
April 09, 2014, 10:11:56 AM
> You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.

This is true. And 0.9.0 is not final at all. And perhaps there will always be some issue to solve ... OpenSource.

S4VV4S
April 09, 2014, 10:26:26 AM
So if someone DIDN'T click on a bitcoin link using 0.9.0 they are safe right?

binaryFate
April 09, 2014, 11:18:49 AM
>> Good news that chrome and firefox are not affected.
>
> Can you pls explain how can I be/was safe using FF connecting to "compromised OpenSSL www". ty - I am not much expert in that - maybe some link, ty

The vulnerability is in the openssl library, that may be used by your browser among other things. But apparently firefox is using a different module for SSL capabilities, and not the openssl implementation, so it is not affected. If a server was using that particular weak version of the openssl library, then anybody could dump data from that server, but not the other way around.

This is on the level of "browser not technically affected", however on the level of "user being safe" as you mention, things are less good: if a server was vulnerable, then the attacker could maybe use the weakness to take further control of the server (or impersonate it using its certificate), putting you at risk when you are doing your usual activity with what you believe is the usual friendly https server you have always talked to...

DannyHamilton
April 09, 2014, 01:35:32 PM
> You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?"

FINAL means the final 0.9.0. Any change that comes after that will go into 0.9.1.

Fixx
April 09, 2014, 05:31:58 PM
Where is Wallet.dat placed in Bitcoin 0.9.x ver for Windows x64?

bitcoinforhelp
April 09, 2014, 05:33:48 PM
I won't change, I feel secure, less secure would be changing them

DeathAndTaxes
April 09, 2014, 06:09:18 PM
> You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.

Final on any version of Bitcoin simply distinguished between that and the release candidate, i.e. 0.9.0 RC1, 0.9.0 RC2, <insert as many Release Candidates as necessary to resolve outstanding issues>, 0.9.0 Final.

Version 0.9 is final; it will never be updated. Case in point: the next release was v0.9.1.