techgeek
April 09, 2014, 05:14:12 AM
So glad my balance is still there, after the update.
jl2012
Legendary
Offline
Activity: 1792
Merit: 1111
April 09, 2014, 05:25:36 AM
Why don't the devs send an update notice with the emergency key?
sebastian
April 09, 2014, 05:50:10 AM
Can the CLIENT KEYs really be compromised by this bug?
From what I understand, it's a bug in the OpenSSL implementation of the Heartbeat protocol of TLS 1.2, causing OpenSSL to leak contents of RAM on the server. This means the attack vector would be limited to impersonating a server and replacing a bitcoin address in the payment protocol, by stealing the SERVER KEYs.
Thus any client-side wallets should be safe, since those private keys are never transmitted to or kept by the server? (except for webshops and online services running a server-side bitcoin client relying on a vulnerable OpenSSL)
The bitcoin core protocol (port 8333) is not using any form of SSL at all, as far as I know?
If what the Bitcoin devs say is correct (that client keys can be compromised), that would also mean that any website using SSL can steal RAM contents of client computers, which would mean my site can get my visitors' bank details, and that would make the security hole way more critical than it is today.
Siegfried
April 09, 2014, 06:02:20 AM
How do I install this for Linux Mint? On the previous version there was just a bitcoin-qt file which I could click on and run. Now the extracted folder contains several files, none of which are executable. I am stupid and know almost nothing about using the terminal, compiling libraries, etc. Can someone give me a simple explanation please?

Please. Almost sounds like you've downloaded a source archive. Are you sure you've downloaded https://bitcoin.org/bin/0.9.1/bitcoin-0.9.1-linux.tar.gz , 36MB in size? I had a quick look at this archive and the executables appear to be there: bin/32/bitcoin-qt bin/64/bitcoin-qt

The file I downloaded from your link and the previous link is 47.5 MB. I tried it again with your link, but same result. Bitcoin-qt is not an executable, it is a "shared library (application/x-sharedlib)". I have no program that can execute this file. Fuck. Why didn't they just make an "executable (application/x-executable)" file like version 0.8.5?
poordeveloper
April 09, 2014, 06:04:06 AM
Can the CLIENT KEYs really be compromised by this bug?
From what I understand, it's a bug in the OpenSSL implementation of the Heartbeat protocol of TLS 1.2, causing OpenSSL to leak contents of RAM on the server. This means the attack vector would be limited to impersonating a server and replacing a bitcoin address in the payment protocol, by stealing the SERVER KEYs.
Thus any client-side wallets should be safe, since those private keys are never transmitted to or kept by the server? (except for webshops and online services running a server-side bitcoin client relying on a vulnerable OpenSSL)
The bitcoin core protocol (port 8333) is not using any form of SSL at all, as far as I know?
If what the Bitcoin devs say is correct (that client keys can be compromised), that would also mean that any website using SSL can steal RAM contents of client computers, which would mean my site can get my visitors' bank details, and that would make the security hole way more critical than it is today.

Bitcoin Core is considered a server / creates what would be considered a server in at least one of the cases highlighted by theymos. And, even if it acted as a client in the other: this vulnerability also affects clients, which is basically why, if a browser you use uses OpenSSL (Android Browser, for example), the server itself can attack you this way. So yes, what you say in your final sentence is true (at least for browsers using OpenSSL).
Quantus
Legendary
Offline
Activity: 883
Merit: 1005
April 09, 2014, 06:17:31 AM
I bet the CIA was exploiting this bug for years.
Do I sound like a conspiracy nut?
pyromaniac
April 09, 2014, 07:12:28 AM
Bitcoin 0.9.1 is NOT working with the Russian version of Windows!
jonathan
Member
Offline
Activity: 84
Merit: 14
April 09, 2014, 07:17:51 AM
Did that glibc problem for Linux users get auto-fixed with the 0.9.1 release? Yay! I feared we might still be stuck with 0.9.0's glibc headache: https://bitcointalk.org/index.php?topic=522014.msg5795604#msg5795604... but I just ran the vanilla 0.9.1 in bash on Debian wheezy without any trouble at all. Good work devs.
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
April 09, 2014, 07:32:45 AM
If you are using the graphical version of 0.9.0 on any platform, you must update immediately. If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you. Instead, you must upgrade to a fixed OpenSSL version.
BitCoinNutJob
Legendary
Offline
Activity: 1316
Merit: 1000
April 09, 2014, 07:33:26 AM
another reason for new investors to avoid bitcoin
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
April 09, 2014, 07:36:44 AM
Memorized private keys, the safest way to own bitcoin.

Memorized private keys are in fact one of the least secure ways to own bitcoin.

Can the CLIENT KEYs really be compromised by this bug?
From what I understand, it's a bug in the OpenSSL implementation of the Heartbeat protocol of TLS 1.2, causing OpenSSL to leak contents of RAM on the server. This means the attack vector would be limited to impersonating a server and replacing a bitcoin address in the payment protocol, by stealing the SERVER KEYs.
Thus any client-side wallets should be safe, since those private keys are never transmitted to or kept by the server? (except for webshops and online services running a server-side bitcoin client relying on a vulnerable OpenSSL)
The bitcoin core protocol (port 8333) is not using any form of SSL at all, as far as I know?
If what the Bitcoin devs say is correct (that client keys can be compromised), that would also mean that any website using SSL can steal RAM contents of client computers, which would mean my site can get my visitors' bank details, and that would make the security hole way more critical than it is today.

The vulnerability is bidirectional. The server (or anyone MITMing it!) can get the client to leak information too, which could include private wallet data.
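A small simulation of the bug sebastian and Luke-Jr are discussing, added here as an example and not code from the thread or from OpenSSL: an RFC 6520 heartbeat record handled the way OpenSSL 1.0.1 through 1.0.1f did (trusting the peer's length field) next to the length check 1.0.1g added. The byte buffer standing in for process memory, the neighbouring data and all function names are constructed; the same handler runs on both ends of a TLS connection, which is why the leak is bidirectional.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a heartbeat carries at least 16 bytes of padding

def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request. claimed_length lets the length field
    disagree with the bytes actually sent, which is the Heartbleed trigger."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING

def vulnerable_handler(memory, record_len):
    """OpenSSL 1.0.1 to 1.0.1f: echo payload_length bytes from the payload,
    trusting the peer's length field. `memory` stands in for the process heap:
    the record fills its first record_len bytes, unrelated data follows."""
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    echoed = memory[3:3 + payload_len]  # may run past the end of the record
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING

def fixed_handler(memory, record_len):
    """The check added in 1.0.1g: the record must hold the type byte, the
    length field, the claimed payload and the minimum padding, or it is
    silently discarded. Only after that is the copy performed."""
    if 1 + 2 + MIN_PADDING > record_len:
        return None
    _, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None
    return vulnerable_handler(memory, record_len)  # bounded now, so the copy is safe

def leaked_bytes(response, record_len):
    """Bytes in a response that came from beyond the received record."""
    echoed = response[3:len(response) - MIN_PADDING]
    return echoed[record_len - 3:]

# Constructed sample: a 4-byte payload claiming to be 64 bytes long, sitting in
# memory next to data the peer was never meant to see (not real key material).
NEIGHBOUR = b"private-key-bytes-living-nearby"
RECORD = build_heartbeat(b"ping", claimed_length=64)
MEMORY = RECORD + NEIGHBOUR

def run_demo():
    """Outcome for the malformed record and, for comparison, an honest one."""
    honest = build_heartbeat(b"ping")
    return {
        "leak": leaked_bytes(vulnerable_handler(MEMORY, len(RECORD)), len(RECORD)),
        "fixed": fixed_handler(MEMORY, len(RECORD)),
        "honest_leak": leaked_bytes(fixed_handler(honest + NEIGHBOUR, len(honest)), len(honest)),
    }
```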
southerngentuk
Sr. Member
Offline
Activity: 1316
Merit: 254
April 09, 2014, 07:49:56 AM
If you are using the graphical version of 0.9.0 on any platform, you must update immediately. If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you. Instead, you must upgrade to a fixed OpenSSL version.

So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0?
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
April 09, 2014, 07:59:01 AM
If you are using the graphical version of 0.9.0 on any platform, you must update immediately. If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you. Instead, you must upgrade to a fixed OpenSSL version.

So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0?

Just be sure it's updated to a fixed version.
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
April 09, 2014, 08:02:28 AM
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?
Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how would the private keys have been exposed?
Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus did not sign any transaction?
I just cannot wrap my head around it yet.
southerngentuk
Sr. Member
Offline
Activity: 1316
Merit: 254
April 09, 2014, 08:04:25 AM
If you are using the graphical version of 0.9.0 on any platform, you must update immediately. If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you. Instead, you must upgrade to a fixed OpenSSL version.

So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0?

Just be sure it's updated to a fixed version.

Looks like a good link for others: http://www.ubuntu.com/usn/usn-2165-1/
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
April 09, 2014, 08:04:38 AM
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link? Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how would the private keys have been exposed?
I just cannot wrap my head around it yet.

In this case, the risk is only if you were MITM'd...
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
April 09, 2014, 08:05:45 AM
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link? Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how would the private keys have been exposed?
I just cannot wrap my head around it yet.

In this case, the risk is only if you were MITM'd...

But who could have MITM'd me? A malicious node? How can my priv keys be exposed just by clicking a "bitcoin:" link that I generated myself, especially if I did not go through the transaction and thus didn't sign and broadcast it?
bananahunter67
April 09, 2014, 08:46:19 AM
Thanks for the info. Is Electrum compromised as well?
Polyatomic
April 09, 2014, 09:24:57 AM
If you're on Ubuntu Saucy you can type apt-cache showpkg --names-only openssl in a terminal to find out what version you have installed.
Package: openssl Versions: 1.0.1e-3ubuntu1.2
More info here: http://www.ubuntu.com/usn/usn-2165-1/
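A version check along the lines of Polyatomic's apt-cache command and Luke-Jr's "be sure it's updated to a fixed version", added here as an example and not code from the thread: it classifies an openssl version banner by its upstream number, and separately compares a Debian package version against the one a vendor advisory lists, because a backported fix keeps the old upstream number (the 1.0.1e-3ubuntu1.2 Polyatomic reports is the version USN-2165-1 lists as fixed for Ubuntu 13.10). Function names are mine, and the revision comparison is an approximation of dpkg's ordering, as the comments note.

```python
import re
import subprocess

# Upstream OpenSSL releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g is the fix; 0.9.8 and 1.0.0 never had the heartbeat code.
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)(?:-beta(\d+))?")

def classify_upstream(banner):
    """Classify an `openssl version` banner such as 'OpenSSL 1.0.1e 11 Feb 2013'
    by its upstream version number alone."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    base, letter, beta = m.groups()
    if base == "1.0.1":
        return "affected" if letter < "g" else "fixed"  # '' < 'a' < ... < 'f' < 'g'
    if base == "1.0.2":
        return "affected" if beta == "1" else "fixed"
    if base in ("0.9.8", "1.0.0"):
        return "not-affected"
    return "fixed"  # every later branch post-dates the fix

def _natural_key(revision):
    # Approximates dpkg ordering: numeric runs compare as numbers, text as text.
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|\D+", revision)]

def classify_debian_package(installed, advisory_fixed):
    """Distro packages keep the upstream number and backport the fix, so a patched
    Ubuntu 13.10 libssl1.0.0 still reads 1.0.1e-... and classify_upstream would
    call it affected. Compare the full Debian version against the one the vendor
    advisory lists instead. Assumption: the fix is a new revision of the same
    upstream release (true for USN-2165-1); on a real host prefer
    `dpkg --compare-versions`, which implements every corner of the Debian rules."""
    up_inst, _, rev_inst = installed.partition("-")
    up_fix, _, rev_fix = advisory_fixed.partition("-")
    if up_inst != up_fix:
        return classify_upstream(installed)
    return "fixed" if _natural_key(rev_inst) >= _natural_key(rev_fix) else "affected"

def local_openssl_status():
    """Upstream verdict for the OpenSSL binary on this host, if there is one."""
    try:
        banner = subprocess.check_output(["openssl", "version"], text=True)
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return classify_upstream(banner)
```

This only tells you about the system library; the official 0.9.0 graphical binaries carry their own OpenSSL, which is why Luke-Jr says those must move to 0.9.1 regardless of what the distro package reports.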