Bitcoin Forum
Author Topic: Bitcoin Core (Bitcoin-Qt) 0.9.1 released - update required  (Read 64172 times)
techgeek
April 09, 2014, 05:14:12 AM
 #81

So glad my balance is still there, after the update.


jl2012
April 09, 2014, 05:25:36 AM
 #82

Why don't the devs send an update notice with the emergency key?

sebastian
April 09, 2014, 05:50:10 AM
 #83

Can the CLIENT KEYs really be compromised by this bug?

From what I have understood, it's a bug in the OpenSSL implementation of the Heartbeat protocol of TLS 1.2, causing OpenSSL to leak contents of RAM in the server.
This means the attack vector would be limited to:
impersonating a server and replacing a bitcoin address in the payment protocol, by stealing the SERVER KEYs.

Thus any client-side wallets should be safe since those private keys are never transmitted or kept by the server? (except for webshops and online services running a server-side bitcoin client relying on a vulnerable OpenSSL)

The bitcoin core protocol (port 8333) is not using any form of SSL at all, as far as I know?

If what the Bitcoin devs say is correct (that client keys can be compromised), it would also mean that any website using SSL can steal RAM contents of client computers, which would mean my site can get my visitor's bank details, and that would make the security hole way more critical than it is today.
Siegfried
April 09, 2014, 06:02:20 AM
 #84

How do I install this for Linux Mint? On the previous version there was just a bitcoin-qt file which I could click on and run. Now the extracted folder contains several files, none of which are executable. I am stupid and know almost nothing about using the terminal, compiling libraries, etc. Can someone give me a simple explanation please?

Please.

Almost sounds like you've downloaded a source archive. Are you sure you've downloaded https://bitcoin.org/bin/0.9.1/bitcoin-0.9.1-linux.tar.gz , 36MB in size?

I had a quick look at this archive and the executables appear to be there:

bin/32/bitcoin-qt
bin/64/bitcoin-qt

The file I downloaded from your link and the previous link is 47.5 MB. I tried it again with your link, but same result. Bitcoin-qt is not an executable, it is a "shared library (application/x-sharedlib)". I have no program that can execute this file. Fuck. Why didn't they just make an "executable (application/x-executable)" file like version 0.8.5?
poordeveloper
April 09, 2014, 06:04:06 AM
 #85

Can the CLIENT KEYs really be compromised by this bug?

From what I have understood, it's a bug in the OpenSSL implementation of the Heartbeat protocol of TLS 1.2, causing OpenSSL to leak contents of RAM in the server.
This means the attack vector would be limited to:
impersonating a server and replacing a bitcoin address in the payment protocol, by stealing the SERVER KEYs.

Thus any client-side wallets should be safe since those private keys are never transmitted or kept by the server? (except for webshops and online services running a server-side bitcoin client relying on a vulnerable OpenSSL)

The bitcoin core protocol (port 8333) is not using any form of SSL at all, as far as I know?

If what the Bitcoin devs say is correct (that client keys can be compromised), it would also mean that any website using SSL can steal RAM contents of client computers, which would mean my site can get my visitor's bank details, and that would make the security hole way more critical than it is today.
Bitcoin Core is considered a server / creates what would be considered a server in at least one of the cases highlighted by theymos.

And, even if it acted as a client in the other: This vulnerability also affects clients, which is basically why, if a browser you use uses OpenSSL (Android Browser, for example), the server itself can attack you this way.

So yes, what you say in your final sentence is true (at least for browsers using OpenSSL).

Quantus
April 09, 2014, 06:17:31 AM
 #86

I bet the CIA was exploiting this bug for years.


Do I sound like a conspiracy nut?

rupy
April 09, 2014, 06:29:26 AM
Last edit: April 09, 2014, 06:42:27 AM by rupy
 #87

I think that it's probably more secure to use an old linux at this point...

Running bitcoind.static I got:

Code:
terminate called after throwing an instance of 'std::runtime_error'
  what():  locale::facet::_S_create_c_locale name not valid

Solution https://www.foresightlinux.se/what-localefacet_s_create_c_locale-name-not-valid/

pyromaniac
April 09, 2014, 07:12:28 AM
 #88

Bitcoin 0.9.1 is NOT working with the Russian version of Windows!

jonathan
April 09, 2014, 07:17:51 AM
 #89

Did that glibc problem for linux users get auto-fixed with the 0.9.1 release? Yay! I feared we might be still stuck with 0.9.0's glibc headache:

 https://bitcointalk.org/index.php?topic=522014.msg5795604#msg5795604

... but I just ran the vanilla 0.9.1 in bash in debian wheezy without any trouble at all. Good work devs. :)
Luke-Jr
April 09, 2014, 07:32:45 AM
 #90

If you are using the graphical version of 0.9.0 on any platform, you must update immediately.
If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you.
Instead, you must upgrade to a fixed OpenSSL version.

BitCoinNutJob
April 09, 2014, 07:33:26 AM
 #91

another reason for new investors to avoid bitcoin :(
Luke-Jr
April 09, 2014, 07:36:44 AM
 #92

Memorized private keys, the safest way to own bitcoin.
Memorized private keys are in fact one of the least secure ways to own bitcoin.

Can the CLIENT KEYs really be compromised by this bug?

From what I have understood, it's a bug in the OpenSSL implementation of the Heartbeat protocol of TLS 1.2, causing OpenSSL to leak contents of RAM in the server.
This means the attack vector would be limited to:
impersonating a server and replacing a bitcoin address in the payment protocol, by stealing the SERVER KEYs.

Thus any client-side wallets should be safe since those private keys are never transmitted or kept by the server? (except for webshops and online services running a server-side bitcoin client relying on a vulnerable OpenSSL)

The bitcoin core protocol (port 8333) is not using any form of SSL at all, as far as I know?

If what the Bitcoin devs say is correct (that client keys can be compromised), it would also mean that any website using SSL can steal RAM contents of client computers, which would mean my site can get my visitor's bank details, and that would make the security hole way more critical than it is today.
The vulnerability is bidirectional. The server (or anyone MITMing it!) can get the client to leak information too, which could include private wallet data.
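
The length check at issue in the posts above, as an added example that is not part of the thread and not OpenSSL's own code. It assumes the RFC 6520 heartbeat layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the function names and sample records are hypothetical and constructed. The same receive path runs on whichever endpoint gets the request, client or server.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1u
#define HB_RESPONSE 2u
#define HB_HDR      3u   /* type (1) + payload_length (2) */
#define HB_MIN_PAD  16u  /* minimum padding per RFC 6520 */

/* Payload length the sender claims (bytes 1-2, big-endian). */
static size_t hb_claimed(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes past the end of the received record that a responder would copy
 * if it trusted the claimed length: the memory a vulnerable peer leaks. */
size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR) return 0;
    size_t have = rec_len - HB_HDR;
    return hb_claimed(rec) > have ? hb_claimed(rec) - have : 0;
}

/* Hardened responder: returns the response length, or 0 when the
 * message must be silently discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST) return 0;
    size_t n = hb_claimed(rec);
    if (HB_HDR + n + HB_MIN_PAD > rec_len) return 0; /* claimed length must fit the record */
    if (HB_HDR + n + HB_MIN_PAD > cap) return 0;     /* and the output buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);           /* echo only bytes actually received */
    memset(out + HB_HDR + n, 0, HB_MIN_PAD);         /* zero padding, for this demo only */
    return HB_HDR + n + HB_MIN_PAD;
}

int main(void) {
    /* Constructed sample records, not captured traffic. */
    uint8_t ok[HB_HDR + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t bad[HB_HDR + HB_MIN_PAD] = { HB_REQUEST, 0x40, 0x00 }; /* claims 16384 bytes */
    uint8_t out[64];
    printf("ok:  response=%zu overread=%zu\n",
           hb_respond(ok, sizeof ok, out, sizeof out), hb_overread(ok, sizeof ok));
    printf("bad: response=%zu overread=%zu\n",
           hb_respond(bad, sizeof bad, out, sizeof out), hb_overread(bad, sizeof bad));
    return 0;
}
```
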

southerngentuk
April 09, 2014, 07:49:56 AM
 #93

If you are using the graphical version of 0.9.0 on any platform, you must update immediately.
If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you.
Instead, you must upgrade to a fixed OpenSSL version.
So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0? 8)

Luke-Jr
April 09, 2014, 07:59:01 AM
 #94

If you are using the graphical version of 0.9.0 on any platform, you must update immediately.
If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you.
Instead, you must upgrade to a fixed OpenSSL version.
So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0? 8)
Just be sure it's updated to a fixed version.

Rampion
April 09, 2014, 08:02:28 AM
 #95

Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?

Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how would the private keys have been exposed?

Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?

I just cannot wrap my head around it yet.

southerngentuk
April 09, 2014, 08:04:25 AM
 #96

If you are using the graphical version of 0.9.0 on any platform, you must update immediately.
If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you.
Instead, you must upgrade to a fixed OpenSSL version.
So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0? 8)
Just be sure it's updated to a fixed version.
Looks good :)
Link for others: http://www.ubuntu.com/usn/usn-2165-1/

Luke-Jr
April 09, 2014, 08:04:38 AM
 #97

Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link? Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how would the private keys have been exposed?

I just cannot wrap my head around it yet.
In this case, the risk is only if you were MITM'd...

Rampion
April 09, 2014, 08:05:45 AM
 #98

Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link? Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how would the private keys have been exposed?

I just cannot wrap my head around it yet.
In this case, the risk is only if you were MITM'd...

But who could have MITM'd me? A malicious node? How can my priv keys be exposed just by clicking a "bitcoin:" link that I generated myself, especially if I did not go through the transaction and thus I didn't sign and broadcast it?

bananahunter67
April 09, 2014, 08:46:19 AM
 #99

Thanks for the info. Is Electrum compromised as well?

Polyatomic
April 09, 2014, 09:24:57 AM
 #100

If you're on Ubuntu Saucy you can type,

apt-cache showpkg --names-only openssl

in a terminal to find out what version you have installed.

Package: openssl
Versions:
1.0.1e-3ubuntu1.2

more info here http://www.ubuntu.com/usn/usn-2165-1/