New OpenSSL vulnerability

[Tzupy]

Article at Arstechnica: http://arstechnica.com/security/2014/06/still-reeling-from-heartbleed-openssl-suffers-from-crypto-bypass-flaw/
Would this concern bitcoin? I don't know, someone more knowledgeable please comment.

[1713528612]

1713528612

[1713528612]

1713528612

[Peter882]

Article at Arstechnica: http://arstechnica.com/security/2014/06/still-reeling-from-heartbleed-openssl-suffers-from-crypto-bypass-flaw/
Would this concern bitcoin? I don't know, someone more knowledgeable please comment.

I would like to know that, is it safe to continue using version 0.9.1 with OpenSSL 1.0.1g?

[piotr_n]

AFAIK, the SSL part of OpenSSL is only used there for the new payment protocol and RPC-SSL (the one you switch on with -rpcssl command line switch).

If you don't use any of the two features, you should not be affected by the vulnerability.
At least the recently reported one - the one that you are asking about.

Who knows what other devils are still in there...
OpenSSL is a one big messy lib and devs just keep treating it like a black box, so nobody has an actual idea what this piece of crap does inside.

[dabura667]

AFAIK, the SSL part of OpenSSL is only used there for the new payment protocol and RPC-SSL (the one you switch on with -rpcssl command line switch).

If you don't use any of the two features, you should not be affected by the vulnerability.
At least the recently reported one - the one that you are asking about.

Who knows what other devils are still in there...
OpenSSL is a one big messy lib and devs just keep treating it like a black box, so nobody has an actual idea what this piece of crap does inside.

I think there's a division of people in the NSA that their sole job is to create huge bugs that are hard to find and push them onto open source crypto projects.

I'mma take my tin foil hat and uhhhh lock myself in a bunker for the rest of my life now...

[piotr_n]

I think there's a division of people in the NSA that their sole job is to create huge bugs that are hard to find and push them onto open source crypto projects.

Of course there is.
Mr Snowden was very specific about this, already like a year ago.
And now they are trying to get his ass, just for exposing it.

[Sydboy]

I do not understand some of ths. Is the vulnerabilities relatrd to new version of openSSL or hjave they always been there but someone finally figuird out an exploit(s) ?

[piotr_n]

I do not understand some of ths. Is the vulnerabilities relatrd to new version of openSSL or hjave they always been there but someone finally figuird out an exploit(s) ?

From what I read, these vulnerabilities were there for years.

The public finally figured them out, but for all we know someone could have just as well planted them there, on which case he'd have an exploit(s) ever since.

After the heartbleed incident, people have finally started to seriously audit this code.
These are just the first findings - I'm betting more will come.

[Sydboy]

thanks for clearinf that up, I understand now.
hearbleed was pretty annoyiny. God help us if they come up wth more and more.

Atleas IT specialits wil  have jobs