theymos (OP)
Administrator
Legendary
 Offline
Activity: 5180
Merit: 12900
|
 |
January 10, 2015, 05:58:29 AM |
|
Greg Maxwell's announcement: http://sourceforge.net/p/bitcoin/mailman/message/33221963/Summary: There is a problem with the most recent release of OpenSSL which will cause issues for some users of Bitcoin Core on Linux. This is not a critical security issue, but everyone using Bitcoin Core on Linux should read the following information, especially if you're automatically processing Bitcoin payments. The worst-case scenario is that you might accept transactions as confirmed which are later reversed. You are likely to be affected only if: - You use Linux. - You installed Bitcoin Core using your distro's package manager or you compiled Bitcoin Core yourself without using gitian. You are not affected if you use the binaries on bitcoin.org. - You upgrade your system's OpenSSL to 1.0.0p or 1.0.1k. These were security-fix releases, so your package manager might have updated them automatically. If you are affected, then your client might become stuck at a particular block, and you'll have to reindex the block chain to fix it. In some conceivable but unlikely scenarios, you might see incoming transactions as having 6+ confirmations when the transactions are actually invalid. If you are a pool operator, then you could conceivably start mining on a false chain, which would cause you to lose all of your future blocks until you fix this. If you are using an affected version of Bitcoin Core, you should either make sure that your system OpenSSL does not get updated or shut down Bitcoin Core until an update fixing this is released in a day or two. If Bitcoin Core is already stuck and showing the "We do not appear to fully agree with our peers!" message, shut it down until an update fixing this is released; when you run that version, you'll have to run it with the -reindex switch. |
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
|
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
Remember remember the 5th of November
Legendary
Offline
Activity: 1862
Merit: 1011
Reverse engineer from time to time
|
 |
January 10, 2015, 06:04:46 AM |
|
Lol, what is this? OpenSSL is becoming more of a joke every day.
|
BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
|
|
|
|
bitcreditscc
|
|
January 10, 2015, 06:38:18 AM |
|
Lol, what is this? OpenSSL is becoming more of a joke every day.
Or maybe it is being done on purpose. |
|
|
|
ghostlander
Legendary
Offline
Activity: 1239
Merit: 1020
No surrender, no retreat, no regret.
|
|
January 10, 2015, 07:47:31 AM |
|
The question is, why do the OpenSSL developers push compatibility breaking updates to the stable branches? They have 1.0.2-beta for all kinds of experiments.
|
|
|
|
newIndia
Legendary
Offline
Activity: 2198
Merit: 1049
|
|
January 10, 2015, 09:23:19 AM |
|
Lol, what is this? OpenSSL is becoming more of a joke every day.
Or maybe it is being done on purpose. Seems so...  |
|
|
|
|
Christian1998
|
|
January 10, 2015, 09:55:38 AM |
|
Thank you theymos for this info.
Best regards
Christian
|
|
|
|
|
srgkrgkj
Legendary
Offline
Activity: 1218
Merit: 1000
|
|
January 10, 2015, 10:26:45 AM |
|
thanks theymos OpenSSL lets me down once again  |
|
|
|
hexafraction
Sr. Member
Offline
Activity: 392
Merit: 259
Tips welcomed: 1CF4GhXX1RhCaGzWztgE1YZZUcSpoqTbsJ
|
|
January 10, 2015, 10:27:22 AM |
|
Is the issue having the new version of OpenSSL at compile-time, or at run-time? (My build of 0.10rc1 links dynamically to /lib/x86_64-linux-gnu/libssl.so.1.0.0, but I don't know about 0.9.3 or builds made on the PPA as part of a Debian build process).
Furthermore, to prevent such drama later if OpenSSL is still used down the road, is there a documented, secure, and feasible way to statically link to a known version of OpenSSL that is passing tests?
|
|
|
|
|
fenghush
|
|
January 10, 2015, 11:11:09 AM |
|
The question is, why do the OpenSSL developers push compatibility breaking updates to the stable branches? They have 1.0.2-beta for all kinds of experiments.
Because openssl is one giant mess, it's so horrid that it is immune to auditing but it is so widely used that we're just stuck with it. I for one commend the developers for at least trying to fix it, anyone else would have given up years ago. |
|
|
|
Buffer Overflow
Legendary
Offline
Activity: 1652
Merit: 1015
|
|
January 10, 2015, 11:16:31 AM |
|
Arch Linux just updated to 1.0.1k so this affects my node.
Think I'll just shut my node down till the patch.
|
|
|
|
ShadowOfHarbringer
Legendary
Offline
Activity: 1470
Merit: 1005
Bringing Legendary Har® to you since 1952
|
|
January 10, 2015, 11:46:57 AM |
|
This is serious.
Anybody knows when is a patch coming ?
|
|
|
|
|
boinc
|
|
January 10, 2015, 12:57:43 PM |
|
|
BTC 12P9LaA7eciiPCx68qFEFarpfrF8mcrNmY
|
|
|
shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1499
No I dont escrow anymore.
|
|
January 10, 2015, 01:12:18 PM |
|
Start openssl from terminal wait for it start and use version to see if you have one of the versions in question. Close openssl with quit |
Im not really here, its just your imagination.
|
|
|
|
stolendata
|
|
January 10, 2015, 01:30:45 PM |
|
Lol, what is this? OpenSSL is becoming more of a joke every day.
This is actually a twofold problem - Bitcoin Core's use of signature validation plays an equal part in this. |
|
|
|
|
|
boinc
|
|
January 10, 2015, 01:32:43 PM |
|
Start openssl from terminal wait for it start and use version to see if you have one of the versions in question. Close openssl with quitI know how to check openssl version, question was about bitcoin-qt binary package from ppa |
BTC 12P9LaA7eciiPCx68qFEFarpfrF8mcrNmY
|
|
|
Jay_Pal
Legendary
Offline
Activity: 1493
Merit: 1003
|
|
January 10, 2015, 02:06:06 PM |
|
Just for checking, I have version 1.0.1f in ubuntu but I'm using bitcoin core 0.9.2.1 from bitcoin.org, so no need to change or panic, is that right?  And thanks for the heads up, theymos - this is exactly what makes this community awesome! |
|
|
|
cr1776
Legendary
Offline
Activity: 4018
Merit: 1299
|
|
January 10, 2015, 02:12:45 PM
Last edit: January 10, 2015, 08:36:15 PM by cr1776 |
|
Start openssl from terminal wait for it start and use version to see if you have one of the versions in question. Close openssl with quitI know how to check openssl version, question was about bitcoin-qt binary package from ppa Perhaps try apt-get upgrade and see if it wants to install the new version. Then do not hit Y to install? I think it showed up on my ec2 server this morning and I installed it since it is just a web server. I didn't note it though and am not in a position to check right now. It looks like there is now a patch for it from Wladimir, per the mail list, btw. edit: I did check to see if 14.04 was offering to install the update via apt-get and it was not as of now. |
|
|
|
|
|
stolendata
|
|
January 10, 2015, 02:15:13 PM |
|
Because openssl is one giant mess, it's so horrid that it is immune to auditing but it is so widely used that we're just stuck with it.
I for one commend the developers for at least trying to fix it, anyone else would have given up years ago.
http://www.libressl.org/ |
|
|
|
|
siameze
Legendary
Offline
Activity: 1064
Merit: 1000
|
|
January 10, 2015, 02:19:15 PM |
|
Kind of makes me glad I haven't bothered upgrading openssl in some time.
|
|
|
|
|
stolendata
|
|
January 10, 2015, 02:22:13 PM |
|
I know how to check openssl version, question was about bitcoin-qt binary package from ppa
Just open the debug window and you will see what version of OpenSSL the executable was linked against. Kind of makes me glad I haven't bothered upgrading openssl in some time.
*blank stare* |
|
|
|
|
|
