Author Topic: Users of Bitcoin Core on Linux must not upgrade to the latest version of OpenSSL  (Read 65987 times)
stolendata
January 11, 2015, 05:38:45 PM
 #41

IMHO bitcoin core should maintain its own SSL library to avoid such issues in the future, in fact it shouldn't rely on 3rd party, regardless if they're open source or not dynamically linked libraries to avoid any possible attacks too.

In software development, it's generally considered unwise to reinvent something that already exists in an established and scrutinized form.

LibreSSL isn't reinventing the wheel, but rather repairing a broken wheel. As LibreSSL grows more mature, and since it's a drop-in replacement for OpenSSL, it will with time deprecate OpenSSL and I'm sure the Bitcoin devs are wise enough to make the switch at some point.
fenghush
January 11, 2015, 05:40:16 PM
 #42

I wasn't implying that they should reinvent the wheel, but to maintain their own fork of the libraries used.
The only reason why you want to build dynamically linked binaries is to reduce their size, but it's pointless for bitcoin since you have to download 30 or so gb blockchain data, so why not ship it with a bundle of all libraries used and statically link them, the binary file will be bigger by couple of megabytes but I don't see it as a big deal. And this will prevent issues such as this as well as prevent attacks from 3rd party developers who willingly or unwillingly introduce vulnerabilities in the bitcoin core via updates.
IMHO bitcoin core should maintain its own SSL library to avoid such issues in the future, in fact it shouldn't rely on 3rd party, regardless if they're open source or not dynamically linked libraries to avoid any possible attacks too.

In software development, it's generally considered unwise to reinvent something that already exists in an established and scrutinized form.

LibreSSL isn't reinventing the wheel, but rather repairing a broken wheel, and as LibreSSL grows more mature, and since it's a drop-in replacement for OpenSSL, it will with time deprecate OpenSSL and I'm sure the Bitcoin devs are wise enough to make the switch at some point.

cjp
January 11, 2015, 08:39:48 PM
 #43

So, on Debian Wheezy, the latest patched 1.0.1e can also cause problems?

I now confirmed this, by first successfully running the Bitcoin 0.9.3 test suite, then upgrading OpenSSL (it still says 1.0.1e), and then getting a failure from the test suite:
http://www.ultimatestunts.nl/bitcoin/bitcoin_openssl_unittest_result.txt

Donate to: 1KNgGhVJx4yKupWicMenyg6SLoS68nA6S8
http://cornwarecjp.github.io/amiko-pay/
cjp
January 11, 2015, 10:47:35 PM
 #44

...and after applying the patch, Bitcoin passes its test again. :) Good work!

HCLivess
January 12, 2015, 12:34:14 AM
 #45

Kind of makes me glad I haven't bothered upgrading openssl in some time.

*blank stare*

:D I guess he's being sarcastic

doof
January 12, 2015, 05:53:43 AM
 #46

Apologies if it's answered already, does this affect Mac OSX?
ShadowOfHarbringer
January 12, 2015, 07:44:50 AM
 #47

Somebody knows ETA of a fix coming out ?

stolendata
January 12, 2015, 04:03:10 PM
 #48

Apologies if it's answered already, does this affect Mac OSX?

It affects all OSes. But unless you plan on updating your OS X-installation's openssl dylib yourself (and something tells me you're not), then you don't need to worry at this point. Everything is fine.
drizzt
January 12, 2015, 04:46:33 PM
 #49

Arch Linux users only need to upgrade to the 0.9.3-4 version.

Community manager of ABCore
Bitrated user: drizzt.
Luke-Jr
January 12, 2015, 04:51:32 PM
 #50

Gentoo 0.8.6-r1 and 0.9.3-r1 have the patch to work around the issue.

LibreSSL isn't reinventing the wheel, but rather repairing a broken wheel. As LibreSSL grows more mature, and since it's a drop-in replacement for OpenSSL, it will with time deprecate OpenSSL and I'm sure the Bitcoin devs are wise enough to make the switch at some point.
Unless LibreSSL is guaranteeing bug-for-bug compatibility with old OpenSSL, it cannot safely be used with Bitcoin.
That means it MUST make sure all bugs in OpenSSL 1.0.1j are still bugs in LibreSSL.
As far as I know, that is not a goal of either OpenSSL or LibreSSL, and is exactly why the new version of OpenSSL breaks Bitcoin by fixing a bug.

gmaxwell
Staff
January 12, 2015, 04:55:37 PM
 #51

The binaries from Bitcoin.org are not affected, not on any operating system.

Virtually all users on Windows and OSX are not impacted, because virtually all of them use provided binaries. The only way you are possibly affected on those platforms is if you built the software for yourself and if you update OpenSSL.

Unless LibreSSL is guaranteeing bug-for-bug compatibility with old OpenSSL, it cannot safely be used with Bitcoin.
I looked at that a while back and their massive house-keeping makes the _changes_ more or less impossible to review. (Of course, OpenSSL is more or less impossible to review to begin with; so for their purposes I cannot blame them.)

Keep in mind the Bitcoin protocol doesn't use SSL. That we're using an SSL library here is an accident of history, and a bad call in general. As this update demonstrates, our needs are at odds with the needs of an SSL library.
cjp
January 12, 2015, 06:36:00 PM
 #52

Somebody knows ETA of a fix coming out ?

For most people, this will be the answer:

The binaries from Bitcoin.org are not affected, not on any operating system.

Virtually all users on Windows and OSX are not impacted, because virtually all of them use provided binaries. The only way you are possibly affected on those platforms is if you built the software for yourself and if you update OpenSSL.

If you did compile your own software, then you can run "make check" in the source tree to see if you're affected. If all tests pass, you're not affected. You might want to check again after you update your system's OpenSSL.

Those who compile their own software can fix their software by applying a patch. The required changes are available on Github; e.g. here for the 0.9 branch.

I created a version of the 0.9 sources that's nearly identical to the official 0.9.3 source code release for Linux, but with the fix applied:
https://github.com/cornwarecjp/bitcoin/tree/b146f97935d6c17927406ea549409d232eb7ce3c

I wouldn't recommend doing development on that branch(*), but since it's nearly identical to the official release source code, it should be OK for compiling your own Bitcoin binary. Check for yourself with a diff tool what the differences are with the 0.9.3 sources and make sure you agree. In Linux desktops, you can e.g. use the "Meld" program for this, and use it to compare directories.

(*) The reason being that it's become quite different from development branches, which might make it more difficult to merge things.

bronan
January 12, 2015, 07:53:54 PM
 #53

I was thinking about setting up a bitcoin node but I guess I'll wait till all these issues get resolved.
But I do not think anyone would have believed a year ago that the most secure systems on the planet would get hacked.
Thus far we constantly read about super secure systems being infiltrated.
Let's be honest, the increase in calculating power and increased usage of the internet does open up doors we had never thought about.
Look at the power which modern graphics cards already have; I guess some people used the tech used for mining to make machines to break code as well.
As they did in the past with graphics cards as well.
dserrano5
January 12, 2015, 07:56:51 PM
 #54

I was thinking about setting up a bitcoin node but I guess I'll wait till all these issues get resolved

If you use the binaries from bitcoin.org you are safe (regarding this issue). Go on setting up your peer!
cr1776
January 12, 2015, 11:52:02 PM
 #55

Somebody knows ETA of a fix coming out ?

I moved to 0.10rc2 this morning and if you are running that branch, the notes include preventive measures.
curiosity81
January 13, 2015, 06:27:13 AM
 #56

*schnipp schnapp*

It's an issue of what Bitcoin Core will use. If it's statically linking an OK version of OpenSSL, then updating your system OpenSSL is OK. If it's dynamically linking, then you'll have problems. The binaries on bitcoin.org statically link OpenSSL. I think that almost all Linux distros distribute versions of bitcoind/bitcoin-qt that dynamically link.

I guess this answers my main question!

If you're compiling Bitcoin Core using the normal configure+make, then it'll link dynamically. I'm not sure how to force this to link statically.

This problem would also affect self-compiled altcoin-wallets for which no altcoin.org-version exists, wouldn't it?

fenghush
January 13, 2015, 09:05:50 AM
 #57

Run make test and see.
*schnipp schnapp*

It's an issue of what Bitcoin Core will use. If it's statically linking an OK version of OpenSSL, then updating your system OpenSSL is OK. If it's dynamically linking, then you'll have problems. The binaries on bitcoin.org statically link OpenSSL. I think that almost all Linux distros distribute versions of bitcoind/bitcoin-qt that dynamically link.

I guess this answers my main question!

If you're compiling Bitcoin Core using the normal configure+make, then it'll link dynamically. I'm not sure how to force this to link statically.

This problem would also affect self-compiled altcoin-wallets for which no altcoin.org-version exists, wouldn't it?
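
The static-versus-dynamic linking question raised in the posts above decides whether a system OpenSSL upgrade can change a given binary at all. The script below is an added example, not part of any post in this thread: it classifies `ldd` output for a binary and prints the matching guidance from the thread. The function names, the sample `ldd` output and the `/usr/bin/bitcoind` path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a binary resolves
# OpenSSL at run time, i.e. whether a system OpenSSL upgrade can change it.

# Constructed `ldd` output for a dynamically linked build (not from a real host).
SAMPLE_DYNAMIC='    linux-vdso.so.1 (0x00007ffd0a1f2000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3a1c000000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f3a1bc00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1b800000)'
# Constructed output for a build with OpenSSL linked in statically.
SAMPLE_STATIC='    linux-vdso.so.1 (0x00007ffd0a1f2000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1b800000)'

# Read ldd output on stdin; print each shared OpenSSL library and where it
# resolves to ("missing" when the loader cannot find it).
openssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
        path = ($3 == "not") ? "missing" : $3
        print $1 " " path
    }'
}

# Read ldd output on stdin; print "dynamic" or "static-or-absent".
classify_ldd_output() {
    libs=$(openssl_libs_from_ldd)
    if [ -n "$libs" ]; then echo "dynamic"; else echo "static-or-absent"; fi
}

# Map a classification to the guidance given in the thread.
advice_for() {
    case "$1" in
        dynamic) echo "system OpenSSL is used: re-run 'make check' after every OpenSSL update" ;;
        *)       echo "no shared OpenSSL: system OpenSSL updates do not change this binary" ;;
    esac
}

# Inspect a real binary, e.g. check_binary /usr/bin/bitcoind (path is an assumption).
check_binary() {
    [ -x "$1" ] || { echo "not executable: $1" >&2; return 2; }
    kind=$(ldd "$1" 2>/dev/null | classify_ldd_output)
    echo "$1: $kind; $(advice_for "$kind")"
}

if [ "$#" -gt 0 ]; then check_binary "$1"; fi
```

Run `ldd` only on binaries you trust, since on some systems it loads the file to resolve its dependencies; `objdump -p` lists the `NEEDED` entries without doing so.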

uki
January 13, 2015, 10:46:49 AM
 #58

ubuntu 14.04
Quote
affected?
same OS, my version is:
Code:
OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I only don't need to upgrade to version 1.0.1k, but wait for the following one.
Did I understand that correctly?
well, apparently not.
Version 1.0.1f (6 Jan 2014) seems to be affected, too.
Running reindexing now.

this space is intentionally left blank
siameze
January 13, 2015, 02:40:22 PM
 #59

Kind of makes me glad I haven't bothered upgrading openssl in some time.

*blank stare*


:D I guess he's being sarcastic

Well sarcasm is one of those things that doesn't translate well on forums sometimes. [/sarcasm] tags may be appropriate in the future.


Geronymo
January 13, 2015, 07:22:30 PM
 #60

Sorry, but what is the actual BC version atm?