Bitcoin Forum
Topic: Users of Bitcoin Core on Linux must not upgrade to the latest version of OpenSSL (Read 66055 times)
fenghush, Sr. Member (Activity: 658, Merit: 250)
January 10, 2015, 02:32:08 PM, #21

Kind of makes me glad I haven't bothered upgrading openssl in some time.

Heartbleed much?

siameze, Legendary (Activity: 1064, Merit: 1000)
January 10, 2015, 02:35:59 PM, #22

> I know how to check openssl version, question was about bitcoin-qt binary package from ppa

Just open the debug window and you will see what version of OpenSSL the executable was linked against.

> Kind of makes me glad I haven't bothered upgrading openssl in some time.

*blank stare*

Like you said, there is LibreSSL.  Cheesy


boinc, Full Member (Activity: 224, Merit: 100)
January 10, 2015, 02:53:57 PM, #23

> Just open the debug window and you will see what version of OpenSSL the executable was linked against.

it seems system version of OpenSSL used

BTC 12P9LaA7eciiPCx68qFEFarpfrF8mcrNmY
bitmarket.io, Legendary (Activity: 1204, Merit: 1001)
January 10, 2015, 03:05:22 PM, #24

That's like mega gay dude since we use bitcoind on Debian.

curiosity81, Legendary (Activity: 1778, Merit: 1070)
January 10, 2015, 06:06:04 PM, #25

What do the "p" and "k" stand for in:

"[...] OpenSSL to 1.0.0p or 1.0.1k [...]"?

tuaris, Hero Member (Activity: 780, Merit: 501)
January 10, 2015, 06:26:25 PM, #26

> You are likely to be affected only if:
> - You use Linux.

I use FreeBSD, is it affected?

fenghush, Sr. Member (Activity: 658, Merit: 250)
January 10, 2015, 06:46:14 PM, #27

> > You are likely to be affected only if:
> > - You use Linux.
>
> I use FreeBSD, is it affected?

Can you even autoupdate FreeBSD's ports?

Buffer Overflow, Legendary (Activity: 1652, Merit: 1016)
January 10, 2015, 07:32:40 PM, #28

You can check if your compiled binary is working correctly by executing the command "make check" in the source code directory. This will then iterate through tests. It will return either pass or fail.

theymos (OP), Administrator, Legendary (Activity: 5376, Merit: 13410)
January 10, 2015, 07:33:39 PM, #29

> I use FreeBSD, is it affected?

Yes. I probably should have said "unix-like". The issue affects any system where you're dynamically linking Bitcoin Core against the system OpenSSL. This could even be done on Windows, though that'd be very unusual.

> > ubuntu 14.04
>
> affected?

Yes.

> Is the issue having the new version of OpenSSL at compile-time, or at run-time? (My build of 0.10rc1 links dynamically to /lib/x86_64-linux-gnu/libssl.so.1.0.0, but I don't know about 0.9.3 or builds made on the PPA as part of a Debian build process).

It's an issue of what Bitcoin Core will use. If it's statically linking an OK version of OpenSSL, then updating your system OpenSSL is OK. If it's dynamically linking, then you'll have problems. The binaries on bitcoin.org statically link OpenSSL. I think that almost all Linux distros distribute versions of bitcoind/bitcoin-qt that dynamically link.

If you're compiling Bitcoin Core using the normal configure+make, then it'll link dynamically. I'm not sure how to force this to link statically.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
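theymos's point in the post above is that exposure depends on what the running binary actually loads: a static build carries its own copy of OpenSSL, a dynamic build picks up whatever libcrypto/libssl the system has at run time. The following is an added example (editor's code, not Bitcoin Core's and not posted by anyone in this thread) that answers that question from the ELF file alone, by reading the DT_NEEDED entries of the binary's .dynamic section the way `readelf -d` does. The sample ELF image it builds is constructed for the demonstration and is not a real bitcoind; it assumes the section header table is present, which normal linker output has.

```python
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1


def dt_needed(data):
    """Return the DT_NEEDED library names recorded in an ELF image (bytes).

    Walks the section headers to .dynamic and the string table it links to.
    Nothing is executed, unlike `ldd`, which may run the binary's own loader.
    A fully static binary has no .dynamic section and yields [].
    Assumes the section header table is present (true for normal linker
    output; a binary stripped of it would need the PT_DYNAMIC program header).
    """
    if data[:4] != b'\x7fELF':
        raise ValueError('not an ELF image')
    ei_class, ei_data = data[4], data[5]
    end = {1: '<', 2: '>'}[ei_data]                  # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                                # ELFCLASS64
        e_shoff = struct.unpack_from(end + 'Q', data, 0x28)[0]
        e_shentsize, e_shnum = struct.unpack_from(end + 'HH', data, 0x3a)
        sh_fmt, dyn_fmt = end + 'IIQQQQIIQQ', end + 'qQ'
    else:                                            # ELFCLASS32
        e_shoff = struct.unpack_from(end + 'I', data, 0x20)[0]
        e_shentsize, e_shnum = struct.unpack_from(end + 'HH', data, 0x2e)
        sh_fmt, dyn_fmt = end + 'IIIIIIIIII', end + 'iI'
    # Section header fields: name, type, flags, addr, offset, size, link, ...
    shdrs = [struct.unpack_from(sh_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    needed = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        dyn_off, dyn_size, strtab = sh[4], sh[5], shdrs[sh[6]]
        str_off = strtab[4]                          # .dynstr file offset
        for pos in range(dyn_off, dyn_off + dyn_size, struct.calcsize(dyn_fmt)):
            d_tag, d_val = struct.unpack_from(dyn_fmt, data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                start = str_off + d_val
                needed.append(data[start:data.index(b'\x00', start)].decode())
    return needed


def dt_needed_file(path):
    with open(path, 'rb') as f:
        return dt_needed(f.read())


def openssl_libs(needed):
    """The OpenSSL sonames among DT_NEEDED. ECDSA lives in libcrypto, so a
    binary that needs only libcrypto is just as exposed as one needing libssl."""
    return [n for n in needed if n.startswith(('libssl.', 'libcrypto.'))]


def build_sample_elf64(needed):
    """Constructed little-endian ELF64 image holding only .dynstr and .dynamic
    (no code), enough to exercise dt_needed() offline. Not a real bitcoind."""
    dynstr, offsets = b'\x00', []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b'\x00'
    dynamic = b''.join(struct.pack('<qQ', DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack('<qQ', DT_NULL, 0)
    dynstr_off = 64                                  # right after the ELF header
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)

    def shdr(sh_type, off, size, link=0, entsize=0):
        return struct.pack('<IIQQQQIIQQ', 0, sh_type, 0, 0, off, size, link, 0, 1, entsize)

    ident = b'\x7fELF' + bytes([2, 1, 1]) + b'\x00' * 9      # class64, LSB, version 1
    ehdr = ident + struct.pack('<HHIQQQIHHHHHH', 2, 62, 1, 0, 0, shoff, 0,
                               64, 0, 0, 64, 3, 0)            # ET_EXEC, x86-64, 3 shdrs
    shdrs = (bytes(64) + shdr(SHT_STRTAB, dynstr_off, len(dynstr))
             + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), link=1, entsize=16))
    return ehdr + dynstr + dynamic + shdrs


if __name__ == '__main__':
    import sys
    for path in sys.argv[1:]:
        libs = openssl_libs(dt_needed_file(path))
        print(path, '->', libs or 'no OpenSSL in DT_NEEDED (static, or not using it)')
    sample = build_sample_elf64(['libssl.so.1.0.0', 'libcrypto.so.1.0.0', 'libc.so.6'])
    print('constructed sample ->', openssl_libs(dt_needed(sample)))
```

Saved as, say, dt_needed.py and run as `python3 dt_needed.py /usr/bin/bitcoind`, an empty result means no OpenSSL soname is recorded, i.e. the binary was linked statically or does not use OpenSSL; a `libcrypto.so.*` or `libssl.so.*` entry means the system library is what gets loaded, which is the case theymos describes. `ldd bitcoind` gives the same list, but ldd may execute the binary's own dynamic loader, so on a binary you do not trust prefer `readelf -d` or a read-only parser like this one.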
tuaris, Hero Member (Activity: 780, Merit: 501)
January 10, 2015, 08:13:57 PM, #30

> > > You are likely to be affected only if:
> > > - You use Linux.
> >
> > I use FreeBSD, is it affected?
>
> Can you even autoupdate FreeBSD's ports?

It is possible with PKGNG, but I build my own package repositories to manage updates.

> Yes. I probably should have said "unix-like". The issue affects any system where you're dynamically linking Bitcoin Core against the system OpenSSL. This could even be done on Windows, though that'd be very unusual.

Thank You.  I will watch out for this when building the next set of updates.

ShadowOfHarbringer, Legendary (Activity: 1470, Merit: 1006)
January 11, 2015, 06:56:57 AM, #31

> > I know how to check openssl version, question was about bitcoin-qt binary package from ppa
>
> Just open the debug window and you will see what version of OpenSSL the executable was linked against.
>
> > Kind of makes me glad I haven't bothered upgrading openssl in some time.
>
> *blank stare*
>
> Like you said, there is LibreSSL.  Cheesy

Not stable or tested enough yet.
People, stop suggesting LibreSSL. One can seriously fuck up his/her system by replacing a core library by an unstable solution.

Once LibreSSL is proven not to be dangerous, it can be used instead of OpenSSL.

smoothie, Legendary (Activity: 2492, Merit: 1474)
January 11, 2015, 07:06:30 AM, #32

I presume it doesn't matter what version of Linux you are running?

It is just Linux in general?

uki, Legendary (Activity: 1358, Merit: 1000)
January 11, 2015, 12:32:00 PM, #33

> > ubuntu 14.04
>
> affected?

same OS, my version is:
Code:
OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I only don't need to upgrade to version 1.0.1k, but wait for the following one.
Did I understand that correctly?

MarketNeutral, Sr. Member (Activity: 434, Merit: 252)
January 11, 2015, 02:23:29 PM, #34

> I presume it doesn't matter what version of Linux you are running?
>
> It is just Linux in general?

I second this question.

So this affects any flavor of linux or unix-like system, including the BSDs? Got it.

Theymos said it affects any system that dynamically links OpenSSL to Bitcoin Core. Ok. Good to know.

So how does one force a static link in lieu of a dynamic link?

fenghush, Sr. Member (Activity: 658, Merit: 250)
January 11, 2015, 02:31:14 PM, #35

Basically any OS, even Windows although highly unusual, with a dynamically linked OpenSSL version 1.0.0p or 1.0.1k.
To build it statically you need to generate the object files with gcc, then use ar to bundle them into a static library. But you do need to use a version of OpenSSL which is NOT 1.0.0p or 1.0.1k, otherwise the whole exercise is pointless.

> > I presume it doesn't matter what version of Linux you are running?
> >
> > It is just Linux in general?
>
> I second this question.
>
> So this affects any flavor of linux or unix-like system, including the BSDs? Got it.
>
> Theymos said it affects any system that dynamically links OpenSSL to Bitcoin Core. Ok. Good to know.
>
> So how does one force a static link in lieu of a dynamic link?


MarketNeutral, Sr. Member (Activity: 434, Merit: 252)
January 11, 2015, 02:34:43 PM, #36

> Basically any OS with a dynamically linked OpenSSL version 1.0.0p or 1.0.1k.
> To build it statically you need to generate the object files with gcc, then use ar to bundle them into a static library. But you do need to use a version of OpenSSL which is NOT 1.0.0p or 1.0.1k, otherwise the whole exercise is pointless.
>
> > > I presume it doesn't matter what version of Linux you are running?
> > >
> > > It is just Linux in general?
> >
> > I second this question.
> >
> > So this affects any flavor of linux or unix-like system, including the BSDs? Got it.
> >
> > Theymos said it affects any system that dynamically links OpenSSL to Bitcoin Core. Ok. Good to know.
> >
> > So how does one force a static link in lieu of a dynamic link?

Excellent. Thank you.

cjp, Full Member (Activity: 210, Merit: 124)
January 11, 2015, 02:52:27 PM, #37

Debian published this update:
https://www.debian.org/security/2015/dsa-3125

For Wheezy, the version number is still 1.0.1e. However, the description says it solves CVE-2014-8275, which is exactly the change that should trigger the Bitcoin problem.

So, on Debian Wheezy, the latest patched 1.0.1e can also cause problems? I guess I should first apply the Bitcoin patch, before applying this OpenSSL upgrade...

Donate to: 1KNgGhVJx4yKupWicMenyg6SLoS68nA6S8
http://cornwarecjp.github.io/amiko-pay/
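uki's post and cjp's post above are the two halves of the version question: how to read the 1.0.x version letters (curiosity81's question about "p" and "k"), and the fact that a distribution can backport the change without changing the upstream version string, as cjp notes for Debian wheezy's 1.0.1e under DSA-3125. The following is an added example (editor's code, not from the thread) that parses `openssl version` output and compares it against the 1.0.0p / 1.0.1k patch levels the thread names. The assumption that every later release line also carries the change is the editor's, not something stated in the thread.

```python
import re

# Upstream patch levels from which the stricter ECDSA DER handling is present,
# as named in this thread: 1.0.0p on the 1.0.0 line, 1.0.1k on the 1.0.1 line.
STRICT_FROM = {(1, 0, 0): 'p', (1, 0, 1): 'k'}


def parse_openssl_version(text):
    """'OpenSSL 1.0.1f 6 Jan 2014' -> (1, 0, 1, 'f').

    In the pre-1.1 scheme the trailing letters are successive patch releases
    of one line (1.0.1, 1.0.1a, ..., 1.0.1k), so they order alphabetically;
    a missing letter is the line's first release and sorts lowest.
    LibreSSL prints 'LibreSSL x.y.z' and is rejected here on purpose."""
    m = re.match(r'\s*OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)', text)
    if not m:
        raise ValueError('unrecognised OpenSSL version string: %r' % text)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def has_strict_der_check(version):
    """True if this upstream version is at or past the patch level named in
    the thread for its line. Editor's assumption: every later line (1.0.2,
    1.1.x, 3.x) also carries the change. Distro packages can backport it while
    keeping the upstream string (Debian's 1.0.1e under DSA-3125), so False
    here is not proof of the old behaviour; it only says the string is old."""
    line, letter = version[:3], version[3]
    if line in STRICT_FROM:
        return letter >= STRICT_FROM[line]
    return line > (1, 0, 1)


if __name__ == '__main__':
    import subprocess
    out = subprocess.run(['openssl', 'version'], capture_output=True,
                         text=True, check=True).stdout
    v = parse_openssl_version(out)
    print(out.strip(), '->',
          'strict DER handling' if has_strict_der_check(v) else 'pre-change version string')
```

A `False` from `has_strict_der_check` settles nothing on a distribution package: per cjp's reading of the advisory, Debian's DSA-3125 build keeps the 1.0.1e string and still carries the CVE-2014-8275 change, so there the package changelog, not `openssl version`, is what to check.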
Balthazar, Legendary (Activity: 3108, Merit: 1359)
January 11, 2015, 03:22:16 PM, #38

> Lol, what is this? OpenSSL is becoming more of a joke every day.

Subj. is not a problem of openssl itself. New versions of openssl are rejecting non-standard signatures, while Bitcoin allows them. As a result, you can create a block which will be accepted by some nodes but rejected by others.

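Balthazar's post describes the mechanism: the updated OpenSSL (the change cjp identifies above as the CVE-2014-8275 fix) rejects ECDSA signatures whose DER encoding is not canonical, while Bitcoin's rules at the time accepted them, so one block could be valid on a node with the old library and invalid on a node with the new one. The following is an added example, editor's code and not Bitcoin Core's or OpenSSL's, that makes the two behaviours concrete: a strict DER encoding check, a deliberately tolerant parser standing in for the older library's behaviour, and a re-encoder that turns a laxly-encoded (r, s) back into canonical form. The R/S values and the padded signature are constructed for the demonstration, not a real signature; `node_accepts` is a simplification that models encoding acceptance only, not the curve arithmetic.

```python
def is_strict_der(sig):
    """True iff sig is exactly one ECDSA signature in canonical DER:
    0x30 len 0x02 len(R) R 0x02 len(S) S, short-form lengths, no trailing
    bytes, R and S positive with no superfluous leading 0x00 byte.
    This is the shape a strict decoder accepts and re-encodes byte-for-byte."""
    n = len(sig)
    if n < 8 or n > 72 or sig[0] != 0x30 or sig[1] != n - 2:
        return False
    len_r = sig[3]
    if 5 + len_r >= n:
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 6 != n:
        return False
    for tag_at, length in ((2, len_r), (4 + len_r, len_s)):
        if sig[tag_at] != 0x02 or length == 0:
            return False
        first = sig[tag_at + 2]
        if first & 0x80:                                   # would read as negative
            return False
        if length > 1 and first == 0x00 and not sig[tag_at + 3] & 0x80:
            return False                                   # padding zero not needed
    return True


def _lax_len(buf, pos):
    """DER length, short or long form; lax: long form is accepted even when
    the value would fit in short form."""
    if pos >= len(buf):
        raise ValueError('truncated length')
    first = buf[pos]
    if not first & 0x80:
        return first, pos + 1
    count = first & 0x7f
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError('bad long-form length')
    return int.from_bytes(buf[pos + 1:pos + 1 + count], 'big'), pos + 1 + count


def _lax_int(buf, pos):
    """INTEGER read as unsigned; lax: padding zeros tolerated, sign ignored."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError('expected INTEGER')
    length, pos = _lax_len(buf, pos + 1)
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError('truncated INTEGER')
    return int.from_bytes(body, 'big'), pos + length


def parse_der_lax(sig):
    """Tolerant decode standing in for the older library's behaviour: returns
    (r, s), does not cross-check the outer length, ignores anything after S."""
    if not sig or sig[0] != 0x30:
        raise ValueError('expected SEQUENCE')
    _, pos = _lax_len(sig, 1)
    r, pos = _lax_int(sig, pos)
    s, _ = _lax_int(sig, pos)
    return r, s


def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), 'big')
    if body[0] & 0x80:
        body = b'\x00' + body                              # keep it positive
    return bytes([0x02, len(body)]) + body


def to_strict_der(r, s):
    """Canonical re-encoding of (r, s): what a node could hand to a strict
    library after decoding leniently itself."""
    body = _der_int(r) + _der_int(s)
    return bytes([0x30, len(body)]) + body


def node_accepts(sig, strict_openssl):
    """Encoding acceptance only (no curve arithmetic): a node on the old,
    lenient decoder versus one on the strict decoder."""
    if strict_openssl:
        return is_strict_der(sig)
    try:
        parse_der_lax(sig)
        return True
    except ValueError:
        return False


# Constructed values for the demonstration, not a real signature.
R = int('5a' * 32, 16)
S = int('c3' * 32, 16)
STRICT_SIG = to_strict_der(R, S)
# Same (R, S) with long-form lengths, two padding zeros on R, one trailing byte.
LAX_SIG = (bytes([0x30, 0x81, 0x48])
           + bytes([0x02, 0x81, 0x22]) + b'\x00\x00' + R.to_bytes(32, 'big')
           + bytes([0x02, 0x21]) + b'\x00' + S.to_bytes(32, 'big')
           + b'\x00')

if __name__ == '__main__':
    for name, sig in (('strict', STRICT_SIG), ('lax', LAX_SIG)):
        print(name, 'old node:', node_accepts(sig, False), 'new node:', node_accepts(sig, True))
    print('normalised lax == strict:', to_strict_der(*parse_der_lax(LAX_SIG)) == STRICT_SIG)
```

The case to look at is `LAX_SIG`: the lenient path accepts it, the strict path rejects it, and both decode to the same (r, s). That is the split Balthazar describes, and it is an encoding disagreement, not a disagreement about whether the signature is mathematically valid. Decoding leniently and re-encoding with `to_strict_der` before calling the library is one way a node can keep accepting the old encodings while linked against a strict OpenSSL. Bitcoin script signatures carry one extra trailing sighash byte after the DER structure; the check here is on the bare DER part only.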
stolendata, Sr. Member (Activity: 264, Merit: 250)
January 11, 2015, 04:39:32 PM, #39

> Not stable or tested enough yet.
> People, stop suggesting LibreSSL. One can seriously fuck up his/her system by replacing a core library by an unstable solution.
>
> Once LibreSSL is proven not to be dangerous, it can be used instead of OpenSSL.

Not sure where you've gotten "unstable" from, but I suspect you just didn't inform yourself before posting. LibreSSL is a new fork, yes, but it's beyond the "unstable" phase. The current version of OpenBSD has entirely replaced OpenSSL with their LibreSSL project, not just for the OS portion, but consequently also for every single package in the ~9000 items large repository making use of OpenSSL. All of it works, and it's stable.

That said, there are still a few odd cases of badly written OpenSSL-centric software that needs reworking before it's even possible to link against LibreSSL. This is a different matter.

fenghush, Sr. Member (Activity: 658, Merit: 250)
January 11, 2015, 04:52:32 PM, #40

IMHO bitcoin core should maintain its own SSL library to avoid such issues in the future; in fact it shouldn't rely on 3rd party dynamically linked libraries, regardless of whether they're open source or not, to avoid any possible attacks too.

> > Not stable or tested enough yet.
> > People, stop suggesting LibreSSL. One can seriously fuck up his/her system by replacing a core library by an unstable solution.
> >
> > Once LibreSSL is proven not to be dangerous, it can be used instead of OpenSSL.
>
> Not sure where you've gotten "unstable" from, but I suspect you just didn't inform yourself before posting. LibreSSL is a new fork, yes, but it's beyond the "unstable" phase. The current version of OpenBSD has entirely replaced OpenSSL with their LibreSSL project, not just for the OS portion, but consequently also for every single package in the ~9000 items large repository making use of OpenSSL. All of it works, and it's stable.
>
> That said, there are still a few odd cases of badly written OpenSSL-centric software that needs reworking before it's even possible to link against LibreSSL. This is a different matter.
