fenghush
January 10, 2015, 02:32:08 PM |
Kind of makes me glad I haven't bothered upgrading openssl in some time.
Heartbleed much?
siameze
January 10, 2015, 02:35:59 PM |
> I know how to check openssl version, question was about bitcoin-qt binary package from ppa

Just open the debug window and you will see what version of OpenSSL the executable was linked against.

> Kind of makes me glad I haven't bothered upgrading openssl in some time.

*blank stare* Like you said, there is LibreSSL.
boinc
January 10, 2015, 02:53:57 PM |
> Just open the debug window and you will see what version of OpenSSL the executable was linked against.

It seems the system version of OpenSSL is used.
bitmarket.io
January 10, 2015, 03:05:22 PM |
That's like mega gay dude since we use bitcoind on Debian.
curiosity81
January 10, 2015, 06:06:04 PM |
What do the "p" and "k" stand for in: "[...] OpenSSL to 1.0.0p or 1.0.1k [...]"?
tuaris
January 10, 2015, 06:26:25 PM |
> You are likely to be affected only if:
> - You use Linux.

I use FreeBSD, is it affected?
fenghush
January 10, 2015, 06:46:14 PM |
> > You are likely to be affected only if:
> > - You use Linux.
>
> I use FreeBSD, is it affected?

Can you even autoupdate FreeBSD's ports?
Buffer Overflow
January 10, 2015, 07:32:40 PM |
You can check if your compiled binary is working correctly by executing the command "make check" in the source code directory. This will then iterate through tests. It will return either pass or fail.
theymos (OP)
January 10, 2015, 07:33:39 PM |
> I use FreeBSD, is it affected?

Yes. I probably should have said "unix-like". The issue affects any system where you're dynamically linking Bitcoin Core against the system OpenSSL. This could even be done on Windows, though that'd be very unusual.

> Is the issue having the new version of OpenSSL at compile-time, or at run-time? (My build of 0.10rc1 links dynamically to /lib/x86_64-linux-gnu/libssl.so.1.0.0, but I don't know about 0.9.3 or builds made on the PPA as part of a Debian build process).

It's an issue of what Bitcoin Core will use. If it's statically linking an OK version of OpenSSL, then updating your system OpenSSL is OK. If it's dynamically linking, then you'll have problems. The binaries on bitcoin.org statically link OpenSSL. I think that almost all Linux distros distribute versions of bitcoind/bitcoin-qt that dynamically link. If you're compiling Bitcoin Core using the normal configure+make, then it'll link dynamically. I'm not sure how to force this to link statically.
tuaris
January 10, 2015, 08:13:57 PM |
> > > You are likely to be affected only if:
> > > - You use Linux.
> >
> > I use FreeBSD, is it affected?
>
> Can you even autoupdate freebsd's ports?

It is possible with PKGNG, but I build my own package repositories to manage updates.

> Yes. I probably should have said "unix-like". The issue affects any system where you're dynamically linking Bitcoin Core against the system OpenSSL. This could even be done on Windows, though that'd be very unusual.

Thank you. I will watch out for this when building the next set of updates.
ShadowOfHarbringer
January 11, 2015, 06:56:57 AM |
> > I know how to check openssl version, question was about bitcoin-qt binary package from ppa
>
> Just open the debug window and you will see what version of OpenSSL the executable was linked against.
>
> > Kind of makes me glad I haven't bothered upgrading openssl in some time.
>
> *blank stare* Like you said, there is LibreSSL.

Not stable or tested enough yet. People, stop suggesting LibreSSL. One can seriously fuck up his/her system by replacing a core library with an unstable solution. Once LibreSSL is proven not to be dangerous, it can be used instead of OpenSSL.
smoothie
January 11, 2015, 07:06:30 AM |
I presume it doesn't matter what version of Linux you are running?
It is just Linux in general?
uki
January 11, 2015, 12:32:00 PM |
Same OS, my version is: OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I just don't need to upgrade to version 1.0.1k, but wait for the following one. Did I understand that correctly?
MarketNeutral
January 11, 2015, 02:23:29 PM |
> I presume it doesn't matter what version of Linux you are running?
> It is just Linux in general?

I second this question. So this affects any flavor of Linux or unix-like system, including the BSDs? Got it. Theymos said it affects any system that dynamically links OpenSSL to Bitcoin Core. Ok. Good to know. So how does one force a static link in lieu of a dynamic link?
fenghush
January 11, 2015, 02:31:14 PM |
> > I presume it doesn't matter what version of Linux you are running?
> > It is just Linux in general?
>
> I second this question. So this affects any flavor of linux or unix-like system, including the BSDs? Got it. Theymos said it affects any system that dynamically links OpenSSL to Bitcoin Core. Ok. Good to know. So how does one force a static link in lieu of a dynamic link?

Basically any OS, even Windows (although highly unusual), with dynamically linked OpenSSL versions 1.0.0p or 1.0.1k. To build it statically you need to generate the object files with gcc, then use ar to bundle them into a static library. But you do need to use a version of OpenSSL which is NOT 1.0.0p or 1.0.1k, otherwise the whole exercise is pointless.
MarketNeutral
January 11, 2015, 02:34:43 PM |
> > > I presume it doesn't matter what version of Linux you are running?
> > > It is just Linux in general?
> >
> > I second this question. So this affects any flavor of linux or unix-like system, including the BSDs? Got it. Theymos said it affects any system that dynamically links OpenSSL to Bitcoin Core. Ok. Good to know. So how does one force a static link in lieu of a dynamic link?
>
> Basically any OS with a dynamically linked openssl versions 1.0.0p or 1.0.1k. To build it statically you need to generate the object files with gcc, then use ar to bundle them into a static library. But you do need to use a version of openssl which is NOT 1.0.0p or 1.0.1k, otherwise the whole exercise is pointless.

Excellent. Thank you.
cjp
January 11, 2015, 02:52:27 PM |
Debian published this update: https://www.debian.org/security/2015/dsa-3125

For Wheezy, the version number is still 1.0.1e. However, the description says it solves CVE-2014-8275, which is exactly the change that should trigger the Bitcoin problem. So, on Debian Wheezy, the latest patched 1.0.1e can also cause problems? I guess I should first apply the Bitcoin patch, before applying this OpenSSL upgrade...
Balthazar
January 11, 2015, 03:22:16 PM |
> Lol, what is this? OpenSSL is becoming more of a joke every day.

Subj. is not a problem of OpenSSL itself. New versions of OpenSSL are rejecting non-standard signatures, while Bitcoin allows them. As a result, you can create a block which will be accepted by some nodes but rejected by others.
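Balthazar's point above, one parser accepting a signature encoding that another rejects, shown in code. This is an added example, not code from Bitcoin Core or OpenSSL: the strict check follows the DER encoding rules Bitcoin Core later adopted in BIP66, applied here to the DER part of a signature only (the trailing sighash byte is left out, an assumption for brevity); the lenient decoder is a constructed imitation of a tolerant parser, and all four test vectors are constructed, not real signatures.

```python
# Constructed test vectors: r = 1, s = 2 in every case; not real Bitcoin signatures.
CANONICAL = bytes.fromhex("3006" "020101" "020102")            # the single valid DER form
LONG_FORM_LENGTH = bytes.fromhex("308106" "020101" "020102")   # BER long-form outer length
TRAILING_BYTE = CANONICAL + b"\x00"                            # junk after the sequence
PADDED_R = bytes.fromhex("3007" "02020001" "020102")           # needless leading zero in R

def lenient_parse(sig):
    """Tolerant decoder (long-form lengths, padding, trailing bytes). (r, s) or None."""
    def read_len(pos):                         # short form, or 0x8n + n length bytes
        first = sig[pos]
        if first < 0x80:
            return first, pos + 1
        n = first & 0x7F
        return int.from_bytes(sig[pos + 1:pos + 1 + n], "big"), pos + 1 + n
    try:
        if sig[0] != 0x30:
            return None
        _, pos = read_len(1)                   # outer length is never cross-checked
        values = []
        for _ in range(2):                     # R then S, each an INTEGER
            if sig[pos] != 0x02:
                return None
            n, pos = read_len(pos + 1)
            values.append(int.from_bytes(sig[pos:pos + n], "big", signed=True))
            pos += n
        return tuple(values)                   # anything after S is ignored
    except IndexError:
        return None

def is_strict_der(sig):
    """BIP66-style check on the DER part of a signature: one canonical encoding only."""
    if not 8 <= len(sig) <= 72 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        return False
    len_r = sig[3]
    if 5 + len_r >= len(sig):
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 6 != len(sig) or sig[2] != 0x02 or sig[len_r + 4] != 0x02:
        return False
    for start, length in ((4, len_r), (len_r + 6, len_s)):   # R then S
        if length == 0 or sig[start] & 0x80:                  # empty or negative
            return False
        if length > 1 and sig[start] == 0 and not sig[start + 1] & 0x80:
            return False                                      # non-minimal leading zero
    return True

def nodes_agree(sig):
    """True when a strict node and a lenient node reach the same accept/reject verdict."""
    return is_strict_der(sig) == (lenient_parse(sig) is not None)
```

Run both functions over the four constants: the three non-canonical vectors decode to (1, 2) on the lenient side and fail the strict check, which is exactly the split between nodes that Balthazar describes.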
stolendata
January 11, 2015, 04:39:32 PM |
> Not stable or tested enough yet. People, stop suggesting LibreSSL. One can seriously fuck up his/hers system by replacing a core library by an unstable solution.
> Once LibreSSL is proven not to be dangerous, it can be used instead of OpenSSL

Not sure where you've gotten "unstable" from, but I suspect you just didn't inform yourself before posting. LibreSSL is a new fork, yes, but it's beyond the "unstable" phase. The current version of OpenBSD has entirely replaced OpenSSL with their LibreSSL project, not just for the OS portion, but consequently also for every single package in the ~9000-item repository making use of OpenSSL. All of it works, and it's stable. That said, there are still a few odd cases of badly written OpenSSL-centric software that need reworking before it's even possible to link against LibreSSL. This is a different matter.
fenghush
January 11, 2015, 04:52:32 PM |
> > Not stable or tested enough yet. People, stop suggesting LibreSSL. One can seriously fuck up his/hers system by replacing a core library by an unstable solution.
> > Once LibreSSL is proven not to be dangerous, it can be used instead of OpenSSL
>
> Not sure where you've gotten "unstable" from, but I suspect you just didn't inform yourself before posting. LibreSSL is a new fork, yes, but it's beyond the "unstable" phase. The current version of OpenBSD has entirely replaced OpenSSL with their LibreSSL project, not just for the OS portion, but consequently also for every single package in the ~9000-item repository making use of OpenSSL. All of it works, and it's stable. That said, there are still a few odd cases of badly written OpenSSL-centric software that need reworking before it's even possible to link against LibreSSL. This is a different matter.

IMHO Bitcoin Core should maintain its own SSL library to avoid such issues in the future. In fact it shouldn't rely on third-party dynamically linked libraries, regardless of whether they're open source or not, to avoid any possible attacks too.