stolendata
January 11, 2015, 05:38:45 PM
> IMHO bitcoin core should maintain its own SSL library to avoid such issues in the future, in fact it shouldn't rely on 3rd-party dynamically linked libraries, regardless of whether they're open source or not, to avoid any possible attacks too.

In software development, it's generally considered unwise to reinvent something that already exists in an established and scrutinized form. LibreSSL isn't reinventing the wheel, but rather repairing a broken wheel. As LibreSSL grows more mature, and since it's a drop-in replacement for OpenSSL, it will with time deprecate OpenSSL and I'm sure the Bitcoin devs are wise enough to make the switch at some point.

fenghush
January 11, 2015, 05:40:16 PM
I wasn't implying that they should reinvent the wheel, but to maintain their own fork of the libraries used. The only reason why you want to build dynamically linked binaries is to reduce their size, but it's pointless for bitcoin since you have to download 30 or so GB of blockchain data, so why not ship it with a bundle of all libraries used and statically link them? The binary file will be bigger by a couple of megabytes but I don't see it as a big deal. And this will prevent issues such as this as well as prevent attacks from 3rd party developers who willingly or unwillingly introduce vulnerabilities in the bitcoin core via updates.

> > IMHO bitcoin core should maintain its own SSL library to avoid such issues in the future, in fact it shouldn't rely on 3rd-party dynamically linked libraries, regardless of whether they're open source or not, to avoid any possible attacks too.
>
> In software development, it's generally considered unwise to reinvent something that already exists in an established and scrutinized form. LibreSSL isn't reinventing the wheel, but rather repairing a broken wheel, and as LibreSSL grows more mature, and since it's a drop-in replacement for OpenSSL, it will with time deprecate OpenSSL and I'm sure the Bitcoin devs are wise enough to make the switch at some point.

cjp
January 11, 2015, 10:47:35 PM
...and after applying the patch, Bitcoin passes its test again. Good work!

HCLivess
January 12, 2015, 12:34:14 AM
> Kind of makes me glad I haven't bothered upgrading openssl in some time.
> *blank stare*

I guess he's being sarcastic

doof
January 12, 2015, 05:53:43 AM
Apologies if it's answered already, does this affect Mac OSX?

ShadowOfHarbringer
January 12, 2015, 07:44:50 AM
Does somebody know the ETA of a fix coming out?

stolendata
January 12, 2015, 04:03:10 PM
> Apologies if it's answered already, does this affect Mac OSX?

It affects all OSes. But unless you plan on updating your OS X installation's openssl dylib yourself (and something tells me you're not), then you don't need to worry at this point. Everything is fine.

drizzt
January 12, 2015, 04:46:33 PM
Arch Linux users only need to upgrade to the 0.9.3-4 version.

Luke-Jr
January 12, 2015, 04:51:32 PM
Gentoo 0.8.6-r1 and 0.9.3-r1 have the patch to work around the issue.

> LibreSSL isn't reinventing the wheel, but rather repairing a broken wheel. As LibreSSL grows more mature, and since it's a drop-in replacement for OpenSSL, it will with time deprecate OpenSSL and I'm sure the Bitcoin devs are wise enough to make the switch at some point.

Unless LibreSSL is guaranteeing bug-for-bug compatibility with old OpenSSL, it cannot safely be used with Bitcoin. That means it MUST make sure all bugs in OpenSSL 1.0.1j are still bugs in LibreSSL. As far as I know, that is not a goal of either OpenSSL or LibreSSL, and is exactly why the new version of OpenSSL breaks Bitcoin by fixing a bug.

gmaxwell
January 12, 2015, 04:55:37 PM
The binaries from Bitcoin.org are not affected, not on any operating system. Virtually all users on Windows and OSX are not impacted, because virtually all of them use provided binaries. The only way you are possibly affected on those platforms is if you built the software for yourself and if you update OpenSSL.

> Unless LibreSSL is guaranteeing bug-for-bug compatibility with old OpenSSL, it cannot safely be used with Bitcoin.

I looked at that a while back and their massive house-keeping makes the _changes_ more or less impossible to review. (Of course, OpenSSL is more or less impossible to review to begin with; so for their purposes I cannot blame them.) Keep in mind the Bitcoin protocol doesn't use SSL. That we're using a SSL library here is an accident of history, and a bad call in general. As this update demonstrates, our needs are at odds with the needs of a SSL library.

cjp
January 12, 2015, 06:36:00 PM
> Does somebody know the ETA of a fix coming out?

For most people, this will be the answer:

> The binaries from Bitcoin.org are not affected, not on any operating system.
> Virtually all users on Windows and OSX are not impacted, because virtually all of them use provided binaries. The only way you are possibly affected on those platforms is if you built the software for yourself and if you update OpenSSL.

If you did compile your own software, then you can run "make check" in the source tree to see if you're affected. If all tests pass, you're not affected. You might want to check again after you update your system's OpenSSL.

Those who compile their own software can fix their software by applying a patch. The required changes are available on Github; e.g. here for the 0.9 branch. I created a version of the 0.9 sources that's nearly identical to the official 0.9.3 source code release for Linux, but with the fix applied: https://github.com/cornwarecjp/bitcoin/tree/b146f97935d6c17927406ea549409d232eb7ce3c

I wouldn't recommend doing development on that branch(*), but since it's nearly identical to the official release source code, it should be OK for compiling your own Bitcoin binary. Check for yourself with a diff tool what the differences are with the 0.9.3 sources and make sure you agree. In Linux desktops, you can e.g. use the "Meld" program for this, and use it to compare directories.

(*) The reason being that it's become quite different from development branches, which might make it more difficult to merge things.

bronan
January 12, 2015, 07:53:54 PM
I was thinking about setting up a bitcoin node but I guess I'll wait till all these issues get resolved. But I do not think anyone would have believed a year ago that the most secure systems on the planet would get hacked. So far we constantly read about super secure systems being infiltrated. Let's be honest, the increase in calculating power and increased usage of the internet does open up doors we never had thought about. Look at the power which modern graphic cards already have; I guess some people used the tech used for mining to make machines to break code as well, as they did in the past with graphics cards as well.

dserrano5
January 12, 2015, 07:56:51 PM
> I was thinking about setting up a bitcoin node but I guess I'll wait till all these issues get resolved

If you use the binaries from bitcoin.org you are safe (regarding this issue). Go on setting up your peer!

cr1776
January 12, 2015, 11:52:02 PM
> Does somebody know the ETA of a fix coming out?

I moved to 0.10rc2 this morning and if you are running that branch, the notes include preventive measures.

curiosity81
January 13, 2015, 06:27:13 AM
> *snip snip*
> It's an issue of what Bitcoin Core will use. If it's statically linking an OK version of OpenSSL, then updating your system OpenSSL is OK. If it's dynamically linking, then you'll have problems. The binaries on bitcoin.org statically link OpenSSL. I think that almost all Linux distros distribute versions of bitcoind/bitcoin-qt that dynamically link.

I guess this answers my main question! If you're compiling Bitcoin Core using the normal configure+make, then it'll link dynamically. I'm not sure how to force this to link statically.

This problem would also affect self-compiled altcoin wallets for which no altcoin.org version exists, wouldn't it?

fenghush
January 13, 2015, 09:05:50 AM
Run make test and see.

> > *snip snip*
> > It's an issue of what Bitcoin Core will use. If it's statically linking an OK version of OpenSSL, then updating your system OpenSSL is OK. If it's dynamically linking, then you'll have problems. The binaries on bitcoin.org statically link OpenSSL. I think that almost all Linux distros distribute versions of bitcoind/bitcoin-qt that dynamically link.
>
> I guess this answers my main question! If you're compiling Bitcoin Core using the normal configure+make, then it'll link dynamically. I'm not sure how to force this to link statically.
>
> This problem would also affect self-compiled altcoin wallets for which no altcoin.org version exists, wouldn't it?
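One way to settle the static-versus-dynamic question raised in the two posts above, as an added example that is not code from the thread or from Bitcoin Core: it reads `ldd` output and reports whether libssl/libcrypto are shared objects the binary loads at run time (so a system OpenSSL update changes its behaviour) and which libssl file that is. The sample `ldd` output is constructed so the script runs without a real build; `check_binary` is the hypothetical helper for inspecting an actual binary.

```shell
#!/bin/sh
# Added example, not code from the thread or from Bitcoin Core: decide whether
# a self-built bitcoind/bitcoin-qt loads the system OpenSSL at run time
# (dynamic link, so a system OpenSSL update changes its behaviour) or carries
# its own copy (static link, as the bitcoin.org binaries do), from `ldd` output.

# classify_linking: reads ldd output on stdin; prints "dynamic" when libssl or
# libcrypto is among the loaded shared objects, "static" otherwise.
classify_linking() {
    if grep -Eq '^[[:space:]]*lib(ssl|crypto)\.so'; then
        echo dynamic
    else
        echo static
    fi
}

# ssl_library_path: reads ldd output on stdin; prints the resolved path of
# libssl, i.e. the file a system OpenSSL upgrade would replace (empty if none).
ssl_library_path() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# check_binary (hypothetical helper): runs ldd on a real binary and reports.
# Caution: ldd may execute the binary's dynamic loader, so only run it on
# builds you trust; `objdump -p BIN | grep NEEDED` is a read-only alternative.
check_binary() {
    out=$(ldd "$1" 2>/dev/null) || { echo "ldd failed on $1" >&2; return 2; }
    kind=$(printf '%s\n' "$out" | classify_linking)
    echo "$1: $kind"
    if [ "$kind" = dynamic ]; then
        echo "libssl in use: $(printf '%s\n' "$out" | ssl_library_path)"
    fi
}

# Constructed sample ldd output (indented with spaces here; real ldd uses tabs,
# which the regex above also accepts). Not captured from a real system.
SAMPLE_DYNAMIC='    linux-vdso.so.1 =>  (0x00007ffd4a9fe000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2c9b1d0000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f2c9adf0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c9aa20000)'
SAMPLE_STATIC='    linux-vdso.so.1 =>  (0x00007ffd4a9fe000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f2c9b1d0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c9aa20000)'

printf '%s\n' "$SAMPLE_DYNAMIC" | classify_linking   # dynamic
printf '%s\n' "$SAMPLE_DYNAMIC" | ssl_library_path   # /lib/x86_64-linux-gnu/libssl.so.1.0.0
printf '%s\n' "$SAMPLE_STATIC" | classify_linking    # static
```

To inspect a real build, source the script and call `check_binary /path/to/bitcoind`; a "dynamic" result with a libssl path under /lib or /usr/lib means the distro's OpenSSL update will change what that binary accepts.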

uki
January 13, 2015, 10:46:49 AM
Same OS, my version is: OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I only don't need to upgrade to version 1.0.1k, but wait for the following one. Did I understand that correctly? Well, apparently not. Version 1.0.1f (6 Jan 2014) seems to be affected, too. Running reindexing now.

siameze
January 13, 2015, 02:40:22 PM
> > Kind of makes me glad I haven't bothered upgrading openssl in some time.
> > *blank stare*
> I guess he's being sarcastic

Well sarcasm is one of those things that doesn't translate well on forums sometimes. [/sarcasm] tags may be appropriate in the future.

Geronymo
January 13, 2015, 07:22:30 PM
Sorry, but what is the actual BC version atm?