bit_stacker
January 27, 2015, 02:36:53 AM
Any word on 1.0.2?
"Bitcoin: the cutting edge of begging technology." -- Giraffe.BTC

najjmi4u
Newbie
Offline
Activity: 1
Merit: 0
January 27, 2015, 04:25:54 AM
Thanks a lot for giving this info to us, because any info from you is valid for us, and it is much better for us. Good for us.

arnuschky
January 27, 2015, 09:34:31 PM
same OS, my version is: OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I just don't need to upgrade to version 1.0.1k, but should wait for the following one. Did I understand that correctly?

Well, apparently not. Version 1.0.1f (6 Jan 2014) seems to be affected, too. Running reindexing now. I can confirm that version 1.0.1f (6 Jan 2014) caused 4 test failures here as well. The problem is that distributions tend to backport updates that are marked as security updates (as this one is).

arnuschky
January 27, 2015, 09:44:13 PM (Last edit: January 27, 2015, 10:22:20 PM by arnuschky)
same OS, my version is: OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I just don't need to upgrade to version 1.0.1k, but should wait for the following one. Did I understand that correctly?

Well, apparently not. Version 1.0.1f (6 Jan 2014) seems to be affected, too. Running reindexing now. I can confirm that version 1.0.1f (6 Jan 2014) caused 4 test failures here as well. The problem is that distributions tend to backport updates that are marked as security updates (as this one is).

Here you go for Ubuntu: this is the security update that backports this patch to Ubuntu 14.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS, and Ubuntu 10.04 LTS: http://www.ubuntu.com/usn/usn-2459-1/

That means: if you are running any of the Ubuntu (server) versions above, you are very likely affected. If you are running Ubuntu LTS, you are for sure affected. In these cases, don't upgrade your OpenSSL installation. Here's the list of package versions that you should NOT install (that is, the package versions with the backported patch):

Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.1
Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.23

How to avoid upgrading accidentally? Simply execute:

sudo apt-mark hold openssl

PS: don't trust the version reported by as it does not cover the backports. Execute dpkg -s openssl | grep Version to see which version you have.

buycoin.cc
Newbie
Offline
Activity: 28
Merit: 0
January 28, 2015, 12:42:41 AM
Greg Maxwell's announcement: http://sourceforge.net/p/bitcoin/mailman/message/33221963/

Summary: There is a problem with the most recent release of OpenSSL which will cause issues for some users of Bitcoin Core on Linux. This is not a critical security issue, but everyone using Bitcoin Core on Linux should read the following information, especially if you're automatically processing Bitcoin payments. The worst-case scenario is that you might accept transactions as confirmed which are later reversed.

You are likely to be affected only if:
- You use Linux.
- You installed Bitcoin Core using your distro's package manager or you compiled Bitcoin Core yourself without using gitian. You are not affected if you use the binaries on bitcoin.org.
- You upgrade your system's OpenSSL to 1.0.0p or 1.0.1k. These were security-fix releases, so your package manager might have updated them automatically.

If you are affected, then your client might become stuck at a particular block, and you'll have to reindex the block chain to fix it. In some conceivable but unlikely scenarios, you might see incoming transactions as having 6+ confirmations when the transactions are actually invalid. If you are a pool operator, then you could conceivably start mining on a false chain, which would cause you to lose all of your future blocks until you fix this.

If you are using an affected version of Bitcoin Core, you should either make sure that your system OpenSSL does not get updated or shut down Bitcoin Core until an update fixing this is released in a day or two. If Bitcoin Core is already stuck and showing the "We do not appear to fully agree with our peers!" message, shut it down until an update fixing this is released; when you run that version, you'll have to run it with the -reindex switch.

Hello, I am developing a trading platform now, and I must compile the bitcoin source code myself, so which version of openssl can I use? Thanks.

My other question is: why doesn't the bitcoin system maintain one correct branch of openssl?

Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
January 28, 2015, 01:08:10 AM
I am developing a trading platform now, and I must compile the bitcoin source code myself, so which version of openssl can I use? Thanks.

At this point, just use 0.9.4.

My other question is: why doesn't the bitcoin system maintain one correct branch of openssl?

Too large a codebase of mostly obfuscated spaghetti code. It's going to be replaced with libsecp256k1 (which we do maintain) "soon" (planned since before this issue).

buycoin.cc
Newbie
Offline
Activity: 28
Merit: 0
January 28, 2015, 02:01:34 AM
I am developing a trading platform now, and I must compile the bitcoin source code myself, so which version of openssl can I use? Thanks.

At this point, just use 0.9.4.

My other question is: why doesn't the bitcoin system maintain one correct branch of openssl?

Too large a codebase of mostly obfuscated spaghetti code. It's going to be replaced with libsecp256k1 (which we do maintain) "soon" (planned since before this issue).

Thank you very much. Can I use 0.9.4 and openssl-0.9.8? I plan to support more peer-to-peer Internet currencies on my trading platform, and I guess other p2p currencies have the same problem, so I want to use one unified version of openssl to compile all the source code.

buycoin.cc
Newbie
Offline
Activity: 28
Merit: 0
January 28, 2015, 02:44:20 AM
I am developing a trading platform now, and I must compile the bitcoin source code myself, so which version of openssl can I use? Thanks.

At this point, just use 0.9.4.

My other question is: why doesn't the bitcoin system maintain one correct branch of openssl?

Too large a codebase of mostly obfuscated spaghetti code. It's going to be replaced with libsecp256k1 (which we do maintain) "soon" (planned since before this issue).

And, I ran the official bitcoind 0.9.3 to download all the block data, with no transactions yet, but a few days ago I changed to the 0.9.3 source code compiled with openssl 1.0.0k and continued to sync the block data. Do I still need to run -reindex to fix it?

triplef
Full Member
Offline
Activity: 338
Merit: 100
https://eloncity.io/
January 31, 2015, 04:44:15 AM (Last edit: January 31, 2015, 04:54:40 AM by triplef)
same OS, my version is: OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I just don't need to upgrade to version 1.0.1k, but should wait for the following one. Did I understand that correctly?

Well, apparently not. Version 1.0.1f (6 Jan 2014) seems to be affected, too. Running reindexing now. I can confirm that version 1.0.1f (6 Jan 2014) caused 4 test failures here as well. The problem is that distributions tend to backport updates that are marked as security updates (as this one is).

Here you go for Ubuntu: this is the security update that backports this patch to Ubuntu 14.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS, and Ubuntu 10.04 LTS: http://www.ubuntu.com/usn/usn-2459-1/

That means: if you are running any of the Ubuntu (server) versions above, you are very likely affected. If you are running Ubuntu LTS, you are for sure affected. In these cases, don't upgrade your OpenSSL installation. Here's the list of package versions that you should NOT install (that is, the package versions with the backported patch):

Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.1
Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.23

How to avoid upgrading accidentally? Simply execute:

sudo apt-mark hold openssl

PS: don't trust the version reported by as it does not cover the backports. Execute dpkg -s openssl | grep Version to see which version you have.

How do you downgrade?

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.8

arnuschky
January 31, 2015, 01:29:20 PM
How do you downgrade?

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.8

You need to search for the version you need, download it for your architecture, and install it manually. For example, in this case you search for 1.0.1f-1ubuntu2.7. You can find it here: https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.7

Select your architecture and download the .deb package of openssl and libssl (and the -dev packages if you need them). Then install them using dpkg. Assuming that you're on 64bit:

wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/openssl_1.0.1f-1ubuntu2.7_amd64.deb
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i openssl_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb

That's it.

gigantic
Member
Offline
Activity: 89
Merit: 10
January 31, 2015, 05:27:51 PM
How do you downgrade?

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.8

You need to search for the version you need, download it for your architecture, and install it manually. For example, in this case you search for 1.0.1f-1ubuntu2.7. You can find it here: https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.7

Select your architecture and download the .deb package of openssl and libssl (and the -dev packages if you need them). Then install them using dpkg. Assuming that you're on 64bit:

wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/openssl_1.0.1f-1ubuntu2.7_amd64.deb
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i openssl_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb

That's it.

Thank you very much for this. But it seems now I can't update & upgrade Ubuntu; it says something about wrong dependencies. Any solution for that?

arnuschky
February 01, 2015, 11:14:24 AM
Thank you very much for this. But it seems now I can't update & upgrade Ubuntu; it says something about wrong dependencies. Any solution for that?

Without you telling me which dependencies are wrong, no. Most likely, you downgraded only part of your openssl packages, leaving some at the newer version. Make sure that you downgrade them all. Do a dpkg -l | grep '1.0.1f' to see if there are different versions installed.

gigantic
Member
Offline
Activity: 89
Merit: 10
February 02, 2015, 06:17:21 AM
Thank you very much for this. But it seems now I can't update & upgrade Ubuntu; it says something about wrong dependencies. Any solution for that?

Without you telling me which dependencies are wrong, no. Most likely, you downgraded only part of your openssl packages, leaving some at the newer version. Make sure that you downgrade them all. Do a dpkg -l | grep '1.0.1f' to see if there are different versions installed.

Okay, I think you are correct. Here is the output:

iU libssl1.0.0:amd64 1.0.1f-1ubuntu2.7 amd64 Secure Sockets Layer toolkit - shared libraries
iF libssl1.0.0:i386 1.0.1f-1ubuntu2.8 i386 Secure Sockets Layer toolkit - shared libraries
hi openssl 1.0.1f-1ubuntu2.7 amd64 Secure Sockets Layer toolkit - cryptographic utility

It has libssl 2.8. How do I completely remove it? I am using Ubuntu 14.04 64 bit. Thank you very much!

arnuschky
February 02, 2015, 07:37:55 AM
You also need to download the i386 version of libssl (same procedure as the other packages above).

dserrano5
Legendary
Offline
Activity: 1974
Merit: 1029
February 02, 2015, 08:23:59 AM
iU libssl1.0.0:amd64 1.0.1f-1ubuntu2.7 amd64 Secure Sockets Layer toolkit - shared libraries
iF libssl1.0.0:i386 1.0.1f-1ubuntu2.8 i386 Secure Sockets Layer toolkit - shared libraries

You have broken packages; those "iU" and "iF" at the beginning of the lines are pretty nasty. Run 'apt-get -f install'.
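The checks the last few posts walk through by hand (the list of backported package versions arnuschky posted, his dpkg -l | grep '1.0.1f' comparison, and the iU/iF status flags dserrano5 points at) can be done in one pass over dpkg -l output. The script below is an added example, not code from the thread or from Debian/Ubuntu; the sample output it parses is constructed, modelled on the three lines gigantic posted, and the hold list follows Cryddit's later advice to hold openssl, libssl1.0.0 and libssl-dev. It reports packages at a backported version, the same package installed at different versions on different architectures, dpkg status flags other than a clean install, and relevant packages that are not on hold.

```python
"""Audit `dpkg -l` output for the OpenSSL packages discussed in this thread.

Added example (not the thread's or the distribution's code). Run stand-alone
it audits the constructed sample below; piped real output (`dpkg -l 'openssl'
'libssl*' | python3 audit_openssl.py`) is audited instead.
"""
import re
import sys
from collections import defaultdict

# Package versions carrying the backported patch, as listed in the thread.
BACKPORTED_VERSIONS = {
    "1.0.1f-1ubuntu9.1",   # Ubuntu 14.10, libssl1.0.0
    "1.0.1f-1ubuntu2.8",   # Ubuntu 14.04 LTS, libssl1.0.0
    "1.0.1-4ubuntu5.21",   # Ubuntu 12.04 LTS, libssl1.0.0
    "0.9.8k-7ubuntu8.23",  # Ubuntu 10.04 LTS, libssl0.9.8
}

# Packages the thread says to keep on hold (apt-mark hold ...).
HOLD_SET = {"openssl", "libssl1.0.0", "libssl-dev"}

# A `dpkg -l` row: status flags, name[:arch], version, architecture, description.
_ROW = re.compile(r"^(\S{2,3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# Constructed sample, modelled on the output gigantic posted above.
SAMPLE_DPKG_L = """\
iU  libssl1.0.0:amd64  1.0.1f-1ubuntu2.7  amd64  Secure Sockets Layer toolkit - shared libraries
iF  libssl1.0.0:i386   1.0.1f-1ubuntu2.8  i386   Secure Sockets Layer toolkit - shared libraries
hi  openssl            1.0.1f-1ubuntu2.7  amd64  Secure Sockets Layer toolkit - cryptographic utility
"""


def parse_dpkg_l(text):
    """Return one dict per package row; the dpkg legend/header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        status, name, version, arch, _desc = m.groups()
        # First flag is the desired action (u/i/r/p/h); header lines start with '|'.
        if status[0] not in "uihrp":
            continue
        rows.append({"status": status, "name": name, "package": name.split(":")[0],
                     "version": version, "arch": arch})
    return rows


def audit(rows):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    versions_by_package = defaultdict(set)
    for r in rows:
        if r["version"] in BACKPORTED_VERSIONS:
            findings.append(f"{r['name']} is at backported version {r['version']}")
        # dpkg prints the second flag in uppercase when the state is bad
        # (U = unpacked, F = half-configured); 'ii' and 'hi' are clean installs.
        if len(r["status"]) >= 2 and r["status"][1].isupper():
            findings.append(f"{r['name']} has status {r['status']!r} (not fully configured)")
        versions_by_package[r["package"]].add(r["version"])
    for pkg, versions in sorted(versions_by_package.items()):
        if len(versions) > 1:
            findings.append(f"{pkg} installed at mixed versions: {', '.join(sorted(versions))}")
    return findings


def not_held(rows):
    """Names of HOLD_SET packages whose desired action is not 'h' (hold)."""
    return sorted(r["name"] for r in rows
                  if r["package"] in HOLD_SET and r["status"][0] != "h")


if __name__ == "__main__":
    text = SAMPLE_DPKG_L if sys.stdin.isatty() else sys.stdin.read()
    rows = parse_dpkg_l(text)
    for finding in audit(rows):
        print("FINDING:", finding)
    print("not on hold:", ", ".join(not_held(rows)) or "none")
```

On the sample this flags the i386 libssl1.0.0 at the backported 2.8 version, both libssl1.0.0 rows as not fully configured, libssl1.0.0 at mixed versions across architectures, and both libssl1.0.0 packages as not on hold; openssl itself is already held ("hi").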

Cryddit
Legendary
Offline
Activity: 924
Merit: 1129
February 07, 2015, 10:39:56 PM
This is probably well after most people have already patched or defended against this, but the patch in question just got rolled out for Debian Jessie.
Jessie has been on openssl 1.0.1j up until now, and they're rolling out the 'k' version.
When upgrading Debian Jessie:
If you are otherwise vulnerable (compiled it yourself), you need to hold three items because of the way Debian breaks things up into smaller chunks.
Before upgrading your system do the following, either with 'sudo' or as root:
apt-mark hold openssl libssl1.0.0 libssl-dev

hashman
Legendary
Offline
Activity: 1264
Merit: 1008
February 07, 2015, 10:56:33 PM
It looks like no altcoins have addressed this. What does this mean for their vulnerability?

Cryddit
Legendary
Offline
Activity: 924
Merit: 1129
February 07, 2015, 11:11:15 PM
It looks like no altcoins have addressed this. What does this mean for their vulnerability?

Those based on Bitcoin or Litecoin sources (which, to be fair, is almost all of them) are at least possibly vulnerable if they have not merged the recent fixes from Bitcoin core or formed equivalent fixes. That said, their blockchains are mostly much smaller and contain, in relative numbers, almost no transactions. Whether they are vulnerable in practice depends on whether their blockchains do or don't contain any blocks that the new SSL will find problematic when their users upgrade their SSL. So, if someone wanted to destroy a whole bunch of altcoins right now, he could deliberately mine blocks that fail the new SSL check and pass the old SSL check. They'd all hang when they tried to process the bogus block.

Dogecoin
February 08, 2015, 12:07:45 PM
It looks like no altcoins have addressed this. What does this mean for their vulnerability?

We applied a patch to our source back on the 9th Jan (https://github.com/dogecoin/dogecoin/commit/6fa9a5e31a46120ffc772d7e8ca748b851c78f7f), and new binaries have been released compiled against OpenSSL 1.0.1l. I've also worked on a couple of open source libraries to ensure they're compatible as well. I believe Darkcoin patched very early on too. So, I would imagine a large number of alts haven't applied these patches, but it's almost certainly not "no altcoins".
Dogecoin developer comments
PMs are not read, please message individuals directly if needed.

Dogecoin
February 08, 2015, 12:18:47 PM
So, if someone wanted to destroy a whole bunch of altcoins right now, he could deliberately mine blocks that fail the new SSL check and pass the old SSL check. They'd all hang when they tried to process the bogus block.

My understanding (which is to say, I've only read the documentation, I haven't run a full simulation of this) is that the code doesn't hang, it simply rejects non-strict DER signatures. What you'd see is some nodes accepting transactions which others reject, so the result is actually a hard fork.
Dogecoin developer comments
PMs are not read, please message individuals directly if needed.
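The disagreement the last two posts describe, a signature that a permissive parser decodes but a strict DER check rejects, is easiest to see on concrete bytes. The example below is added here and is not code from the thread, from OpenSSL or from Bitcoin Core: is_strict_der applies the strict DER rules for an ECDSA signature (a SEQUENCE of two positive, minimally encoded INTEGERs, as BIP66 lists them), and decode_lenient is a deliberately tolerant BER-style reader constructed to stand in for the permissive behaviour the thread contrasts it with; it is not OpenSSL's parser. The signature values are constructed, and the checks operate on the bare DER signature without the trailing sighash byte Bitcoin appends.

```python
"""Strict vs. lenient DER parsing of ECDSA signatures (added example)."""


def encode_strict(r, s):
    """Minimal DER: SEQUENCE { INTEGER r, INTEGER s } with positive, minimal integers."""
    def der_int(v):
        # Minimal big-endian bytes, plus one leading 0x00 only if the high bit is set.
        return b"\x02" + bytes([(v.bit_length() + 8) // 8]) + v.to_bytes((v.bit_length() + 8) // 8, "big")
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body


def is_strict_der(sig):
    """Strict DER check for a bare ECDSA signature (no sighash byte), per BIP66's rules."""
    n = len(sig)
    if n < 8 or n > 72 or sig[0] != 0x30 or sig[1] != n - 2:
        return False
    len_r = sig[3]
    if 5 + len_r >= n:
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 6 != n:
        return False
    # r: INTEGER tag, non-empty, not negative, no redundant leading zero.
    if sig[2] != 0x02 or len_r == 0 or sig[4] & 0x80:
        return False
    if len_r > 1 and sig[4] == 0x00 and not (sig[5] & 0x80):
        return False
    # s: same rules, offset past r.
    if sig[len_r + 4] != 0x02 or len_s == 0 or sig[len_r + 6] & 0x80:
        return False
    if len_s > 1 and sig[len_r + 6] == 0x00 and not (sig[len_r + 7] & 0x80):
        return False
    return True


def _read_len(buf, i):
    """BER length: short form, or long form (0x8N followed by N length bytes)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    count = first & 0x7F
    if count == 0 or i + 1 + count > len(buf):
        raise ValueError("bad length")
    return int.from_bytes(buf[i + 1:i + 1 + count], "big"), i + 1 + count


def decode_lenient(sig):
    """Tolerant stand-in for a permissive parser: accepts long-form lengths and
    non-minimal integers, reads INTEGERs as two's complement, returns (r, s)."""
    if not sig or sig[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    seq_len, i = _read_len(sig, 1)
    end = i + seq_len
    if end > len(sig):
        raise ValueError("truncated")
    ints = []
    while i < end:
        if sig[i] != 0x02:
            raise ValueError("expected INTEGER")
        n, i = _read_len(sig, i + 1)
        if i + n > end:
            raise ValueError("truncated")
        ints.append(int.from_bytes(sig[i:i + n], "big", signed=True))
        i += n
    if len(ints) != 2:
        raise ValueError("expected exactly two INTEGERs")
    return ints[0], ints[1]


# Three re-encodings of a strict signature that keep its bytes parseable but non-strict.
def with_long_form_length(sig):
    """Outer SEQUENCE length written in long form (0x81 LL) instead of one byte."""
    return b"\x30\x81" + sig[1:]


def with_excess_leading_zero(sig):
    """A redundant 0x00 prepended to r (same value, not minimally encoded)."""
    len_r = sig[3]
    body = b"\x02" + bytes([len_r + 1]) + b"\x00" + sig[4:4 + len_r] + sig[4 + len_r:]
    return b"\x30" + bytes([len(body)]) + body


def with_negative_r(sig):
    """The 0x00 that keeps a high-bit r positive dropped, so r reads as negative."""
    len_r = sig[3]
    body = b"\x02" + bytes([len_r - 1]) + sig[5:4 + len_r] + sig[4 + len_r:]
    return b"\x30" + bytes([len(body)]) + body


def classify(sig):
    """How the two parsers treat one signature: 'accepted-by-both', 'lenient-only'
    (the split the thread describes) or 'rejected-by-both'."""
    try:
        decode_lenient(sig)
    except ValueError:
        return "rejected-by-both"
    return "accepted-by-both" if is_strict_der(sig) else "lenient-only"


if __name__ == "__main__":
    good = encode_strict(2**255 + 12345, 2**200 + 999)  # constructed values
    for label, variant in [("strict", good), ("long-form length", with_long_form_length(good)),
                           ("excess leading zero", with_excess_leading_zero(good)),
                           ("negative r", with_negative_r(good))]:
        print(f"{label:20s} {classify(variant)}")
```

The long-form and excess-leading-zero variants decode to exactly the same (r, s) as the strict encoding, so a lenient verifier would accept them while a strict one rejects the bytes outright; that is the "some nodes accept, others reject" outcome described above, and it is a property of the encoding, not of the signature's mathematical validity.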