
Topic: Bitcoin Core (Bitcoin-Qt) 0.9.1 released - update required - page 10. (Read 64172 times)

legendary
Activity: 2198
Merit: 1014
Franko is Freedom
I hate being forced into new updates. Like MoonShadow once said (and I am paraphrasing): "I like to wait until they have ironed out the bugs with new releases before I update". I've been following that same rule, and only update if it's absolutely necessary. Which is why I never even upgraded to v0.9

If you know how to use (or can figure it out) Gitian you could always recompile your favourite version of Bitcoin-qt with the newer version of OpenSSL.

Third parties could do the same thing but obviously that would require a lot of trust.

Yup, pretty easy stuff.
administrator
Activity: 5222
Merit: 13032
Is there a quick guide to install this ?

I have just switched from windows to Ubuntu, Help!

I got 0.9.0 installed via PPA but the PPA is not updated yet ( + I would like to know how to do it without)

I have :-

Downloaded bitcoin-0.9.1-linux.tar.gz

Then tar xvzf bitcoin-0.9.1-linux.tar.gz


This gives me a folder with bin + src but no ./configure. src has but that fails.

Obviously I just don't get it Grin



The downloaded bin directory contains a few executable files. Find the locations of those files already on your system and replace them with the new versions. Maybe they're in /usr/bin?
administrator
Activity: 5222
Merit: 13032
How can you tell when you are using rpcssl? What activates/turns it on? I've never manually run any RPC commands that had to do with SSL. Just importing privkeys.

When you run bitcoind, you can run it with a number of command-line switches such as -config=..., -connect=..., etc. If you run bitcoind with -rpcssl=1, then you're potentially vulnerable to this bug.
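
One way to check the condition described in the reply above, as an added example that is not part of the original thread. It assumes the option may also be set in bitcoin.conf (written there without the leading dash); the function names and the default path `~/.bitcoin/bitcoin.conf` are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Conservative audit: answers "on" if ANY
# setting found enables rpcssl; option precedence is not modelled.
# Assumptions: bitcoin.conf spells the option without the dash (rpcssl=1),
# a bare or empty-valued flag counts as enabled, non-numeric values as off.

# is_on VALUE: succeeds when VALUE is empty or a non-zero integer.
is_on() {
    case "$1" in
        '') return 0 ;;
        *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ne 0 ]
}

# conf_has_rpcssl FILE: succeeds if a non-comment line enables rpcssl.
conf_has_rpcssl() {
    [ -r "$1" ] || return 1
    for v in $(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
               sed -n 's/^rpcssl=/=/p'); do
        is_on "${v#=}" && return 0
    done
    return 1
}

# args_have_rpcssl ARG...: succeeds if a bitcoind argument enables rpcssl.
args_have_rpcssl() {
    for a in "$@"; do
        case "$a" in
            -rpcssl|--rpcssl) return 0 ;;
            -rpcssl=*|--rpcssl=*) is_on "${a#*=}" && return 0 ;;
        esac
    done
    return 1
}

# rpcssl_status CONF ARG...: prints "on" or "off".
rpcssl_status() {
    conf=$1; shift
    if conf_has_rpcssl "$conf" || args_have_rpcssl "$@"; then
        echo on
    else
        echo off
    fi
}

# Run as: sh check.sh ~/.bitcoin/bitcoin.conf $(ps -o args= -C bitcoind)
if [ "$#" -gt 0 ]; then rpcssl_status "$@"; fi
```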
legendary
Activity: 1022
Merit: 1001
I'd fight Gandhi.
I hate being forced into new updates. Like MoonShadow once said (and I am paraphrasing): "I like to wait until they have ironed out the bugs with new releases before I update". I've been following that same rule, and only update if it's absolutely necessary. Which is why I never even upgraded to v0.9

That's a good policy. I also do that. You don't need to update from versions older than 0.9.0 unless you're using rpcssl. Most people aren't.
How can you tell when you are using rpcssl? What activates/turns it on? I've never manually run any RPC commands that had to do with SSL. Just importing privkeys.
sr. member
Activity: 1316
Merit: 254
Is there a quick guide to install this ?

I have just switched from windows to Ubuntu, Help!

I got 0.9.0 installed via PPA but the PPA is not updated yet ( + I would like to know how to do it without)

I have :-

Downloaded bitcoin-0.9.1-linux.tar.gz

Then tar xvzf bitcoin-0.9.1-linux.tar.gz


This gives me a folder with bin + src but no ./configure. src has but that fails.

Obviously I just don't get it Grin

legendary
Activity: 2268
Merit: 1092
I hate being forced into new updates. Like MoonShadow once said (and I am paraphrasing): "I like to wait until they have ironed out the bugs with new releases before I update". I've been following that same rule, and only update if it's absolutely necessary. Which is why I never even upgraded to v0.9

If you know how to use (or can figure it out) Gitian you could always recompile your favourite version of Bitcoin-qt with the newer version of OpenSSL.

Third parties could do the same thing but obviously that would require a lot of trust.
STT
legendary
Activity: 4088
Merit: 1452
If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.


What about to use ALERT
https://en.bitcoin.it/wiki/Alerts

My exact thoughts. I think this is serious enough.

alert is like defcon 1 I think, I'm trying to imagine the crypto equal of an impending nuclear winter

Quote
This vulnerability is caused by a critical bug in the OpenSSL library used by Bitcoin Core. Successfully attacking Bitcoin Core by means of this bug seems to be difficult in most cases, and it seems at this point that even successful attacks may be limited, but I recommend taking the above actions just in case.


I shivered for a moment. Next time try mentioning the good news first.

Thanks for the heads up!
I think action first is probably wise, prevention before cure?


My noob question here is could gox claim this bug had any influence at all in their case

Quote
That's a good policy. I also do that. You don't need to update from versions older than 0.9.0 unless you're using rpcssl. Most people aren't.

Do they do alpha beta test before then allowing a recommended update to the masses
sr. member
Activity: 299
Merit: 250
I'm using Armory 0.90-beta with bitcoind 0.9.0. I don't believe I've ever used rpcssl -- but I'm not sure. I have an encrypted online wallet, and an offline wallet. Could my wallets be compromised?
administrator
Activity: 5222
Merit: 13032
I hate being forced into new updates. Like MoonShadow once said (and I am paraphrasing): "I like to wait until they have ironed out the bugs with new releases before I update". I've been following that same rule, and only update if it's absolutely necessary. Which is why I never even upgraded to v0.9

That's a good policy. I also do that. You don't need to update from versions older than 0.9.0 unless you're using rpcssl. Most people aren't.

EDIT: Also, are the cold addresses generated from bitaddress.org safe? Most of my cold Bitcoins are stored on addresses (with their keys) generated from bitaddress.org (i.e. the "Bulk Wallet" option)

bitaddress.org's HTTPS may have been compromised due to this OpenSSL bug, which could have allowed a man-in-the-middle to serve you malicious JavaScript.

I recommend not using JavaScript Bitcoin software for anything important.

I created 4 private keys offline in Bitcoin-QT 9.0 via TailsOS. My client never touched the internet, do I need to bring my cold storage online to create 4 new wallets in 9.1?

No, but don't ever run your 0.9.0 installation. When you want to access your cold storage, update to the latest version first.
newbie
Activity: 28
Merit: 1
I created 4 private keys offline in Bitcoin-QT 9.0 via TailsOS. My client never touched the internet, do I need to bring my cold storage online to create 4 new wallets in 9.1?

Man I'm worried now, I guess I will bring my wallets online tomorrow and create 4 new wallets *sigh*
full member
Activity: 217
Merit: 101
It should depend on whether RPC accepts connections from the network by default config or not. If it does, then wallets on such systems can be compromised and need a replacement. If it does not, and the user did not open it to the network, then there are no reasons to worry.
legendary
Activity: 1498
Merit: 1000
How about alt-coin-wallets based on pre-0.9 code?



Yes, alt-coin wallets are affected. Unless they switched out OpenSSL.
full member
Activity: 197
Merit: 100
How about alt-coin-wallets based on pre-0.9 code?

hero member
Activity: 715
Merit: 500
how does this bug get triggered? just by having the client running?

or do you need to click a payment link (or something external to the client).. in other words just initiating a transfer via copy/pasting an address was safe?
+1
I want to know as well.

EDIT: Also, are the cold addresses generated from bitaddress.org safe? Most of my cold Bitcoins are stored on addresses (with their keys) generated from bitaddress.org (i.e. the "Bulk Wallet" option)

I'm also curious. I'd rather not update if not necessary.

If necessary, is a standard update ok? Or is an entirely new wallet required?
legendary
Activity: 1022
Merit: 1001
I'd fight Gandhi.
how does this bug get triggered? just by having the client running?

or do you need to click a payment link (or something external to the client).. in other words just initiating a transfer via copy/pasting an address was safe?
+1
I want to know as well.

I hate being forced into new updates. Like MoonShadow once said (and I am paraphrasing): "I like to wait until they have ironed out the bugs with new releases before I update". I've been following that same rule, and only update if it's absolutely necessary. Which is why I never even upgraded to v0.9

EDIT: Also, are the cold addresses generated from bitaddress.org safe? Most of my cold Bitcoins are stored on addresses (with their keys) generated from bitaddress.org (i.e. the "Bulk Wallet" option)
member
Activity: 98
Merit: 10
I created 4 private keys offline in Bitcoin-QT 9.0 via TailsOS. My client never touched the internet, do I need to bring my cold storage online to create 4 new wallets in 9.1?
If wallets were offline 100% of the time - I think they can't be abused by this bug.
newbie
Activity: 28
Merit: 1
I created 4 private keys offline in Bitcoin-QT 9.0 via TailsOS. My client never touched the internet, do I need to bring my cold storage online to create 4 new wallets in 9.1?
full member
Activity: 725
Merit: 142
Did you check control sums? Just offload bitcoin.org a little bit Cheesy
By the way may this bug be used to empty gox and bitfunder?

SHA-256 checksum of the magnet link matches what I have from the bitcoin.org download.

On the other hand, it's a critical piece of software and only ~60MB; I would still only download from the official source.
member
Activity: 98
Merit: 10
I was using Mac OS X Bitcoin-Qt 0.8.6. As far as I know, I've never used the rpcssl command line option.

So if this rpcssl option is not on by default, then this vulnerability could not have affected me, right?

I've already updated to 0.9.1. I just want to know if I have to go through the emergency measures of creating a new wallet and transferring everything to it.

That's kind of disruptive because it means updating all my miner configs as well. Unless I can preserve my old addresses in the new wallet. Never had to do that so I don't know if it works or not.
If I were a miner - I would create 3-10 OFFLINE wallets with 10+ addresses each. And then re-conf miners every few weeks with a new addr.

A new wallet from time to time is a good idea.

And they can still mine (for a time) to the old wallet - you can just transfer mined BTC to the new wallet every X days...
And slowly change your configs...

Just my 2 satoshis
legendary
Activity: 1150
Merit: 1004
I was using Mac OS X Bitcoin-Qt 0.8.6. As far as I know, I've never used the rpcssl command line option.

So if this rpcssl option is not on by default, then this vulnerability could not have affected me, right?

I've already updated to 0.9.1. I just want to know if I have to go through the emergency measures of creating a new wallet and transferring everything to it.

That's kind of disruptive because it means updating all my miner configs as well. Unless I can preserve my old addresses in the new wallet. Never had to do that so I don't know if it works or not.