Topic: Electrum-4.4.6 Released. Fixes several lightning-related security issues (Read 212 times)

legendary
Activity: 2394
Merit: 5531
Self-proclaimed Genius
Did 4.4.6 remove the wallet export option? Is there a way to still export the wallet info for tracking my BTC transactions?
Wallet export or Wallet information?

Wallet export isn't available on Android at the moment;
wallet information is still accessible in both the Desktop and Android versions.

But if it's tracking that you want, you only need the master (extended) public key from the wallet information.
To get to wallet info in the Android version: click the wallet name above, then select "Wallet details".
Your master public key should be listed there unless you're using an 'imported wallet'.
newbie
Activity: 3
Merit: 0
Did 4.4.6 remove the wallet export option? Is there a way to still export the wallet info for tracking my BTC transactions?
newbie
Activity: 1
Merit: 0
Today I downloaded electrum-4.4.6.dmg and it fails signature verification against electrum-4.4.6.dmg.asc. Both files are from https://electrum.org/#download. I use GPG Keychain v1.12 on macOS 13.5.2 (22G91). The files for version 4.0.9 pass verification.

Update: I found public keys of SomberNight and Emzy. Now verification is ok.
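The failure and the fix described in the post above, reproduced end to end as an added example (this is not Electrum's code, nor the Electrum developers' release tooling). It assumes the `gpg` binary is on PATH; the signing key, the "release" bytes and the fingerprint allow-list are all constructed for the demo. The important part is `verify_release`: it reads gpg's machine-readable status lines rather than its exit code, because "no public key", "good signature from a key I never vetted" and "tampered file" all make gpg exit non-zero, and only the first of those is cured by importing a key.

```python
"""Verify a detached GPG signature on a release file, and see why it fails
before the signer's public key is imported.

Added example, not Electrum's code. Assumes `gpg` is on PATH. The key,
the file contents and the allow-list are constructed here for the demo;
a real allow-list must hold the developers' fingerprints as obtained from
a source you already trust, not copied from the page that serves the files."""
import os
import subprocess
import tempfile

# Constructed sample "release" bytes; stands in for electrum-4.4.6.dmg.
SAMPLE_RELEASE = b"pretend this is a disk image\n"


def _gpg(home, *args, stdin=None):
    """Run gpg against an isolated keyring directory.
    Returns (exit code, raw stdout). Status lines are requested on stdout with
    --status-fd so callers can parse them instead of trusting the exit code."""
    cmd = ["gpg", "--batch", "--no-tty", "--homedir", home, "--status-fd", "1", *args]
    r = subprocess.run(cmd, input=stdin, capture_output=True)
    return r.returncode, r.stdout.decode("utf-8", errors="replace")


def verify_release(home, file_path, sig_path, trusted_fprs):
    """Classify a detached-signature check. Returns one of:
      'ok'        good signature, and the signer is in trusted_fprs
      'untrusted' good signature, but from a key not in the allow-list
      'no-pubkey' the signer's public key is not in this keyring (import it)
      'bad'       signature does not match the file (tampered or wrong file)
    gpg's exit code alone conflates the last three, so read [GNUPG:] lines."""
    allow = {f.upper() for f in trusted_fprs}
    _, out = _gpg(home, "--verify", sig_path, file_path)
    for line in out.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "[GNUPG:]":
            continue
        if tok[1] == "VALIDSIG":
            # tok[2] is the signing (sub)key fingerprint, tok[-1] the primary key's.
            # VALIDSIG says the math checks out; it says nothing about whose key it is.
            hit = tok[2].upper() in allow or tok[-1].upper() in allow
            return "ok" if hit else "untrusted"
        if tok[1] == "NO_PUBKEY":
            return "no-pubkey"
        if tok[1] == "BADSIG":
            return "bad"
    return "bad"


def demo():
    """Walk through the poster's situation with a throwaway key: verification
    fails until the signer's key is imported, succeeds afterwards, and fails
    again if the downloaded file is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        signer_home, user_home = os.path.join(tmp, "signer"), os.path.join(tmp, "user")
        for d in (signer_home, user_home):
            os.mkdir(d, 0o700)
        release = os.path.join(tmp, "electrum-demo.dmg")
        sig = release + ".asc"
        with open(release, "wb") as f:
            f.write(SAMPLE_RELEASE)

        # --- release-manager side: throwaway, passphrase-less key (demo only) ---
        _gpg(signer_home, "--pinentry-mode", "loopback", "--passphrase", "",
             "--quick-generate-key", "Demo Signer <demo@example.invalid>",
             "default", "default", "never")
        _, listing = _gpg(signer_home, "--with-colons", "--with-fingerprint", "--list-keys")
        fpr = next(l.split(":")[9] for l in listing.splitlines() if l.startswith("fpr:"))
        _gpg(signer_home, "--armor", "--detach-sign", "--output", sig, release)
        _, exported = _gpg(signer_home, "--armor", "--export", fpr)
        pubkey = "\n".join(l for l in exported.splitlines()
                           if not l.startswith("[GNUPG:]")).encode()

        # --- user side: empty keyring, like a fresh GPG install ---
        results = {"before_import": verify_release(user_home, release, sig, [fpr])}
        _gpg(user_home, "--import", stdin=pubkey)      # the step that fixed it for the poster
        results["after_import"] = verify_release(user_home, release, sig, [fpr])
        results["wrong_allowlist"] = verify_release(user_home, release, sig, ["0" * 40])
        with open(release, "ab") as f:                 # simulate a tampered download
            f.write(b"malicious trailer\n")
        results["tampered"] = verify_release(user_home, release, sig, [fpr])
        return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:16s} -> {verdict}")
```

The "after_import" step is the one the poster reached by importing the developers' keys, but note that importing a key only turns "no-pubkey" into "untrusted" unless its fingerprint is in your allow-list; the allow-list is what ties the signature to a person you have actually verified.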
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
And the answer is:
     - https://github.com/spesmilo/electrum/security/advisories/GHSA-9gpc-prj9-89x7
     - https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf

From: https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

So somewhat edge cases with LN, and one of them is for Android only.
Guess that is why there was not a lot of people screaming about the problems.

-Dave

All this goes to show that the developer experience with the Lightning Network is not perfect yet, as most of the people working on Lightning wallets will occasionally introduce bugs like these that have to be fixed, and only a few programmers with prior security experience will know how to avoid these kinds of problems arising from a custom protocol like this.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
And the answer is:
     - https://github.com/spesmilo/electrum/security/advisories/GHSA-9gpc-prj9-89x7
     - https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf

From: https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

So somewhat edge cases with LN, and one of them is for Android only.
Guess that is why there was not a lot of people screaming about the problems.

-Dave
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
It seems to be a somewhat serious security issue, since the Electrum package on Debian got updated quickly with high urgency[1]. Electrum has been available in the Debian repository since version 1.8-1, but this is only the 4th time the changelog mentions high urgency.

--snip--
Yeah, sounds like a bit of snark towards the developers. But we really don't know when they found out about the vulnerability, so we really don't know how long they took to fix it.

I get your point. But on the other hand, it's fairly common practice to release the update (which fixes the vulnerability) first, before disclosing the vulnerability, so the majority of users wouldn't be impacted.

Will probably be an interesting discussion next month when we find out what the issue was.
A show-stopping, easy-to-exploit, take-all-of-someone's-BTC issue? Or an "if this happens and the user does that, followed by the other thing, and then this odd occurrence must occur while the user is drinking a cup of coffee, then there is the possibility of it happening" issue?

-Dave

Meanwhile I expect people will make guesses based on what changed between versions 4.4.5 and 4.4.6[2]. My wild guess would be something about channel backup/restore.

[1] https://metadata.ftp-master.debian.org/changelogs//main/e/electrum/electrum_4.4.6+dfsg-1_changelog
[2] https://github.com/spesmilo/electrum/compare/4.4.5...4.4.6
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
Electrum is the best. Don't care about security.
You should care about security at all costs.
Maybe OP didn't express himself properly. Somehow I got the feeling he was being ironic and critical towards Electrum. In his OP, he wrote that he had already updated his Electrum to the newest version. If he didn't care about security, he wouldn't have bothered installing the update. The ironic part could be the one where he wrote that the developers needed two months to fix the discovered vulnerabilities.

Maybe he is also confusing the terms security and privacy. We know that Electrum's goal isn't to be a privacy-preserving wallet by default. Maybe he wanted to say that he doesn't care about privacy.

Yeah, sounds like a bit of snark towards the developers. But we really don't know when they found out about the vulnerability, so we really don't know how long they took to fix it.

Will probably be an interesting discussion next month when we find out what the issue was.
A show-stopping, easy-to-exploit, take-all-of-someone's-BTC issue? Or an "if this happens and the user does that, followed by the other thing, and then this odd occurrence must occur while the user is drinking a cup of coffee, then there is the possibility of it happening" issue?

-Dave

legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Electrum is the best. Don't care about security.
You should care about security at all costs.
Maybe OP didn't express himself properly. Somehow I got the feeling he was being ironic and critical towards Electrum. In his OP, he wrote that he had already updated his Electrum to the newest version. If he didn't care about security, he wouldn't have bothered installing the update. The ironic part could be the one where he wrote that the developers needed two months to fix the discovered vulnerabilities.

Maybe he is also confusing the terms security and privacy. We know that Electrum's goal isn't to be a privacy-preserving wallet by default. Maybe he wanted to say that he doesn't care about privacy.
sr. member
Activity: 322
Merit: 306
Farewell LEO o_e_l_e_o
Electrum is the best. Don't care about security.
You should care about security at all costs.
Obviously, most of us here love Electrum too, but that shouldn't mean that you should let your guard down. Hackers and malicious people are not sleeping.
Something important must be taken care of.
I always try my best to pay attention to security in every way, and that includes always being careful not to let anything go wrong.

That's why I always follow and read discussion topics about wallets, security and other techniques that involve members with mastery of the relevant fields. All of that I do for my own benefit, to find out what is useful for me.
copper member
Activity: 1960
Merit: 1638
Top Crypto Casino
Electrum is the best. Don't care about security.
You should care about security at all costs.
Obviously, most of us here love Electrum too, but that shouldn't mean that you should let your guard down. Hackers and malicious people are not sleeping.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I wonder what they discovered and fixed, and how it could have affected the security of coins on the Lightning Network? We will see in 3 weeks. It will be interesting to see if the Electrum devs found these themselves or if they were reported to them through responsible disclosure. According to the release notes, the security fixes are only for Lightning use. Everything else is of secondary importance for this update.
sr. member
Activity: 322
Merit: 306
Farewell LEO o_e_l_e_o
The release of version 4.4.6 seems to be an important update due to its security enhancements.
Yesterday I found update notifications for several applications, including Electrum, on my cellphone, and I have updated them to the latest version. Its size is only 30.35 MB.

Update 4.4.5 was released on 20 June. The update to version 4.4.6 occurred on August 18th. It took only two months for security improvements to be made again.

Code:
# Release 4.4.6 (August 18, 2023) (security update)
 * Lightning:
   - security fix: multiple lightning-related security issues have
     been fixed. We will disclose these in detail on 2023-09-11.
     These release notes will also be updated at that time.
     In the meantime, please update.
   - fix: cannot sweep from channel after local-force-close, if using
     imported channel backup (#8536). Fixing this required adding a
     new field (local_payment_pubkey) to the channel backup
     import/export format and bumping its version number
     (v0->v1). Both v0 and v1 can be imported, and we only export v1
     backups. When you force close a channel, the GUI will prompt you
     to save a backup. In that case, you must export the backup using
     the updated Electrum, and not rely on a backup made with an older
     release of Electrum.  Note that if you request a force close from
     the remote node or co-op close, you do not need to save a channel
     backup.
   - fix: we would sometimes attempt sending MPP even if not supported
     by the invoice (2cf6173c)
 * QML GUI:
   - fix lnurl-pay when config.BTC_AMOUNTS_ADD_THOUSANDS_SEP is True
     (5b4df759)
 * Hardware wallets:
   - Trezor: support longer than 9 character PIN codes (#8526)
   - Jade: support more custom-built DIY Jade devices (#8546)
 * Builds/binaries:
   - include AppStream metainfo.xml in tarballs (#8501)
 * fix: exceptions in some callbacks got lost and not logged (3e6580b9)

Electrum is the best. Don't care about security.
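The release note quoted above describes a format bump for channel backups: a new field `local_payment_pubkey`, version v0 bumped to v1, both versions importable, only v1 exported, and a warning that a force-close backup saved by an older release is not enough to sweep. The following is an added example of that import/export rule, not Electrum's code; the byte layout is hypothetical and is not Electrum's real channel-backup serialization, and the field names other than `local_payment_pubkey` are assumed for illustration.

```python
"""Version-tolerant channel-backup import after a format bump (v0 -> v1).

Added example, not Electrum code. The byte layout is HYPOTHETICAL and is not
Electrum's real channel-backup serialization; it only mirrors the rule in the
release note: v0 and v1 may be imported, only v1 is ever exported, and v1 adds
a local_payment_pubkey field that the local-force-close sweep needs."""
import struct
from dataclasses import dataclass
from typing import Optional

CURRENT_VERSION = 1
# Hypothetical fixed-size layout:
#   version | funding txid | funding output index | remote node id [| local_payment_pubkey]
_V0 = struct.Struct(">B32sH33s")       # 68 bytes, written by older releases
_V1 = struct.Struct(">B32sH33s33s")    # 101 bytes, the only format we write


@dataclass(frozen=True)
class ChannelBackup:
    version: int
    funding_txid: bytes                     # 32 bytes
    funding_index: int
    remote_node_id: bytes                   # 33-byte compressed pubkey
    local_payment_pubkey: Optional[bytes]   # 33 bytes in v1, None for a v0 backup


def export_backup(b: ChannelBackup) -> bytes:
    """Always emit the newest format. A backup that lacks the new field cannot
    be upgraded by re-serialising it; the user must save a fresh backup from
    the updated wallet, which is what the release note asks for."""
    if b.local_payment_pubkey is None:
        raise ValueError("backup lacks local_payment_pubkey; re-export it from the updated wallet")
    return _V1.pack(CURRENT_VERSION, b.funding_txid, b.funding_index,
                    b.remote_node_id, b.local_payment_pubkey)


def import_backup(blob: bytes) -> ChannelBackup:
    """Accept every version we know how to read; fail closed on anything else."""
    if not blob:
        raise ValueError("empty backup")
    version = blob[0]
    if version == 0 and len(blob) == _V0.size:
        _, txid, idx, node = _V0.unpack(blob)
        return ChannelBackup(0, txid, idx, node, None)
    if version == 1 and len(blob) == _V1.size:
        _, txid, idx, node, lpp = _V1.unpack(blob)
        return ChannelBackup(1, txid, idx, node, lpp)
    if version in (0, 1):
        raise ValueError(f"v{version} backup has wrong length {len(blob)}")
    raise ValueError(f"unknown backup version {version}; update the wallet instead of guessing the layout")


def can_sweep_after_local_force_close(b: ChannelBackup) -> bool:
    """Per the release note, sweeping after our own force-close needs
    local_payment_pubkey, which a v0 backup never recorded."""
    return b.local_payment_pubkey is not None


def _raises_value_error(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed sample data: a legacy v0 blob as an old release would have
    written it, and a v1 round trip through export/import."""
    txid = b"\x11" * 32
    node = b"\x02" + b"\x22" * 32
    lpp = b"\x03" + b"\x33" * 32
    legacy_blob = _V0.pack(0, txid, 7, node)
    old = import_backup(legacy_blob)
    new = ChannelBackup(CURRENT_VERSION, txid, 7, node, lpp)
    roundtrip = import_backup(export_backup(new))
    return {
        "old_sweepable": can_sweep_after_local_force_close(old),         # False
        "new_sweepable": can_sweep_after_local_force_close(roundtrip),   # True
        "roundtrip_ok": roundtrip == new,                                # True
        "old_export_refused": _raises_value_error(lambda: export_backup(old)),
        "unknown_version_refused": _raises_value_error(
            lambda: import_backup(b"\x02" + b"\x00" * 100)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

The two decisions worth copying are that an unknown version is rejected outright rather than parsed on a best guess, and that a legacy backup cannot be silently re-exported as the new version, since the missing field cannot be invented after the fact.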
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
https://twitter.com/ElectrumWallet/status/1693950020028903685
https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

https://electrum.org/#download <-- Don't trust any link; verify for yourself and check the signatures.

Normally I'm more of an "I'll get to it when I get to it" person for updates, but the 3-week embargo on the flaw means, IMO, that although it's probably not being exploited now, it is exploitable in some way and may be soon.
Could be wrong, but that's the feeling I am getting.

As always let's be careful out there: https://www.youtube.com/watch?v=MJDQewSMB-E

-Dave
