Author

Topic: Electrum-4.4.6 Released. Fixes several lightning-related security issues (Read 212 times)

legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
Did 4.4.6 remove wallet export option? Is there a way to still export the wallet info for tracking my btc transactions?
Wallet export or Wallet information?

Wallet export isn't available in Android at the moment,
Wallet information is still accessible in both Desktop and Android versions.

But if it's tracking that you want, you only need the master (extended) public key from the wallet information.
To get to wallet info in Android version: Click the wallet name above then select "Wallet details".
Your master public key should be listed there unless you're using an 'imported wallet'.
newbie
Activity: 3
Merit: 0
Did 4.4.6 remove wallet export option? Is there a way to still export the wallet info for tracking my btc transactions?
newbie
Activity: 1
Merit: 0
Today dowloaded electrum-4.4.6.dmg fails on signature verification with electrum-4.4.6.dmg.asc. Both files from https://electrum.org/#download. I use GPG Keychain v.1.12 on macOS 13.5.2 (22G91). Files for version 4.0.9 pass verification.

Update: I found public keys of SomberNight and Emzy. Now verification is ok.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
And the answer is:
     - https://github.com/spesmilo/electrum/security/advisories/GHSA-9gpc-prj9-89x7
     - https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf

From: https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

So somewhat edge cases with LN. And one of them for Android only.
Guess that is why there was not a lot of people screaming about the problems.

-Dave


All this goes to show that the developer experience with Lightning Network is not perfect yet, as most of the people working on Lightning wallets will occasionally make bugs like these that have to be fixed, and only a few programmers with prior security experience will know how to avoid these kind of problems coming out from a custom protocol like this.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
And the answer is:
     - https://github.com/spesmilo/electrum/security/advisories/GHSA-9gpc-prj9-89x7
     - https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf

From: https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

So somewhat edge cases with LN. And one of them for Android only.
Guess that is why there was not a lot of people screaming about the problems.

-Dave
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
It seems to be somewhat serious security issue since Electrum package on Debian got updated quickly with high urgency[1]. Electrum available on Debian repisotry since version 1.8-1, but this is only 4th time the changelog mention high urgency.

--snip--
Yeah, sounds like a bit of snark towards the developers. But, we really don't know when they found out about the vulnerability so we really don't know how long they took to fix it.

I get your point. But on other hand, it's fairly common practice to release update (which fix the vulnerability) first before disclosing the vulnerability so majority of the user wouldn't be impacted.

Will probably be an interesting discussion next month when we find out what the issue was.
Show stopping easy to exploit and take all of someones BTC issue? Or a if this happens and the user does that followed by the other thing and then this odd occurrence must occur while the user is drinking a cup of coffee then there is the possibility of it happening issue.

-Dave

Meanwhile i expect people will make a guess based on what changed between version 4.4.5 and 4.4.6[1]. My wild guess would be about channel backup/restore.

[1] https://metadata.ftp-master.debian.org/changelogs//main/e/electrum/electrum_4.4.6+dfsg-1_changelog
[2] https://github.com/spesmilo/electrum/compare/4.4.5...4.4.6
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Elecreum is the best. Don't care about security.
You should care about security at all costs.
Maybe OP didn't express himself properly. Somehow I got the feeling he was being ironic and critical towards Electrum. In his OP, he wrote that he updated his Electrum to the newest version already. If he didn't care about security, he wouldn't be bothered installing the update. The ironic part could be the one where he wrote that the developers needed two months to fix the discovered vulnerabilities.

Maybe he is also confusing the terms security and privacy. We know that Electrum's goal isn't to be a privacy-saving wallet by default. Maybe he wanted to say that he doesn't care about privacy.

Yeah, sounds like a bit of snark towards the developers. But, we really don't know when they found out about the vulnerability so we really don't know how long they took to fix it.

Will probably be an interesting discussion next month when we find out what the issue was.
Show stopping easy to exploit and take all of someones BTC issue? Or a if this happens and the user does that followed by the other thing and then this odd occurrence must occur while the user is drinking a cup of coffee then there is the possibility of it happening issue.

-Dave

legendary
Activity: 2730
Merit: 7065
Elecreum is the best. Don't care about security.
You should care about security at all costs.
Maybe OP didn't express himself properly. Somehow I got the feeling he was being ironic and critical towards Electrum. In his OP, he wrote that he updated his Electrum to the newest version already. If he didn't care about security, he wouldn't be bothered installing the update. The ironic part could be the one where he wrote that the developers needed two months to fix the discovered vulnerabilities.

Maybe he is also confusing the terms security and privacy. We know that Electrum's goal isn't to be a privacy-saving wallet by default. Maybe he wanted to say that he doesn't care about privacy.
sr. member
Activity: 560
Merit: 432
Forum Only For Fun
Elecreum is the best. Don't care about security.
You should care about security at all costs.
Obviously, most of us here love electrum too, but that shouldn't mean that you should let your guard down. Hackers and malicious people are not sleeping.
Something important must be cared for.
I always try my best to pay attention to security in every way and that includes trying to always be careful not to let anything go wrong.

That's why I always follow and read discussion topics about wallets, security and other techniques that involve members with mastery of knowledge in the scientific fields around it. All that I do for my benefit in finding out what is useful for me.
copper member
Activity: 2114
Merit: 1794
Top Crypto Casino
Elecreum is the best. Don't care about security.
You should care about security at all costs.
Obviously, most of us here love electrum too, but that shouldn't mean that you should let your guard down. Hackers and malicious people are not sleeping.
legendary
Activity: 2730
Merit: 7065
I wonder what they discovered and fixed, and how it could have affected the security of coins on the Lightning Network? We will see in 3 weeks. It will be interesting to see if the Electrum devs found these themselves or if it was reported to them using responsible disclosure. The security fixes according to the release notes are only for lightning use. Everything else is of secondary importance for this update.   
sr. member
Activity: 560
Merit: 432
Forum Only For Fun
The release of version 4.4.6 seems to be an important update due to security enhancements.
Yesterday I found update notifications for several applications including electrum on my cellphone and I have updated them to the latest version. Its size is only 30.35 MB.



Update 4.4.5 was done on 20 June. The update to version 4.4.6 occurred on August 18th. It took only two months for security improvements to be made again.

Code:
# Release 4.4.6 (August 18, 2023) (security update)
 * Lightning:
   - security fix: multiple lightning-related security issues have
     been fixed. We will disclose these in detail on 2023-09-11.
     These release notes will also be updated at that time.
     In the meantime, please update.
   - fix: cannot sweep from channel after local-force-close, if using
     imported channel backup (#8536). Fixing this required adding a
     new field (local_payment_pubkey) to the channel backup
     import/export format and bumping its version number
     (v0->v1). Both v0 and v1 can be imported, and we only export v1
     backups. When you force close a channel, the GUI will prompt you
     to save a backup. In that case, you must export the backup using
     the updated Electrum, and not rely on a backup made with an older
     release of Electrum.  Note that if you request a force close from
     the remote node or co-op close, you do not need to save a channel
     backup.
   - fix: we would sometimes attempt sending MPP even if not supported
     by the invoice (2cf6173c)
 * QML GUI:
   - fix lnurl-pay when config.BTC_AMOUNTS_ADD_THOUSANDS_SEP is True
     (5b4df759)
 * Hardware wallets:
   - Trezor: support longer than 9 character PIN codes (#8526)
   - Jade: support more custom-built DIY Jade devices (#8546)
 * Builds/binaries:
   - include AppStream metainfo.xml in tarballs (#8501)
 * fix: exceptions in some callbacks got lost and not logged (3e6580b9)

Elecreum is the best. Don't care about security.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
https://twitter.com/ElectrumWallet/status/1693950020028903685
https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

https://electrum.org/#download <-- Don't trust any link verify for yourself and and check the signatures.

Normally I'm more of a I'll get to it when I get to it person for updates, but the 3 week embargo on the flaw means IMO that although it's probably not being exploited now it is exploitable in some way, and may be soon.
Could be wrong, but that's the feeling I am getting.

As always let's be careful out there: https://www.youtube.com/watch?v=MJDQewSMB-E

-Dave

Jump to: