Bitcoin Forum>Bitcoin>Project Development
Author

Topic: OpenSSL update (Read 1703 times)

ca333
hero member
Activity: 521
Merit: 522
Developer - EthicHacker - BTC enthusiast
OpenSSL update
March 24, 2015, 02:13:56 PM
#6
Quote from: gmaxwell on March 24, 2015, 02:08:45 PM
Quote from: ca333 on March 24, 2015, 01:52:52 PM
but this board is also for the development and technic discussion of general projects for bitcoin i think. so advice for security update should fit in. if not, please advice me.
It very explicitly is not, please see the description of the subforum: "Technical discussion about Satoshi's Bitcoin client and the Bitcoin network in general. No third-party sites/clients, bug reports that do not require much discussion (use github), or support requests.".

I am sorry, my intention of this thread is only to make a benefit for the users/developers of bitcoinprojects overall..
i look for the correct board and move it. excuses.

Quote from: gmaxwell
Quote
#EDIT: it s good when linux distros backport only the fixes which used to remove vulns . but i think most users apply patching manually without waiting for official updatepatch. spescially webmasters. and also not sure what is sense of reformatting in the SAME TIME??? why not only fix vuln and in next version increment reformat codebase?
I do not know why they did that. I think its unreasonable.

yes agree. this sound strange to me. normally so skilled developers take care on this and think about this factors..
gmaxwell
staff
Activity: 4284
Merit: 8808
Re: OpenSSL update
March 24, 2015, 02:08:45 PM
#5
Quote from: ca333 on March 24, 2015, 01:52:52 PM
but this board is also for the development and technic discussion of general projects for bitcoin i think. so advice for security update should fit in. if not, please advice me.
It very explicitly is not, please see the description of the subforum: "Technical discussion about Satoshi's Bitcoin client and the Bitcoin network in general. No third-party sites/clients, bug reports that do not require much discussion (use github), or support requests.".

Quote
#EDIT: it s good when linux distros backport only the fixes which used to remove vulns . but i think most users apply patching manually without waiting for official updatepatch. spescially webmasters. and also not sure what is sense of reformatting in the SAME TIME??? why not only fix vuln and in next version increment reformat codebase?
I do not know why they did that. I think its unreasonable.
ca333
hero member
Activity: 521
Merit: 522
Developer - EthicHacker - BTC enthusiast
Re: OpenSSL update
March 24, 2015, 01:52:52 PM
#4
Quote from: gmaxwell on March 24, 2015, 11:23:11 AM
The disclosed vulnerabilities are not very exciting for Bitcoin implementations and I am not aware of any reason people should rush to deploy in the context of Bitcoin software (the subject of this subforum! your webserver is another matter)

The diff between 1.0.1l and 1.0.1m is over 700k lines of code because they also reformatted the whole codebase at the same time. If someone has told you've they've reviewed the changes carefully they're lying.

Gentoo (and, I believe, Debian) appears to be rejecting openssl's huge patch and is working on backporting the specific fixes.




you are correct regarding the direct danger for bitcoinwallet. but this board is also for the development and technic discussion of general projects for bitcoin i think. so advice for security update should fit in. if not, please advice me.

and so i think service-maintainer must make the update (if affected openssl versions are used) because bitcoin-enviroments will be directly affected by the vulnerability.. True that BTC-core itself is not affected directly. but btc-services offline because a server get crashed by DoS is very bad i think. and many BTC-services are harmed/affected hardly by this downtime-risk.. so in my opinion when you run a btc-related service than you must rush for the update very fast.
operators of high-frequency service in darknet are in update-progress, and i hope the big btc-service in clearnet also make it.

and of course this is only my opinion. so i am thankful for other opinion and also other knowledge.


#EDIT: it s good when linux distros backport only the fixes which used to remove vulns . but i think most users apply patching manually without waiting for official updatepatch. spescially webmasters. and also not sure what is sense of reformatting in the SAME TIME??? why not only fix vuln and in next version increment reformat codebase?
DeathAndTaxes
donator
Activity: 1218
Merit: 1079
Gerald Davis
Re: OpenSSL update
March 24, 2015, 11:40:01 AM
#3
Quote from: gmaxwell on March 24, 2015, 11:23:11 AM
The diff between 1.0.1l and 1.0.1m is over 700k lines of code because they also reformatted the whole codebase at the same time.

Awesome.  Even if not malicious such practices make great cover for other malicious actors.  Glad to see some distros are saying WTF!
gmaxwell
staff
Activity: 4284
Merit: 8808
Re: OpenSSL update
March 24, 2015, 11:23:11 AM
#2
The disclosed vulnerabilities are not very exciting for Bitcoin implementations and I am not aware of any reason people should rush to deploy in the context of Bitcoin software (the subject of this subforum! your webserver is another matter)

The diff between 1.0.1l and 1.0.1m is over 700k lines of code because they also reformatted the whole codebase at the same time. If someone has told you've they've reviewed the changes carefully they're lying.

Gentoo (and, I believe, Debian) appears to be rejecting openssl's huge patch and is working on backporting the specific fixes.

ca333
hero member
Activity: 521
Merit: 522
Developer - EthicHacker - BTC enthusiast
Re: OpenSSL update
March 24, 2015, 09:23:26 AM
#1
#EDIT: BTC-Core/wallet is not affected directly by new openSSL vulns. But server can be attacked because of it through DoS and overload.. or also the second high serverity vuln is reclassification of FREAK attack and gives a risk so a bad certificate will be accepted by victim and then badguy can make the man-in-the-middle attack IF a NULL pointer dereference is triggered.

Referencing to https://www.openssl.org/news/secadv_20150319.txt i advice all user and service-maintainer to upgrade OpenSSL if you run online BTC-project.

Vulnerabilities: (red one is high severity)

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) affects OpenSSL version: 1.0.2 - upgrade to 1.0.2a!

Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

Multiblock corrupted pointer (CVE-2015-0290)
Segmentation fault in DTLSv1_listen (CVE-2015-0207)
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
Segmentation fault for invalid PSS parameters (CVE-2015-0208)
ASN.1 structure reuse memory corruption (CVE-2015-0287)
PKCS7 NULL pointer dereferences (CVE-2015-0289)
Base64 decode (CVE-2015-0292)
DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
Empty CKE with client auth and DHE (CVE-2015-1787)
Handshake with unseeded PRNG (CVE-2015-0285)
Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)

source: https://www.openssl.org/news/secadv_20150319.txt

please take it serious!
ca333
Bitcoin Forum>Bitcoin>Project Development
Jump to: