Topic: TLS heartbeat read overrun (CVE-2014-0160) (Read 1178 times)

member
Activity: 98
Merit: 10
April 08, 2014, 07:03:03 PM
#10
Very dangerous
UPDATE NOW!
https://bitcointalksearch.org/topic/m.6132453

And change all your passwords in all your accounts (gmail, banking, FB)
https://bitcointalksearch.org/topic/m.6132859
legendary
Activity: 2912
Merit: 1060
question: When I'm online, my browser is always using a SSH tunnel as proxy (it's connected to a VPS which I own). Am I still affected by this OpenSSL thing?

Yes they hit the site you're connected to.
legendary
Activity: 1806
Merit: 1003
question: When I'm online, my browser is always using a SSH tunnel as proxy (it's connected to a VPS which I own). Am I still affected by this OpenSSL thing?
hero member
Activity: 868
Merit: 1000
Thanks wumpus for the link. It is really helpful.

BTW, it seems we will have 0.9.1 very soon.

https://twitter.com/gavinandresen/status/453574888587268096
Quote
Expect a 0.9.1 Bitcoin Core release soon, linked against openssl 1.0.1g, because #heartbleed
full member
Activity: 198
Merit: 100
@wumpus: I am a bit confused about Bitcoin Links. Where do they appear?

I am unable to see them in the Bitcoin-Qt client. Under which tab? Send/Receive/Transactions?

Or are you referring to something like this:

https://coinbase.com/docs/merchant_tools/payment_buttons
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
Exactly as it says: don't click any bitcoin payment links.
If you want to pay, copy the address and amount manually (until you can upgrade to 0.9.1).
full member
Activity: 198
Merit: 100
Could someone explain this in more detail?

Quote
"If you're using a vulnerable version, do not click any bitcoin: links and you will be protected"

What exactly is meant by this? I am using Bitcoin-Qt on Windows with OpenSSL 1.0.1e (so, it is vulnerable according to the link above).
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
Michagogo worded it very well here:
http://www.reddit.com/r/Bitcoin/comments/22i9t1/psa_regarding_the_heartbleed_bug_cve20140160_and/

Quote
There are exactly two places in Bitcoin Core that may be affected by this issue.

One is RPC SSL. If you're using this, turn it off. If you don't know what that is, you most likely aren't using it.

The other is the payment protocol. Specifically, fetching payment requests. If you're using a vulnerable version, do not click any bitcoin: links and you will be protected. Note that this is only relevant for the GUI, and only for version 0.9.0.

If you're using self-built executables, you're most likely using dynamically linked OpenSSL. Simply upgrade your OpenSSL package and you should be fine. If I'm not mistaken, the same applies if you're using the PPA. If you're using release binaries, a version 0.9.1 is being prepared that will use the fixed OpenSSL 1.0.1g.

Note that if you're running the GUI (p.k.a. Bitcoin-Qt) you can check your OpenSSL version in the debug window's information tab. If you're on anything earlier than 1.0.1, for example 0.9.8, you're safe. If you're on 1.0.1g or later, you're safe. If you're on 1.0.1-1.0.1e, you may be vulnerable. However, that may not necessarily be the case -- for example, Debian has released an update for Wheezy, version 1.0.1e-2+deb7u5, which fixes the security bug without bumping the version number as reported by OpenSSL.

legendary
Activity: 2212
Merit: 1038
Cold storage of keys FTW?
hero member
Activity: 868
Merit: 1000
IIRC, bitcoin-qt uses OpenSSL 1.0.1e.

https://www.openssl.org/news/secadv_20140407.txt
Quote
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.

How does this bug affect us?
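The advisory above describes the defect as a missing bounds check: the responder trusted the 16-bit payload length in the heartbeat header instead of comparing it against the bytes actually received. The following is an added illustration, not OpenSSL code and not part of the thread; it parses a heartbeat record laid out as in RFC 6520 (type, 2-byte length, payload, at least 16 bytes of padding) and applies the length check the fix introduced, so an oversized claim is rejected instead of echoing memory beyond the record. The record layout constants and the two sample records are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Return 1 if rec is a well-formed heartbeat record and store its payload length, else 0.
 * The comparison "1 + 2 + claimed + 16 > rec_len" is the check the affected versions
 * lacked; without it the responder copies 'claimed' bytes from a buffer that only
 * holds rec_len bytes, disclosing whatever memory follows it (up to 64k). */
int heartbeat_check(const unsigned char *rec, size_t rec_len, uint16_t *payload_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return 0;            /* header + padding must fit */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + claimed + HB_MIN_PADDING > rec_len) return 0;  /* the bounds check */
    *payload_len = claimed;
    return 1;
}

/* Build a response echoing the request payload. Returns bytes written, or -1 if the
 * request is malformed; a malformed heartbeat is dropped silently, as the fix does. */
int heartbeat_respond(const unsigned char *req, size_t req_len,
                      unsigned char *out, size_t out_cap)
{
    uint16_t plen;
    if (!heartbeat_check(req, req_len, &plen) || req[0] != HB_REQUEST) return -1;
    size_t need = 1 + 2 + (size_t)plen + HB_MIN_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(plen >> 8);
    out[2] = (unsigned char)(plen & 0xff);
    memcpy(out + 3, req + 3, plen);                 /* only bytes the record really carried */
    memset(out + 3 + plen, 0, HB_MIN_PADDING);      /* real implementations use random padding */
    return (int)need;
}

/* Constructed sample: header claims 65535 payload bytes, but the record carries none. */
static const unsigned char hb_oversized[19] = { HB_REQUEST, 0xff, 0xff };
/* Constructed sample: honest request carrying the 4-byte payload "ping" plus padding. */
static const unsigned char hb_honest[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
```

With the check in place the oversized record is rejected outright, while the honest one is echoed byte for byte; the debug-window version check described earlier in the thread tells you whether your build still lacks it.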