Pages:
Author

Topic: Users of Bitcoin Core on Linux must not upgrade to the latest version of OpenSSL (Read 66065 times)

legendary
Activity: 1204
Merit: 1000
฿itcoin: Currency of Resistance!
Guys,

I'm running Ubuntu 14.04.1, 64-bit, with Bitcoin 0.9.4 from its PPA, I just upgraded everything (openssl version 1.0.1f-1ubuntu2.8, linux version 3.16).

Is that okay?

This node that I am running, have no coins (I have no coins), it is just a node to help the network... I hope to not bring problems...

Cheers!
sr. member
Activity: 506
Merit: 253
Does this affect Armory, which uses Bitcoin core? If so, how does it affect it?

It seems t wouldn't since a "holy-grail feature of Armory" is that it doesn't download such a huge chunk of the blockchain that BitcoinQt does, right?
full member
Activity: 141
Merit: 231
So, if someone wanted to destroy a whole bunch of altcoins right now, he could deliberately mine blocks that fail the new SSL check and pass the old SSL check.  They'd all hang when they tried to process the bogus block.

My understanding (which is to say, I've only read the documentation, I haven't run a full simulation of this) is that the code doesn't hang, it simply rejects non-strict DER signatures. What you'd see is some nodes accepting transactions which others reject, so the result is actually a hard fork.
full member
Activity: 141
Merit: 231
It looks like no altcoins have addressed this.  What does this mean for their vulnerability?  

We applied a patch to our source back on the 9th Jan (https://github.com/dogecoin/dogecoin/commit/6fa9a5e31a46120ffc772d7e8ca748b851c78f7f), and new binaries have been released compiled against OpenSSL 1.0.1l. I've also worked on a couple of open source libraries to ensure they're compatible as well.

I believe Darkcoin patched very early on too.

So; I would imagine a large number of alts haven't applied these patches, but it's almost certainly not "no altcoins".
legendary
Activity: 924
Merit: 1132
It looks like no altcoins have addressed this.  What does this mean for their vulnerability? 

Those based on Bitcoin or Litecoin sources (which, to be fair, is almost all of them) are at least possibly vulnerable if they have not merged the recent fixes from Bitcoin core or formed equivalent fixes.

That said, their blockchains are mostly much smaller and contain, in relative numbers, almost no transactions.  Whether they are vulnerable in practice depends on whether their blockchains do or don't contain any blocks that the new SSL will find problematic when their users upgrade their SSL.   

So, if someone wanted to destroy a whole bunch of altcoins right now, he could deliberately mine blocks that fail the new SSL check and pass the old SSL check.  They'd all hang when they tried to process the bogus block.


legendary
Activity: 1264
Merit: 1008
It looks like no altcoins have addressed this.  What does this mean for their vulnerability? 
legendary
Activity: 924
Merit: 1132
This is probably well after most people have already patched or defended against this, but the patch in question just got rolled out for Debian Jessie. 

Jessie has been on openssl1.0.1j up until now, and they're rolling out the 'k' version.

When upgrading Debian Jessie:

If you are otherwise vulnerable (compiled it yourself) you need to hold three items because of the way Debian breaks things up into smaller chunks.

Before upgrading your system do the following, either with 'sudo' or as root:  

apt-mark hold openssl libssl1.0.0 libssl-dev
legendary
Activity: 1974
Merit: 1029
iU  libssl1.0.0:amd64                                     1.0.1f-1ubuntu2.7                                   amd64        Secure Sockets Layer toolkit - shared libraries
iF  libssl1.0.0:i386                                      1.0.1f-1ubuntu2.8                                   i386         Secure Sockets Layer toolkit - shared libraries

You have broken packages, those "iU" and "iF" at the beginning of the lines are pretty nasty. Run 'apt-get -f install'.
hero member
Activity: 518
Merit: 502
You also need to download the i386 version of libssl (same procedure as the other packages above).
member
Activity: 89
Merit: 10
Thank you very much for this
But it seems now i can't update & upgrade ubuntu, it says something about wrong dependencies, any solution for that?

Without you telling me which dependencies are wrong, no. Wink Most likely, you downgraded only part of your openssl packages, leaving some at the newer version. Make sure that you downgrade them all.

Do a dpkg -l | grep '1.0.1f' so see if there are different versions installed.

Okay, i think you are correct, here is the output-
iU  libssl1.0.0:amd64                                     1.0.1f-1ubuntu2.7                                   amd64        Secure Sockets Layer toolkit - shared libraries
iF  libssl1.0.0:i386                                      1.0.1f-1ubuntu2.8                                   i386         Secure Sockets Layer toolkit - shared libraries
hi  openssl                                               1.0.1f-1ubuntu2.7                                   amd64        Secure Sockets Layer toolkit - cryptographic utility

it have libssl 2.8, how do i completly remove it?
i am using ubuntu 14.04 64 bit,

Thank you very much!

hero member
Activity: 518
Merit: 502
Thank you very much for this
But it seems now i can't update & upgrade ubuntu, it says something about wrong dependencies, any solution for that?

Without you telling me which dependencies are wrong, no. Wink Most likely, you downgraded only part of your openssl packages, leaving some at the newer version. Make sure that you downgrade them all.

Do a dpkg -l | grep '1.0.1f' so see if there are different versions installed.
member
Activity: 89
Merit: 10
how do you downgrade ?

Code:
 lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty

Code:
dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.8

You need to search for the version you need, download if for your architecture, and install it manually.

For example, in this case you search for 1.0.1f-1ubuntu2.7. You can find it here: https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.7
Select your architecture and download the .deb package of openssl and libssl (and the -dev packages if you need them). Then install them using dbpg.

Assuming that you're on 64bit:

Code:
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/openssl_1.0.1f-1ubuntu2.7_amd64.deb
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i openssl_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb

That's it Smiley

Thank you very much for this
But it seems now i can't update & upgrade ubuntu, it says something about wrong dependencies, any solution for that?
hero member
Activity: 518
Merit: 502
how do you downgrade ?

Code:
 lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty

Code:
dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.8

You need to search for the version you need, download if for your architecture, and install it manually.

For example, in this case you search for 1.0.1f-1ubuntu2.7. You can find it here: https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.7
Select your architecture and download the .deb package of openssl and libssl (and the -dev packages if you need them). Then install them using dbpg.

Assuming that you're on 64bit:

Code:
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/openssl_1.0.1f-1ubuntu2.7_amd64.deb
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i openssl_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb

That's it Smiley
full member
Activity: 338
Merit: 100
https://eloncity.io/
ubuntu 14.04
Quote
affected?
same OS, my version is:
Code:
OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I only don't need to upgrade to version 1.0.1k, but wait for the following one.
Did I understand that correctly?
well, apparently not.
Version 1.0.1f (6 Jan 2014) seems to be affected, too.
Running reindexing now.

I can confirm that Version 1.0.1f (6 Jan 2014) caused 4 test failures here as well.

The problem is that distributions tend to backport updates that are marked as security updates (as this one).

Here you go for Ubuntu: this is the security update that backports this patch to Ubuntu 14.10, Ubuntu 14.04 LTS,
Ubuntu 12.04 LTS, and Ubuntu 10.04 LTS: http://www.ubuntu.com/usn/usn-2459-1/

That means: if you are running any of the Ubuntu (server) versions above, you are very likely affected. If you are running Ubuntu LTS, you are for sure affected. In these cases, don't upgrade your OpenSSL installation.

Here's the list of package versions that you should NOT install (that is, the package versions with the backported patch):

Code:
Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.1 
Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.23

How to avoid upgrading accidentally? Simply execute:

Code:
sudo apt-mark hold openssl

PS: don't trust the version reported by
Code:
openssl version
as it does not cover the backports. Execute
Code:
dpkg -s openssl | grep Version
to see which version you have.


how do you downgrade ?

Code:
 lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty

Code:
dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.8
newbie
Activity: 28
Merit: 0
I am develop a trading platform now, I must to compile the bitcoin source code by myself,
so, which version of the openssl I can use? Thanks.
At this point, just use 0.9.4.

my other question is, why the bitcoin system don't maintain one correct branch of openssl?
Too large a codebase of mostly obfuscated spaghetti code.
It's going to be replaced with libsecp256k1 (which we do maintain) "soon" (planned since before this issue).

And, I run official  bitcoind 0.9.3 to download all block data, no any transactions yet, but a few days ago I change to 0.9.3 source code compile with openssl 1.0.0k , continue to sync the block data. Whether I still need to run -reindex to fix it?
newbie
Activity: 28
Merit: 0
I am develop a trading platform now, I must to compile the bitcoin source code by myself,
so, which version of the openssl I can use? Thanks.
At this point, just use 0.9.4.

my other question is, why the bitcoin system don't maintain one correct branch of openssl?
Too large a codebase of mostly obfuscated spaghetti code.
It's going to be replaced with libsecp256k1 (which we do maintain) "soon" (planned since before this issue).

Thank you very much. Can I use 0.9.4 and openssl-0.9.8?

I plan to support more peer-to-peer Internet currency on my trading platform, I guess other p2p currency have the same problem, so I want to use the unified version of openssl to compile all the source code.
legendary
Activity: 2576
Merit: 1186
I am develop a trading platform now, I must to compile the bitcoin source code by myself,
so, which version of the openssl I can use? Thanks.
At this point, just use 0.9.4.

my other question is, why the bitcoin system don't maintain one correct branch of openssl?
Too large a codebase of mostly obfuscated spaghetti code.
It's going to be replaced with libsecp256k1 (which we do maintain) "soon" (planned since before this issue).
newbie
Activity: 28
Merit: 0
Greg Maxwell's announcement:  
http://sourceforge.net/p/bitcoin/mailman/message/33221963/

Summary:

There is a problem with the most recent release of OpenSSL which will cause issues for some users of Bitcoin Core on Linux. This is not a critical security issue, but everyone using Bitcoin Core on Linux should read the following information, especially if you're automatically processing Bitcoin payments. The worst-case scenario is that you might accept transactions as confirmed which are later reversed.

You are likely to be affected only if:

- You use Linux.
- You installed Bitcoin Core using your distro's package manager or you compiled Bitcoin Core yourself without using gitian. You are not affected if you use the binaries on bitcoin.org.
- You upgrade your system's OpenSSL to 1.0.0p or 1.0.1k. These were security-fix releases, so your package manager might have updated them automatically.

If you are affected, then your client might become stuck at a particular block, and you'll have to reindex the block chain to fix it. In some conceivable but unlikely scenarios, you might see incoming transactions as having 6+ confirmations when the transactions are actually invalid. If you are a pool operator, then you could conceivably start mining on a false chain, which would cause you to lose all of your future blocks until you fix this.

If you are using an affected version of Bitcoin Core, you should either make sure that your system OpenSSL does not get updated or shut down Bitcoin Core until an update fixing this is released in a day or two. If Bitcoin Core is already stuck and showing the "We do not appear to fully agree with our peers!" message, shut it down until an update fixing this is released; when you run that version, you'll have to run it with the -reindex switch.

Hello,

I am develop a trading platform now, I must to compile the bitcoin source code by myself,
so, which version of the openssl I can use? Thanks.

my other question is, why the bitcoin system don't maintain one correct branch of openssl?
hero member
Activity: 518
Merit: 502
ubuntu 14.04
Quote
affected?
same OS, my version is:
Code:
OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I only don't need to upgrade to version 1.0.1k, but wait for the following one.
Did I understand that correctly?
well, apparently not.
Version 1.0.1f (6 Jan 2014) seems to be affected, too.
Running reindexing now.

I can confirm that Version 1.0.1f (6 Jan 2014) caused 4 test failures here as well.

The problem is that distributions tend to backport updates that are marked as security updates (as this one).

Here you go for Ubuntu: this is the security update that backports this patch to Ubuntu 14.10, Ubuntu 14.04 LTS,
Ubuntu 12.04 LTS, and Ubuntu 10.04 LTS: http://www.ubuntu.com/usn/usn-2459-1/

That means: if you are running any of the Ubuntu (server) versions above, you are very likely affected. If you are running Ubuntu LTS, you are for sure affected. In these cases, don't upgrade your OpenSSL installation.

Here's the list of package versions that you should NOT install (that is, the package versions with the backported patch):

Code:
Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.1 
Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.23

How to avoid upgrading accidentally? Simply execute:

Code:
sudo apt-mark hold openssl

PS: don't trust the version reported by
Code:
openssl version
as it does not cover the backports. Execute
Code:
dpkg -s openssl | grep Version
to see which version you have.
hero member
Activity: 518
Merit: 502
ubuntu 14.04
Quote
affected?
same OS, my version is:
Code:
OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I only don't need to upgrade to version 1.0.1k, but wait for the following one.
Did I understand that correctly?
well, apparently not.
Version 1.0.1f (6 Jan 2014) seems to be affected, too.
Running reindexing now.

I can confirm that Version 1.0.1f (6 Jan 2014) caused 4 test failures here as well.

The problem is that distributions tend to backport updates that are marked as security updates (as this one).
Pages:
Jump to: