Topic: Users of Bitcoin Core on Linux must not upgrade to the latest version of OpenSSL (Read 65987 times)

legendary
Activity: 1204
Merit: 1000
฿itcoin: Currency of Resistance!
Guys,

I'm running Ubuntu 14.04.1, 64-bit, with Bitcoin 0.9.4 from its PPA, I just upgraded everything (openssl version 1.0.1f-1ubuntu2.8, linux version 3.16).

Is that okay?

This node that I am running has no coins (I have no coins); it is just a node to help the network... I hope not to bring problems...

Cheers!
sr. member
Activity: 499
Merit: 251
Does this affect Armory, which uses Bitcoin core? If so, how does it affect it?

It seems it wouldn't, since a "holy-grail feature of Armory" is that it doesn't download such a huge chunk of the blockchain as BitcoinQt does, right?
full member
Activity: 141
Merit: 231
So, if someone wanted to destroy a whole bunch of altcoins right now, he could deliberately mine blocks that fail the new SSL check and pass the old SSL check.  They'd all hang when they tried to process the bogus block.

My understanding (which is to say, I've only read the documentation, I haven't run a full simulation of this) is that the code doesn't hang, it simply rejects non-strict DER signatures. What you'd see is some nodes accepting transactions which others reject, so the result is actually a hard fork.
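Added example in Python (not code from this thread, from Bitcoin Core or from OpenSSL): the strict DER encoding rules for a script signature (DER ECDSA signature plus one sighash-type byte), as Bitcoin Core later specified them in BIP66, next to a small encoder whose `pad_r` option produces the non-strict form that a strict parser rejects while a lenient one still accepts, which is the node disagreement described above. The function names are assumptions for this illustration.

```python
def is_strict_der_signature(sig: bytes) -> bool:
    """True iff sig is 0x30 [len] 0x02 [lenR] R 0x02 [lenS] S [sighash], strictly DER encoded."""
    if len(sig) < 9 or len(sig) > 73:          # 1-byte R and S at least, 33-byte R and S at most
        return False
    if sig[0] != 0x30 or sig[1] != len(sig) - 3:   # SEQUENCE; length excludes tag, len, sighash
        return False
    len_r = sig[3]
    if 5 + len_r >= len(sig):                  # R must leave room for the S element
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != len(sig):          # the two lengths must account for every byte
        return False
    if sig[2] != 0x02 or len_r == 0 or sig[4] & 0x80:        # INTEGER tag, non-empty, positive R
        return False
    if len_r > 1 and sig[4] == 0x00 and not sig[5] & 0x80:   # no superfluous leading zero on R
        return False
    if sig[len_r + 4] != 0x02 or len_s == 0 or sig[len_r + 6] & 0x80:   # same three checks for S
        return False
    if len_s > 1 and sig[len_r + 6] == 0x00 and not sig[len_r + 7] & 0x80:
        return False
    return True                                # a lenient parser may still accept what failed above


def encode_signature(r: int, s: int, sighash: int = 0x01, pad_r: int = 0) -> bytes:
    """Serialize (r, s) as a script signature (DER plus sighash byte).  pad_r > 0
    deliberately prepends superfluous zero bytes to R: the lenient-only encoding."""
    def der_int(v: int, pad: int) -> bytes:
        body = b"\x00" * pad + v.to_bytes((v.bit_length() + 8) // 8, "big")  # minimal, positive
        return b"\x02" + bytes([len(body)]) + body
    body = der_int(r, pad_r) + der_int(s, 0)
    return b"\x30" + bytes([len(body)]) + body + bytes([sighash])


if __name__ == "__main__":
    r, s = 0x55, 0x66                          # constructed values; same (r, s), two encodings
    print(is_strict_der_signature(encode_signature(r, s)))           # True
    print(is_strict_der_signature(encode_signature(r, s, pad_r=1)))  # False
```

Two nodes that disagree on the second result disagree on whether the spending transaction, and hence the block containing it, is valid.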
full member
Activity: 141
Merit: 231
It looks like no altcoins have addressed this.  What does this mean for their vulnerability?  

We applied a patch to our source back on the 9th Jan (https://github.com/dogecoin/dogecoin/commit/6fa9a5e31a46120ffc772d7e8ca748b851c78f7f), and new binaries have been released compiled against OpenSSL 1.0.1l. I've also worked on a couple of open source libraries to ensure they're compatible as well.

I believe Darkcoin patched very early on too.

So; I would imagine a large number of alts haven't applied these patches, but it's almost certainly not "no altcoins".
legendary
Activity: 924
Merit: 1129
It looks like no altcoins have addressed this.  What does this mean for their vulnerability? 

Those based on Bitcoin or Litecoin sources (which, to be fair, is almost all of them) are at least possibly vulnerable if they have not merged the recent fixes from Bitcoin core or formed equivalent fixes.

That said, their blockchains are mostly much smaller and contain, in relative numbers, almost no transactions.  Whether they are vulnerable in practice depends on whether their blockchains do or don't contain any blocks that the new SSL will find problematic when their users upgrade their SSL.   

So, if someone wanted to destroy a whole bunch of altcoins right now, he could deliberately mine blocks that fail the new SSL check and pass the old SSL check.  They'd all hang when they tried to process the bogus block.


legendary
Activity: 1264
Merit: 1008
It looks like no altcoins have addressed this.  What does this mean for their vulnerability? 
legendary
Activity: 924
Merit: 1129
This is probably well after most people have already patched or defended against this, but the patch in question just got rolled out for Debian Jessie. 

Jessie has been on openssl 1.0.1j up until now, and they're rolling out the 'k' version.

When upgrading Debian Jessie:

If you are otherwise vulnerable (compiled it yourself) you need to hold three items because of the way Debian breaks things up into smaller chunks.

Before upgrading your system do the following, either with 'sudo' or as root:  

apt-mark hold openssl libssl1.0.0 libssl-dev
legendary
Activity: 1974
Merit: 1029
iU  libssl1.0.0:amd64                                     1.0.1f-1ubuntu2.7                                   amd64        Secure Sockets Layer toolkit - shared libraries
iF  libssl1.0.0:i386                                      1.0.1f-1ubuntu2.8                                   i386         Secure Sockets Layer toolkit - shared libraries

You have broken packages, those "iU" and "iF" at the beginning of the lines are pretty nasty. Run 'apt-get -f install'.
hero member
Activity: 517
Merit: 501
You also need to download the i386 version of libssl (same procedure as the other packages above).
member
Activity: 89
Merit: 10
Thank you very much for this
But it seems now I can't update & upgrade Ubuntu, it says something about wrong dependencies, any solution for that?

Without you telling me which dependencies are wrong, no. Most likely, you downgraded only part of your openssl packages, leaving some at the newer version. Make sure that you downgrade them all.

Do a dpkg -l | grep '1.0.1f' to see if there are different versions installed.

Okay, I think you are correct, here is the output:
iU  libssl1.0.0:amd64                                     1.0.1f-1ubuntu2.7                                   amd64        Secure Sockets Layer toolkit - shared libraries
iF  libssl1.0.0:i386                                      1.0.1f-1ubuntu2.8                                   i386         Secure Sockets Layer toolkit - shared libraries
hi  openssl                                               1.0.1f-1ubuntu2.7                                   amd64        Secure Sockets Layer toolkit - cryptographic utility

It has libssl 2.8; how do I completely remove it?
I am using Ubuntu 14.04 64-bit.

Thank you very much!

hero member
Activity: 517
Merit: 501
Thank you very much for this
But it seems now I can't update & upgrade Ubuntu, it says something about wrong dependencies, any solution for that?

Without you telling me which dependencies are wrong, no. Most likely, you downgraded only part of your openssl packages, leaving some at the newer version. Make sure that you downgrade them all.

Do a dpkg -l | grep '1.0.1f' to see if there are different versions installed.
member
Activity: 89
Merit: 10
How do you downgrade?

Code:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty

Code:
dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.8

You need to search for the version you need, download it for your architecture, and install it manually.

For example, in this case you search for 1.0.1f-1ubuntu2.7. You can find it here: https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.7
Select your architecture and download the .deb package of openssl and libssl (and the -dev packages if you need them). Then install them using dpkg.

Assuming that you're on 64-bit:

Code:
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/openssl_1.0.1f-1ubuntu2.7_amd64.deb
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i openssl_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb

That's it.

Thank you very much for this.
But it seems now I can't update & upgrade Ubuntu, it says something about wrong dependencies, any solution for that?
hero member
Activity: 517
Merit: 501
How do you downgrade?

Code:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty

Code:
dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.8

You need to search for the version you need, download it for your architecture, and install it manually.

For example, in this case you search for 1.0.1f-1ubuntu2.7. You can find it here: https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.7
Select your architecture and download the .deb package of openssl and libssl (and the -dev packages if you need them). Then install them using dpkg.

Assuming that you're on 64-bit:

Code:
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/openssl_1.0.1f-1ubuntu2.7_amd64.deb
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6463840/+files/libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i openssl_1.0.1f-1ubuntu2.7_amd64.deb
dpkg -i libssl1.0.0_1.0.1f-1ubuntu2.7_amd64.deb

That's it.
full member
Activity: 338
Merit: 100
https://eloncity.io/
ubuntu 14.04
affected?
same OS, my version is:
Code:
OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I only need to not upgrade to version 1.0.1k, but wait for the following one.
Did I understand that correctly?
well, apparently not.
Version 1.0.1f (6 Jan 2014) seems to be affected, too.
Running reindexing now.

I can confirm that Version 1.0.1f (6 Jan 2014) caused 4 test failures here as well.

The problem is that distributions tend to backport updates that are marked as security updates (as this one).

Here you go for Ubuntu: this is the security update that backports this patch to Ubuntu 14.10, Ubuntu 14.04 LTS,
Ubuntu 12.04 LTS, and Ubuntu 10.04 LTS: http://www.ubuntu.com/usn/usn-2459-1/

That means: if you are running any of the Ubuntu (server) versions above, you are very likely affected. If you are running Ubuntu LTS, you are for sure affected. In these cases, don't upgrade your OpenSSL installation.

Here's the list of package versions that you should NOT install (that is, the package versions with the backported patch):

Code:
Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.1
Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.23

How to avoid upgrading accidentally? Simply execute:

Code:
sudo apt-mark hold openssl

PS: don't trust the version reported by
Code:
openssl version
as it does not cover the backports. Execute
Code:
dpkg -s openssl | grep Version
to see which version you have.


How do you downgrade?

Code:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty

Code:
dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.8
newbie
Activity: 28
Merit: 0
I am developing a trading platform now, and I must compile the Bitcoin source code myself,
so which version of OpenSSL can I use? Thanks.
At this point, just use 0.9.4.

My other question is: why doesn't the Bitcoin system maintain one correct branch of OpenSSL?
Too large a codebase of mostly obfuscated spaghetti code.
It's going to be replaced with libsecp256k1 (which we do maintain) "soon" (planned since before this issue).

And, I ran the official bitcoind 0.9.3 to download all the block data, with no transactions yet, but a few days ago I changed to the 0.9.3 source code compiled with openssl 1.0.0k and continued to sync the block data. Do I still need to run -reindex to fix it?
newbie
Activity: 28
Merit: 0
I am developing a trading platform now, and I must compile the Bitcoin source code myself,
so which version of OpenSSL can I use? Thanks.
At this point, just use 0.9.4.

My other question is: why doesn't the Bitcoin system maintain one correct branch of OpenSSL?
Too large a codebase of mostly obfuscated spaghetti code.
It's going to be replaced with libsecp256k1 (which we do maintain) "soon" (planned since before this issue).

Thank you very much. Can I use 0.9.4 and openssl-0.9.8?

I plan to support more peer-to-peer Internet currencies on my trading platform. I guess other P2P currencies have the same problem, so I want to use a unified version of OpenSSL to compile all the source code.
legendary
Activity: 2576
Merit: 1186
I am developing a trading platform now, and I must compile the Bitcoin source code myself,
so which version of OpenSSL can I use? Thanks.
At this point, just use 0.9.4.

My other question is: why doesn't the Bitcoin system maintain one correct branch of OpenSSL?
Too large a codebase of mostly obfuscated spaghetti code.
It's going to be replaced with libsecp256k1 (which we do maintain) "soon" (planned since before this issue).
newbie
Activity: 28
Merit: 0
Greg Maxwell's announcement:  
http://sourceforge.net/p/bitcoin/mailman/message/33221963/

Summary:

There is a problem with the most recent release of OpenSSL which will cause issues for some users of Bitcoin Core on Linux. This is not a critical security issue, but everyone using Bitcoin Core on Linux should read the following information, especially if you're automatically processing Bitcoin payments. The worst-case scenario is that you might accept transactions as confirmed which are later reversed.

You are likely to be affected only if:

- You use Linux.
- You installed Bitcoin Core using your distro's package manager or you compiled Bitcoin Core yourself without using gitian. You are not affected if you use the binaries on bitcoin.org.
- You upgrade your system's OpenSSL to 1.0.0p or 1.0.1k. These were security-fix releases, so your package manager might have updated them automatically.

If you are affected, then your client might become stuck at a particular block, and you'll have to reindex the block chain to fix it. In some conceivable but unlikely scenarios, you might see incoming transactions as having 6+ confirmations when the transactions are actually invalid. If you are a pool operator, then you could conceivably start mining on a false chain, which would cause you to lose all of your future blocks until you fix this.

If you are using an affected version of Bitcoin Core, you should either make sure that your system OpenSSL does not get updated or shut down Bitcoin Core until an update fixing this is released in a day or two. If Bitcoin Core is already stuck and showing the "We do not appear to fully agree with our peers!" message, shut it down until an update fixing this is released; when you run that version, you'll have to run it with the -reindex switch.

Hello,

I am developing a trading platform now, and I must compile the Bitcoin source code myself,
so which version of OpenSSL can I use? Thanks.

My other question is: why doesn't the Bitcoin system maintain one correct branch of OpenSSL?
hero member
Activity: 517
Merit: 501
ubuntu 14.04
affected?
same OS, my version is:
Code:
OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and I only need to not upgrade to version 1.0.1k, but wait for the following one.
Did I understand that correctly?
well, apparently not.
Version 1.0.1f (6 Jan 2014) seems to be affected, too.
Running reindexing now.

I can confirm that Version 1.0.1f (6 Jan 2014) caused 4 test failures here as well.

The problem is that distributions tend to backport updates that are marked as security updates (as this one).

Here you go for Ubuntu: this is the security update that backports this patch to Ubuntu 14.10, Ubuntu 14.04 LTS,
Ubuntu 12.04 LTS, and Ubuntu 10.04 LTS: http://www.ubuntu.com/usn/usn-2459-1/

That means: if you are running any of the Ubuntu (server) versions above, you are very likely affected. If you are running Ubuntu LTS, you are for sure affected. In these cases, don't upgrade your OpenSSL installation.

Here's the list of package versions that you should NOT install (that is, the package versions with the backported patch):

Code:
Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.1
Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.23

How to avoid upgrading accidentally? Simply execute:

Code:
sudo apt-mark hold openssl

PS: don't trust the version reported by
Code:
openssl version
as it does not cover the backports. Execute
Code:
dpkg -s openssl | grep Version
to see which version you have.
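Added example in Python (not from this thread): an offline audit of `dpkg -l` output that applies the checks from the posts above in one pass. It flags rows whose dpkg state is not a clean installed one (the `iU`/`iF` lines; dpkg's legend marks a bad state with an uppercase letter), rows sitting at the package versions from USN-2459-1 listed above, and openssl/libssl rows that are not on hold. The sample rows are the ones pasted earlier in the thread; the function names and the four-column multiarch `dpkg -l` layout are assumptions.

```python
import re

BACKPORTED = {  # Ubuntu release -> (package, version) carrying the backported patch
    "14.10": ("libssl1.0.0", "1.0.1f-1ubuntu9.1"),
    "14.04": ("libssl1.0.0", "1.0.1f-1ubuntu2.8"),
    "12.04": ("libssl1.0.0", "1.0.1-4ubuntu5.21"),
    "10.04": ("libssl0.9.8", "0.9.8k-7ubuntu8.23"),
}
DESIRED = {"u": "unknown", "i": "install", "r": "remove", "p": "purge", "h": "hold"}
STATUS = {"n": "not-installed", "i": "installed", "c": "config-files", "U": "unpacked",
          "F": "half-configured", "H": "half-installed", "W": "triggers-awaited",
          "T": "triggers-pending"}
# desired, status, optional R (reinst-required), name, version, architecture
ROW = re.compile(r"^([uirph])([nicUFHWT])(R?) +(\S+) +(\S+) +(\S+)")

# Constructed sample: the rows a poster in this thread pasted, plus the header line.
SAMPLE_DPKG_L = """\
||/ Name                 Version             Architecture Description
iU  libssl1.0.0:amd64    1.0.1f-1ubuntu2.7   amd64        Secure Sockets Layer toolkit - shared libraries
iF  libssl1.0.0:i386     1.0.1f-1ubuntu2.8   i386         Secure Sockets Layer toolkit - shared libraries
hi  openssl              1.0.1f-1ubuntu2.7   amd64        Secure Sockets Layer toolkit - cryptographic utility
"""


def parse_dpkg_l(text):
    """One dict per package row of `dpkg -l` output; header and legend lines are skipped."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        desired, status, err, name, version, arch = m.groups()
        rows.append({"name": name, "version": version, "arch": arch,
                     "desired": DESIRED[desired], "status": STATUS[status],
                     # dpkg legend: uppercase status letter or the R flag means a broken package
                     "broken": status.isupper() or err == "R"})
    return rows


def audit(text, release):
    """(name, issue) pairs for the openssl-related rows; issue is broken-state
    (apt-get -f install), backported-patch (downgrade) or not-held (apt-mark hold)."""
    bad_pkg, bad_version = BACKPORTED[release]
    findings = []
    for r in parse_dpkg_l(text):
        base = r["name"].split(":")[0]      # drop the :amd64 / :i386 multiarch suffix
        if base not in ("openssl", bad_pkg):
            continue
        if r["broken"]:
            findings.append((r["name"], "broken-state"))
        if base == bad_pkg and r["version"] == bad_version:
            findings.append((r["name"], "backported-patch"))
        if r["desired"] != "hold":
            findings.append((r["name"], "not-held"))
    return findings
```

Running `audit(SAMPLE_DPKG_L, "14.04")` on the sample reports both libssl rows as broken and not held, the i386 one as carrying the backported patch, and nothing for the held openssl row.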