
Topic: Users of Bitcoin Core on Linux must not upgrade to the latest version of OpenSSL - page 5. (Read 66048 times)

legendary
Activity: 1064
Merit: 1000
I know how to check openssl version, question was about bitcoin-qt binary package from ppa

Just open the debug window and you will see what version of OpenSSL the executable was linked against.


Kind of makes me glad I haven't bothered upgrading openssl in some time.

*blank stare*


Like you said, there is LibreSSL.
sr. member
Activity: 658
Merit: 250
Kind of makes me glad I haven't bothered upgrading openssl in some time.

Heartbleed much?
sr. member
Activity: 264
Merit: 250
I know how to check openssl version, question was about bitcoin-qt binary package from ppa

Just open the debug window and you will see what version of OpenSSL the executable was linked against.


Kind of makes me glad I haven't bothered upgrading openssl in some time.

*blank stare*
legendary
Activity: 1064
Merit: 1000
Kind of makes me glad I haven't bothered upgrading openssl in some time.
sr. member
Activity: 264
Merit: 250
Because openssl is one giant mess, it's so horrid that it is immune to auditing but it is so widely used that we're just stuck with it.
I for one commend the developers for at least trying to fix it, anyone else would have given up years ago.

http://www.libressl.org/
legendary
Activity: 4130
Merit: 1307
ubuntu 14.04
affected?

Start openssl from the terminal, wait for it to start, and use version to see if you have one of the versions in question. Close openssl with quit.
I know how to check openssl version, question was about bitcoin-qt binary package from ppa

Perhaps try apt-get upgrade and see if it wants to install the new version. Then do not hit Y to install?

I think it showed up on my ec2 server this morning and I installed it since it is just a web server. I didn't note it though and am not in a position to check right now.

It looks like there is now a patch for it from Wladimir, per the mail list, btw.

edit:
I did check to see if 14.04 was offering to install the update via apt-get and it was not as of now. 
legendary
Activity: 1493
Merit: 1003
Just for checking, I have version 1.0.1f in ubuntu but I'm using bitcoin core 0.9.2.1 from bitcoin.org, so no need to change or panic, is that right?
And thanks for the heads up, theymos - this is exactly what makes this community awesome!
full member
Activity: 224
Merit: 100
ubuntu 14.04
affected?

Start openssl from the terminal, wait for it to start, and use version to see if you have one of the versions in question. Close openssl with quit.
I know how to check openssl version, question was about bitcoin-qt binary package from ppa
sr. member
Activity: 264
Merit: 250
Lol, what is this? OpenSSL is becoming more of a joke every day.

This is actually a twofold problem - Bitcoin Core's use of signature validation plays an equal part in this.
copper member
Activity: 1498
Merit: 1528
No, I don't escrow anymore.
ubuntu 14.04
affected?

Start openssl from the terminal, wait for it to start, and use version to see if you have one of the versions in question. Close openssl with quit.
full member
Activity: 224
Merit: 100
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
This is serious.

Anybody know when a patch is coming?
legendary
Activity: 1652
Merit: 1016
Arch Linux just updated to 1.0.1k so this affects my node.
Think I'll just shut my node down till the patch.
sr. member
Activity: 658
Merit: 250
The question is, why do the OpenSSL developers push compatibility breaking updates to the stable branches? They have 1.0.2-beta for all kinds of experiments.


Because openssl is one giant mess, it's so horrid that it is immune to auditing but it is so widely used that we're just stuck with it.
I for one commend the developers for at least trying to fix it, anyone else would have given up years ago.
sr. member
Activity: 392
Merit: 268
Tips welcomed: 1CF4GhXX1RhCaGzWztgE1YZZUcSpoqTbsJ
Is the issue having the new version of OpenSSL at compile-time, or at run-time? (My build of 0.10rc1 links dynamically to /lib/x86_64-linux-gnu/libssl.so.1.0.0, but I don't know about 0.9.3 or builds made on the PPA as part of a Debian build process).

Furthermore, to prevent such drama later if OpenSSL is still used down the road, is there a documented, secure, and feasible way to statically link to a known version of OpenSSL that is passing tests?
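
An added example, not part of the original thread: the posts above distinguish the version reported by the system openssl tool from the library a Bitcoin Core binary actually loads at run time. This sketch parses ldd output for the libssl/libcrypto dependencies and reads the version banner embedded in a library file; the sample ldd text is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `ldd <binary>` output on stdin and print "soname path" for each
# libssl/libcrypto dependency, "soname not-found" if the loader cannot
# resolve it, or "none" if the binary has no dynamic OpenSSL dependency
# (for example a build with OpenSSL linked in statically).
linked_openssl() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            print $1, ($3 == "not" ? "not-found" : $3)
            found = 1
        }
        END { if (!found) print "none" }
    '
}

# Print the first version banner embedded in a library file,
# e.g. "OpenSSL 1.0.1f". grep -a treats the binary as text.
openssl_banner() {
    grep -a -o 'OpenSSL [0-9][0-9.]*[a-z]*' "$1" | head -n 1
}

# Constructed ldd output for a dynamically linked build; the library
# path is the one quoted in the post above, the addresses are made up.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007ffc00000000)
	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000200000)
	libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000400000)'

printf '%s\n' "$SAMPLE_LDD" | linked_openssl

# Real use (binary path is an assumption):
#   ldd /usr/bin/bitcoin-qt | linked_openssl
#   openssl_banner /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
```

A result of none means the binary has no run-time OpenSSL dependency, as with a statically linked build, so a system package update does not change the OpenSSL code it runs. Distribution packages often backport fixes without changing the upstream version letter, so compare the package version as well as the banner.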
legendary
Activity: 1218
Merit: 1000
Thanks theymos, OpenSSL lets me down once again.
sr. member
Activity: 474
Merit: 500
Thank you theymos for this info.
Best regards
Christian
legendary
Activity: 2226
Merit: 1052
legendary
Activity: 1241
Merit: 1020
No surrender, no retreat, no regret.
The question is, why do the OpenSSL developers push compatibility breaking updates to the stable branches? They have 1.0.2-beta for all kinds of experiments.
hero member
Activity: 602
Merit: 501
Lol, what is this? OpenSSL is becoming more of a joke every day.

Or maybe it is being done on purpose.