From 61e469d07831505bb53b1d46052eed14dc2bce3a Mon Sep 17 00:00:00 2001 From: Gavin Andresen Date: Fri, 11 Apr 2014 10:56:33 -0400 Subject: [PATCH] Heartbleed vulnerability alert: https://bitcoin.org/heartbleed --- _alerts/2014-04-11-heartbleed.html | 45 ++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 _alerts/2014-04-11-heartbleed.html diff --git a/_alerts/2014-04-11-heartbleed.html b/_alerts/2014-04-11-heartbleed.html new file mode 100644 index 00000000..1802fddd --- /dev/null +++ b/_alerts/2014-04-11-heartbleed.html @@ -0,0 +1,45 @@ +--- +title: "OpenSSL Heartbleed vulnerability" +alias: "heartbleed" +active: true +banner: "" +--- + +

What happened

+ +

The version of OpenSSL used by Bitcoin Core software version 0.9.0 and earlier +contains a bug that can reveal memory to a remote attacker. See +http://heartbleed.com/ +for details. +

+ +

What you should do

+ +

Immediately upgrade to Bitcoin Core version 0.9.1 which is linked against +OpenSSL version 1.0.1g. + +If you use the official binaries, you can verify the version of OpenSSL being +used from the Bitcoin Core GUI's Debug window (accessed from the Help menu). +If you compiled Bitcoin Core yourself or use the Ubuntu PPA, update your +system's OpenSSL. + +Linux users should also upgrade their system's version of OpenSSL. +

+ +

How serious is the risk

+ +

If you are using the Windows version of the Bitcoin Core GUI without a wallet +passphrase, it is possible that your wallet could be compromised by clicking +on a bitcoin: payment request link. + +If you are using bitcoind (on Linux, OSX, or Windows), +have enabled the -rpcssl option, and allow RPC connections +from the Internet, an attacker from a whitelisted (-allowip) IP address can +very likely discover the rpcpassword and the last rpc request. It is possible +(but unlikely) private keys could be sent to the attacker. +

+ + +
+ This notice last updated: Tue, 11 April 2014 11:00:00 -0500 +
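
Review bot: The "What you should do" section stops at upgrading, while the "How serious is the risk" section says an attacker "can very likely discover the rpcpassword" when -rpcssl is enabled and RPC is reachable from the Internet; upgrading does not undo a disclosure that has already happened, so the action list should also tell those users to change their rpcpassword after moving to 0.9.1, and should say what a Windows GUI user without a wallet passphrase should do if the wallet may already have been exposed. In the same section, "If you compiled Bitcoin Core yourself or use the Ubuntu PPA, update your system's OpenSSL" and "Linux users should also upgrade their system's version of OpenSSL" overlap and could be merged into one instruction. In the footer, "Tue, 11 April 2014 11:00:00 -0500" does not match the commit's own Date header ("Fri, 11 Apr 2014 10:56:33 -0400"): the weekday should be Fri, and the UTC offset is worth checking against the intended timezone.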