mirror of
https://github.com/seigler/dash-docs
synced 2025-07-27 01:36:13 +00:00
Gemfile:

- Upgrade to Jekyll 3.x (3.0.1 tested). This brings several new features I want to use, most notably *collections* which allows us to add blog-like collections. I've converted the `_releases` and `_alerts` pages into collections, although their plugins are maintained to handle the Download and Active Alert features.
- Upgrade to latest Kramdown.
- Lock Less at 2.4.0. This prevents breaking our Less plugin. Jekyll 3.x provides native support for SCSS, so we may want to switch to that in time.
- Lock HTML Proofer at 2.1.0. The most recent version was taking forever to check our pages (I never actually got it to complete). I'll look into it when I get more time.

Makefile:

- New `make clean` command. Jekyll 3.x by default attempts to do incremental rebuilds. The new `jekyll clean` command cleans up the metadata necessary for that so that a full build is performed, and this new `make clean` command is a wrapper around it so that we automatically do full rebuilds in the relevant cases. Note: our plugins aren't fully compatible with the incremental rebuilds, but I'd like to fix that in the future.
- Remove WEBrick hack to enable previewing with default URL paths (/ instead of /index.html).
- Filter out complaints from Rouge

README.md:

- Now that Alerts (_alerts) are part of a collection, the file names are no longer parsed for dates, so instructions on adding the date to the YAML metadata have been added.

_alerts/*:

- Now that alerts are part of a collection, the file names are no longer parsed to provide dates, so a `date:` field has been added to the YAML metadata.

_config.yml:

- Some variables renamed per upgrade instructions.
- Switched from old default syntax highlighter Pygments to new default Rouge. I tried to use Rouge options to keep new output as similar to old output as possible to make diffing easy, but Rouge adds extra CSS class info.
- Move `_alerts` and `_releases` into Jekyll 3.x "collections", which provide the organizational features we were using plugins to manage. I haven't removed the old plugins because we still use some of their features (alerts.rb provides active issue and banner features; releases.rb provides info to Download page)
- _layouts/* can no longer provide default global metadata; that is now provided in the new `defaults:` section in _config.yml.

_layouts/*:

- Default metadata can no longer be provided in the layout files for collections, so I've removed it and left a message to see _config.yml.

_plugins/*:

- Remove filter_for.rb. It's completely broken on Jekyll 3.x because of changes to Liquid which prevent adding new arguments to the inherited Liquid::For class. Existing uses of filter_for have been migrated to built-in for loops prefaced by sorts.
- Remove remove-html-extension.rb: as it said in the comments, this was a temporary hack to get us to Jekyll 3.0.

_releases/*:

- Rename all the files: prefix a v to the file name so the output html (e.g. v10.0.0.html) is the same as the source filename (e.g. v10.0.0.md). This is necessary to migrate them to a Jekyll collection.
- Remove %v from titles: we have to explicitly set the title, like we used to. Again required for migration to collections.

_templates/events.html & en/rss/events.rss:

- Sort events by date and then loop with regular for loop rather than filter_for

en/alerts.html & en/rss/alerts.rss:

- Sort alerts by date and then loop with regular for loop rather than filter_for

en/bitcoin-core/index.md & en/version-history.html & en/rss/releases.rss:

- Sort alerts by date and then loop with regular for loop rather than filter_for
52 lines
1.8 KiB
HTML
---
title: "OpenSSL Heartbleed vulnerability"
shorturl: "heartbleed"
active: false
banner: ""
date: 2014-04-11
---

<h2 id="what-happened">What happened</h2>

<p>The version of OpenSSL used by Bitcoin Core software version 0.9.0 and earlier
contains a bug that can reveal memory to a remote attacker. See
<a href="http://heartbleed.com/">http://heartbleed.com/</a>
for details.
</p>

<h2 id="what-you-should-do">What you should do</h2>

<p>Immediately upgrade to <a href="/en/download">Bitcoin Core version 0.9.1</a>, which is linked against
OpenSSL version 1.0.1g.

If you use the official binaries, you can verify the version of OpenSSL being
used from the Bitcoin Core GUI's Debug window (accessed from the Help menu).
If you compiled Bitcoin Core yourself or use the Ubuntu PPA, update your
system's OpenSSL.

Linux users should also upgrade their system's version of OpenSSL.
</p>

<h3 id="android">Android</h3>

<p>Android version 4.1.1 is vulnerable to Heartbleed. If you can, upgrade to at
least Android 4.1.2. If you are using Bitcoin Wallet on an Android phone, you
should upgrade the app to at least version 3.45.</p>

<h2 id="how-serious-is-the-risk">How serious is the risk</h2>

<p>If you are using the Windows version of the Bitcoin Core GUI without a wallet
passphrase, it is possible that your wallet could be compromised by clicking
on a bitcoin: payment request link.

If you are using bitcoind (on Linux, OSX, or Windows),
have enabled the -rpcssl option, and allow RPC connections
from the Internet, an attacker from a whitelisted (-allowip) IP address can
very likely discover the rpcpassword and the last RPC request. It is possible
(but unlikely) that private keys could be sent to the attacker.
</p>
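
<p>An added example, not part of the original notice or of Bitcoin Core: a self-audit that combines the OpenSSL version check from "What you should do" with the bitcoind RPC exposure described above. The function names and finding labels are hypothetical, <code>rpcallowip</code> is assumed to be the bitcoin.conf spelling of the option the notice calls -allowip, and the affected range (upstream 1.0.1 through 1.0.1f) comes from the upstream OpenSSL advisory rather than from this page.</p>

```python
import ipaddress
import re

def openssl_in_heartbleed_range(banner):
    """True for upstream OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g)."""
    m = re.search(r"OpenSSL\s+1\.0\.1([a-z]?)(?![0-9a-z])", banner)
    return m is not None and m.group(1) < "g"

def parse_conf(text):
    """Parse bitcoin.conf style key=value lines; keys may repeat."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts.setdefault(key, []).append(value)
    return opts

def is_loopback(entry):
    """Wildcards such as 10.1.1.* do not parse and count as remote."""
    try:
        return ipaddress.ip_network(entry, strict=False).is_loopback
    except ValueError:
        return False

def audit(conf_text, openssl_banner):
    """Return findings for the bitcoind exposure described in the notice."""
    opts = parse_conf(conf_text)
    ssl_on = opts.get("rpcssl", ["0"])[-1] == "1"  # assumes the 0/1 form
    remote = [v for v in opts.get("rpcallowip", []) if not is_loopback(v)]
    vulnerable = openssl_in_heartbleed_range(openssl_banner)
    findings = []
    if vulnerable:
        findings.append("openssl-in-heartbleed-range")
    if ssl_on and remote:
        findings.append("rpcssl-with-remote-allowip:" + ",".join(remote))
    if vulnerable and ssl_on and remote:
        findings.append("rpcpassword-at-risk")
    return findings

# Constructed sample input, not taken from a real node.
SAMPLE_CONF = """\
server=1
rpcuser=bitcoinrpc
rpcpassword=EXAMPLE-ONLY
rpcssl=1
rpcallowip=127.0.0.1
rpcallowip=203.0.113.*
"""
print(audit(SAMPLE_CONF, "OpenSSL 1.0.1f 6 Jan 2014"))
```

<p>Pass the banner printed by <code>openssl version</code> or shown in the Debug window. Distribution packages can carry the fix without changing the version letter, so a version-range finding on a distro build should be confirmed against the package's own changelog.</p>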

<div style="text-align:right">
<i>This notice last updated: Fri, 11 Apr 2014 12:19:23 -0400</i>
</div>