The Bitcoin Core security update to version 0.9.1 comes less than 24 hours after an announcement of the discovery of the Heartbleed Bug.
Specifically, the OpenSSL Heartbleed Bug could reveal partial memory contents related to an encrypted SSL/TLS session to an attacker. In the case of Bitcoin, this means that private keys may be revealed.
Any Bitcoin Core GUI that uses a vulnerable version of the OpenSSL library could be vulnerable to the following exploit. Should the user click on a bitcoin: link to initiate a payment via a website controlled by an attacker, it is possible (though unlikely) that one or more of the user’s private keys could be sent to the attacker.
Users of bitcoind who have enabled the -rpcssl option, and allow RPC connections from the Internet, are vulnerable to attackers from whitelisted (-allowip) IP addresses. In this scenario, it is likely that an attacker may discover the rpcpassword and the last RPC request. Again, the developers believe it is possible (but unlikely) that private keys could be sent to the attacker.
If you use the -rpcssl option, or use the Bitcoin Core GUI wallet, you should immediately upgrade to Bitcoin Core version 0.9.1 which is linked against OpenSSL version 1.0.1g. Verify the version of OpenSSL being used from the Bitcoin Core GUI’s Debug window (accessed via the Help menu).
bitcoind users can verify the OpenSSL version being used by executing
$ ldd bitcoind
If you built Bitcoin Core 0.9.0 from source; used the Ubuntu PPA; or the Debian package for the latest Bitcoin build then you are safe as soon as you have upgraded your system’s OpenSSL package via your distribution’s package manager.
Static gitian builds are now supported via core maintainer Wladimir van der Laan’s script implementation in contrib/gitian-descriptors/gitian-linux.yml. Any static builds out there will, of course, need to be rebuilt as soon as possible and Wladimir’s script automates the process in a tried and tested manner.
Last modified: April 9, 2014 06:40 UTC