Bitcoin Core 0.9.1 Security Update

April 9, 2014 00:00 UTC

Bitcoin Core version 0.9.1 has been released to update the bundled OpenSSL library to the patched version 1.0.1g.

The Bitcoin Core security update to version 0.9.1 comes less than 24 hours after the public disclosure of the Heartbleed bug (CVE-2014-0160) in OpenSSL.

Specifically, the Heartbleed bug lets a peer of a TLS connection read up to 64 KB of the process's memory per malformed heartbeat message, without authentication and without leaving a trace in the application's logs. The leaked memory is whatever happens to be nearby in the process, not just data belonging to the TLS session, so in the case of Bitcoin Core it can include wallet private keys, the RPC password and the contents of recent requests.

Specific Vulnerabilities

Any Bitcoin Core GUI built against a vulnerable version of the OpenSSL library is exposed to the following attack. The GUI uses SSL/TLS when it talks to a payment server, so should the user click on a bitcoin: link that initiates a payment via a website controlled by an attacker, it is possible (though unlikely) that one or more of the user's private keys could be sent to the attacker.

Users of bitcoind who have enabled the -rpcssl option, and allow RPC connections from the Internet, are exposed to any attacker who can connect from an IP address permitted by -rpcallowip. In this scenario, it is likely that an attacker could recover the rpcpassword and the last RPC request from leaked memory. Again, the developers believe it is possible (but unlikely) that private keys could be sent to the attacker. Users who have not enabled -rpcssl and do not use the GUI are not affected by either case.

What Should I Do?

If you use the -rpcssl option, or use the Bitcoin Core GUI wallet, you should immediately upgrade to Bitcoin Core version 0.9.1, which is linked against OpenSSL version 1.0.1g. You can verify the version of OpenSSL in use from the Bitcoin Core GUI's Debug window (accessed via the Help menu).

bitcoind users can see which OpenSSL library their binary loads by executing

$ ldd bitcoind

Two caveats apply. First, the soname libssl.so.1.0.0 is shared by every OpenSSL 1.0.x release, so the file name in the ldd output does not tell you whether it is 1.0.1f or 1.0.1g; check the version string inside the library itself (or the version of the distribution package that provides it). Second, a statically linked bitcoind shows no libssl entry at all, because its copy of OpenSSL is inside the executable; such a binary has to be rebuilt or replaced, not just given a new system library.
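The following script is an added example, not part of the article or of Bitcoin Core, that automates that check: it parses ldd output to find the libcrypto a binary will load (the "OpenSSL x.y.z" version text lives in libcrypto rather than libssl), pulls the version banner out of that library with strings, and classifies it by Heartbleed status. The sample ldd output embedded in it is constructed for the example, and the library paths in it are assumptions.

```bash
#!/bin/sh
# Added example (not from the article or from Bitcoin Core): locate the
# OpenSSL library a dynamically linked binary will load and classify its
# version by Heartbleed (CVE-2014-0160) status.

# Classify an OpenSSL version banner such as "OpenSSL 1.0.1f 6 Jan 2014".
# Heartbleed affects the 1.0.1 branch up to and including 1.0.1f (and its
# betas) plus 1.0.2-beta1; 1.0.1g fixed it. The 0.9.8 and 1.0.0 branches never
# had the TLS heartbeat extension, and 1.1.0 and later came after the fix.
# Prints one of: vulnerable, fixed, not-affected, unknown.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    case "$ver" in
        1.0.1[a-f]|1.0.1|1.0.1-beta*|1.0.2-beta1) echo vulnerable ;;
        1.0.1*|1.0.2*)                            echo fixed ;;
        0.9.*|1.0.0*|1.[1-9].*|[2-9].*)          echo not-affected ;;
        *)                                        echo unknown ;;
    esac
}

# Take the text output of "ldd /path/to/binary" and print the path of the
# libcrypto it resolves to, or "static" when there is none (ldd prints
# "statically linked" for such binaries; their OpenSSL is inside the executable).
libcrypto_from_ldd() {
    path=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*libcrypto\.so[^ ]* => \([^ ]*\) .*/\1/p' \
        | sed -n '1p')
    if [ -n "$path" ]; then echo "$path"; else echo static; fi
}

# Print the first "OpenSSL x.y.z ..." banner found in a library or executable,
# or "unknown" if there is none. Note that distribution packages often
# backport the fix without bumping this string, so for a distro-provided
# libcrypto the package changelog is the authoritative source, not the banner.
openssl_version_of_file() {
    banner=$(strings -- "$1" 2>/dev/null | sed -n '/^OpenSSL [01]\./{p;q;}')
    if [ -n "$banner" ]; then echo "$banner"; else echo unknown; fi
}

# End-to-end check of one binary: ldd -> libcrypto path -> banner -> status.
check_binary() {
    bin=$1
    lib=$(libcrypto_from_ldd "$(ldd "$bin" 2>&1)")
    if [ "$lib" = static ]; then
        banner=$(openssl_version_of_file "$bin")   # static: text is in the binary itself
    else
        banner=$(openssl_version_of_file "$lib")
    fi
    printf '%s: %s (%s) -> %s\n' "$bin" "$lib" "$banner" "$(heartbleed_status "$banner")"
}

# Constructed sample of what ldd prints for a dynamically linked bitcoind on a
# Debian-style system (paths and load addresses are made up for the example).
SAMPLE_LDD=$(printf '\tlinux-vdso.so.1 =>  (0x00007fff5a1fe000)\n\tlibssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1a2c000000)\n\tlibcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1a2bc00000)\n\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2b800000)\n')

# Usage: ./check_openssl.sh /path/to/bitcoind [/path/to/bitcoin-qt ...]
for b in "$@"; do
    check_binary "$b"
done
```

Run it against the bitcoind and bitcoin-qt binaries you actually execute (including any copies in a cron job or service file), and treat a "vulnerable" result on a distribution-provided libcrypto as a prompt to check the package version rather than as a final verdict, since the banner does not change when the distribution backports the fix.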

Unaffected Users

If you built Bitcoin Core 0.9.0 from source, used the Ubuntu PPA, or installed the Debian package for the latest Bitcoin build, your binary links dynamically against the system OpenSSL, so you are safe as soon as you have upgraded your system's OpenSSL package via your distribution's package manager. Restart bitcoind or the GUI after the upgrade: a running process keeps the old, vulnerable library mapped in memory until it is restarted.

Additional Updates in 0.9.1

Static gitian builds are now supported via core maintainer Wladimir van der Laan's script implementation in contrib/gitian-descriptors/gitian-linux.yml. Any existing static builds, which carry their own copy of OpenSSL inside the executable rather than using the system library, will of course need to be rebuilt as soon as possible, and Wladimir's script automates the process in a tried and tested manner.

Last modified: April 9, 2014 06:40 UTC

@venzen

Market analyst and open-source developer with a keen interest in blockchain technology, consensus mechanisms and the decentralizing effect. He has found a solution to the PKI mechanism. Email me to discuss.