On April 8 Bitcoin Core version 0.9.1 was released to fix several bugs. Everyone is advised to download the new version and upgrade the existing one as it is a maintenance release to fix urgent security vulnerability (CVE-2014-0160).
The Bitcoin Core version 0.9.1 is available on Bitcoin.org. Essentially, it aims to solve the following problems:
• CVE-2014-0160 (also known as ‘heartbleed’). A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
• CVE-2014-0076. The Montgomery ladder implementation in OpenSSL does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
However, no code changes were performed in comparison with the previous 0.9.0 version. The main alterations focus on changed dependencies.
It is also advised to upgrade OpenSSL to 1.0.1g and add statically built executables to Linux.
All other fixed and pending Bitcoin issues can be observed on GitHub.
The issue of the new update has already been observed by experts. According to theymos speaking on BitcoinTalk, those using the graphical version of the previous release have to update immediately independent of the platform. He stated:
“If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.”
He advises creating a new wallet and move all present Bitcoins while it is not too late. The old should be deleted as well.
Users who have a different version of Bitcoin-Qt/ Bitcoin Core might suffer from an attack if the rpcssl command-line option is set. The RPC port could have been accessed by an intruder.
The fact is not certain, but should be considered. The research of theymos has shown that the fault lies in the OpenSSL library. He warned:
“If you are using a binary version of Bitcoin Core obtained from bitcoin.org or SourceForge, then updating your system's version of OpenSSL will not help. OpenSSL is packaged with the binary on all platforms.”
Luke-Jr replied to skeptical Bitcoin users, who voiced doubts about the seriousness of the problem. He added one more aspect to the discussion:
“The vulnerability is bidirectional. The server (or anyone MITMing it!) can get the client to leak information too, which could include private wallet data.”
• Bitcoin Core version 0.9.1 on Bitcoin.org
• Bitcoin issues on GitHub