Gavin Andresen (Chief Scientist)

Bitcoin-Qt / bitcoind version 0.8.4 released, fixes critical DoS vulnerability

September 04, 2013, 01:22:54 AM

Last edit: September 04, 2013, 01:45:20 AM by theymos #1

Bitcoin-Qt version 0.8.4 is now available from:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.4/

This is a maintenance release to fix a critical bug and three
security issues; we urge all users to upgrade.

Please report bugs using the issue tracker at github:
https://github.com/bitcoin/bitcoin/issues

How to Upgrade
--------------

If you are running an older version, shut it down. Wait
until it has completely shut down (which might take a few minutes for older
versions), then run the installer (on Windows) or just copy over
/Applications/Bitcoin-Qt (on Mac) or bitcoind/bitcoin-qt (on Linux).

If you are upgrading from version 0.7.2 or earlier, the first time you
run 0.8.4 your blockchain files will be re-indexed, which will take
anywhere from 30 minutes to several hours, depending on the speed of
your machine.

0.8.4 Release notes
===================

Security issues
---------------

An attacker could send a series of messages that resulted in
an integer division-by-zero error in the Bloom Filter handling
code, causing the Bitcoin-Qt or bitcoind process to crash.
Bloom filters were introduced with version 0.8, so versions 0.8.0
through 0.8.3 are vulnerable to this critical denial-of-service attack.

A constant-time algorithm is now used to check RPC password
guess attempts; fixes https://github.com/bitcoin/bitcoin/issues/2838
(CVE-2013-4165)

Implement a better fix for the fill-memory-with-orphan-transactions
attack that was fixed in 0.8.3. See
https://bitslog.wordpress.com/2013/07/18/buggy-cve-2013-4627-patch-open-new-vectors-of-attack/
for a description of the weaknesses of the previous fix.
(CVE-2013-4627)

Bugs fixed
----------

Fix multi-block reorg transaction resurrection.

Fix non-standard disconnected transactions causing mempool orphans.
This bug could cause nodes running with the -debug flag to crash.

OSX: use 'FD_FULLSYNC' with LevelDB, which will (hopefully!)
prevent the database corruption issues many people have
experienced on OSX.

Linux: clicking on bitcoin: links was broken if you were using
a Gnome-based desktop.

Fix a hang-at-shutdown bug that only affects users that compile
their own version of Bitcoin against Boost versions 1.50-1.52.

Other changes
-------------

Checkpoint at block 250,000 to speed up initial block downloads
and make the progress indicator when downloading more accurate.

Thanks to everybody who contributed to the 0.8.4 releases!
----------------------------------------------------------

Pieter Wuille
Warren Togami
Patrick Strateman
pakt
Gregory Maxwell
Sergio Demian Lerner
grayleonard
Cory Fields
Matt Corallo
Gavin Andresen
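The constant-time RPC password check mentioned in the release notes above, shown as an added example (not code from the post or from the Bitcoin project): it contrasts an early-exit comparison with an accumulator-based one, counting bytes examined as a deterministic stand-in for timing. The names `LeakyEqual`, `ConstantTimeEqual` and `Result`, and the sample password, are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

struct Result { bool equal; size_t steps; };  // steps = bytes examined

// Early-exit comparison (the pattern being replaced): stops at the first
// mismatch, so the work done reveals how long the matching prefix is.
Result LeakyEqual(const std::string& guess, const std::string& secret) {
    Result r = {false, 0};
    if (guess.size() != secret.size()) return r;
    for (size_t i = 0; i < secret.size(); ++i) {
        ++r.steps;
        if (guess[i] != secret[i]) return r;
    }
    r.equal = true;
    return r;
}

// Constant-time comparison: every byte of the guess is examined and the
// differences are OR-ed into an accumulator, with no data-dependent branch.
Result ConstantTimeEqual(const std::string& guess, const std::string& secret) {
    Result r = {false, 0};
    if (secret.empty()) { r.equal = guess.empty(); return r; }
    size_t acc = guess.size() ^ secret.size();  // length mismatch taints acc
    for (size_t i = 0; i < guess.size(); ++i) {
        ++r.steps;
        acc |= static_cast<unsigned char>(guess[i]) ^
               static_cast<unsigned char>(secret[i % secret.size()]);
    }
    r.equal = (acc == 0);
    return r;
}

int main() {
    const std::string secret = "s3cr3t-pw";  // constructed sample password
    const char* guesses[] = {"XXXXXXXXX", "s3cXXXXXX", "s3cr3t-pX", "s3cr3t-pw"};
    for (const char* g : guesses) {
        Result a = LeakyEqual(g, secret), b = ConstantTimeEqual(g, secret);
        std::printf("%-10s leaky: steps=%zu eq=%d | constant: steps=%zu eq=%d\n",
                    g, a.steps, a.equal, b.steps, b.equal);
    }
    return 0;
}
```

The step count of the early-exit version grows with the length of the correct prefix, while the accumulator version's step count depends only on the length of the guess.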