MIME-Version: 1.0
Date: Wed, 4 Sep 2013 11:16:35 +1000
Message-ID: <CABsx9T1hwD3psM14mGKwWpk3RwZTXJviP=AtcHWpBeYbAB410A@mail.gmail.com>
From: Gavin Andresen <gavin@bitcoinfoundation.org>
To: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Content-Type: multipart/alternative; boundary=001a11c3430277490804e5848e19
Subject: [Bitcoin-development] 0.8.4 released,
	fixes critical denial-of-service issue

--001a11c3430277490804e5848e19
Content-Type: text/plain; charset=ISO-8859-1

Bitcoin-Qt version 0.8.4 is now available from:
  http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.4/

This is a maintenance release to fix a critical bug and three
security issues; we urge all users to upgrade.

There were no changes from 0.8.4 release candidate 2, so if you are running
0.8.4rc2 you do not need to upgrade.

Please report bugs using the issue tracker at github:
  https://github.com/bitcoin/bitcoin/issues


How to Upgrade
--------------

If you are running an older version, shut it down. Wait
until it has completely shut down (which might take a few minutes for older
versions), then run the installer (on Windows) or just copy over
/Applications/Bitcoin-Qt (on Mac) or bitcoind/bitcoin-qt (on Linux).

If you are upgrading from version 0.7.2 or earlier, the first time you
run 0.8.4 your blockchain files will be re-indexed, which will take
anywhere from 30 minutes to several hours, depending on the speed of
your machine.

0.8.4 Release notes
===================

Security issues
---------------

An attacker could send a series of messages that resulted in
an integer division-by-zero error in the Bloom Filter handling
code, causing the Bitcoin-Qt or bitcoind process to crash.
Bloom filters were introduced with version 0.8, so versions 0.8.0
through 0.8.3 are vulnerable to this critical denial-of-service attack.

A constant-time algorithm is now used to check RPC password
guess attempts; fixes https://github.com/bitcoin/bitcoin/issues/2838
(CVE-2013-4165)

Implement a better fix for the fill-memory-with-orphan-transactions
attack that was fixed in 0.8.3. See
https://bitslog.wordpress.com/2013/07/18/buggy-cve-2013-4627-patch-open-new-vectors-of-attack/
for a description of the weaknesses of the previous fix.
(CVE-2013-4627)

Bugs fixed
----------

Fix multi-block reorg transaction resurrection.

Fix non-standard disconnected transactions causing mempool orphans.
This bug could cause nodes running with the -debug flag to crash.

OSX: use 'FD_FULLSYNC' with LevelDB, which will (hopefully!)
prevent the database corruption issues many people have
experienced on OSX.

Linux: clicking on bitcoin: links was broken if you were using
a Gnome-based desktop.

Fix a hang-at-shutdown bug that only affects users that compile
their own version of Bitcoin against Boost versions 1.50-1.52.

Other changes
-------------

Checkpoint at block 250,000 to speed up initial block downloads
and make the progress indicator when downloading more accurate.


Thanks to everybody who contributed to the 0.8.4 releases!
----------------------------------------------------------

Pieter Wuille
Warren Togami
Patrick Strateman
pakt
Gregory Maxwell
Sergio Demian Lerner
grayleonard
Cory Fields
Matt Corallo
Gavin Andresen

--001a11c3430277490804e5848e19--
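
The release notes above say a constant-time algorithm now checks RPC password guesses (CVE-2013-4165). The following is an added example, not code from the Bitcoin project or from the original message: it puts an early-exit comparison beside a constant-time one and counts the byte positions each examines, as a deterministic stand-in for running time. The function names, the CompareResult struct and the sample secret are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed sample secret; not a real credential.
const std::string kSecret = "hunter2-rpc";

// Outcome plus the number of byte positions examined. The count stands in
// for running time so the leak can be shown deterministically.
struct CompareResult {
    bool equal;
    std::size_t bytes_examined;
};

// Early-exit comparison: returns at the first mismatch, so the work done
// grows with the length of the correct prefix in the guess.
CompareResult early_exit_equal(const std::string& secret, const std::string& guess) {
    if (secret.size() != guess.size()) return {false, 0};
    std::size_t n = 0;
    for (std::size_t i = 0; i < secret.size(); ++i) {
        ++n;
        if (secret[i] != guess[i]) return {false, n};
    }
    return {true, n};
}

// Constant-time comparison: walks the whole guess and ORs every difference
// into an accumulator. Work depends only on the guess length, which the
// caller already knows, never on how many bytes matched.
CompareResult constant_time_equal(const std::string& secret, const std::string& guess) {
    if (secret.empty()) return {guess.empty(), 0};
    std::size_t diff = secret.size() ^ guess.size();  // length mismatch is folded in
    std::size_t n = 0;
    for (std::size_t i = 0; i < guess.size(); ++i) {
        ++n;
        diff |= static_cast<unsigned char>(guess[i] ^ secret[i % secret.size()]);
    }
    return {diff == 0, n};
}

int main() {
    const std::string none(kSecret.size(), 'x');             // no correct bytes
    const std::string some = "hunt" + std::string(7, 'x');   // 4 correct bytes
    std::cout << "early-exit:    " << early_exit_equal(kSecret, none).bytes_examined
              << " vs " << early_exit_equal(kSecret, some).bytes_examined << "\n";
    std::cout << "constant-time: " << constant_time_equal(kSecret, none).bytes_examined
              << " vs " << constant_time_equal(kSecret, some).bytes_examined << "\n";
    return 0;
}
```

In production code, prefer a vetted constant-time primitive from the crypto library already in use, since an optimizing compiler is free to reintroduce data-dependent branches into hand-written loops.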