OpenSSL fix for PPC 0.4?

Bitcoin just released 0.9.1. I am wondering if there is any update for PPC 0.4? Or clarification from the Dev team?

A bug in OpenSSL, used by Bitcoin-Qt/Bitcoin Core, could allow your bitcoins to be stolen. Immediately updating Bitcoin Core to 0.9.1 is required in some cases, especially if you’re using 0.9.0.

I am keen to find out too. It is better to store your ppc in cold storage.

It only matters if you use SSL on rpc, and your client is statically built with buggy openssl.

In either case, I’m working on a patch right now that I’ll submit for review. Once I’ve submitted the pull request, I’ll let you guys know, and if anyone is available to clone my branch, I’d appreciate a couple extra sets of eyes on the changes.

For review, prior to submitting a pull request:

Disclaimer: This information I’ve found appears to show that Peercoin 0.3 and Peercoin 0.4 are not affected by this bug unless you allow access to your RPCPORT 9902 from the internet. Please do your own research to be sure.

This bug is CVE-2014-0160, which affects a lot of software that uses OpenSSL 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1).

Concerning Bitcoin 0.9.0, there is a “Payment Protocol feature” that appears in Bitcoin 0.9.0 called BIP70.

This Payment Protocol feature is NOT in Peercoin 0.4 (Luckily we’re behind a few releases, here’s where Sunny was smart, we can debate this later).

I have confirmed by looking at the text in the code, that the ppcoind.exe 0.3 and 0.4 win32 binaries use OpenSSL 1.0.1b (which is affected).

The concern for Peercoin specifically is if you are allowing your RPCPORT (usually port 9902) to be accessed externally. I don’t know if that is all it would take, but generally you do not want port 9902 connections inbound from your router.

To check if you have port 9902 accessible by the internet (the default RPC Port for Peercoin) do this:

Go here:

Change port 80 to port 9902 and push Check.

If it says the port is closed, then that means nothing can communicate with your Peercoin client on port 9902 (RPC) and you are probably safe from this problem.

So while you may be safe on Peercoin, you must check all other coin wallets you hold, especially those built on a fork from Bitcoin-core 0.9.0.

Any other software that has OpenSSL 1.0.1 to 1.0.1f static library support compiled in should re-compile or obtain a new pre-built binary.

As per the OpenSSL website:

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
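
Added example, not part of the post above or of Peercoin's code: a small Python script that does the "look at the text in the binary" check described in the post, by finding embedded OpenSSL version banners in a statically linked binary and flagging those in the affected range. The sample bytes are constructed for illustration; pass a real file path as the first argument to scan it instead.

```python
import re
import sys

# OpenSSL embeds a version banner such as "OpenSSL 1.0.1b 26 Apr 2012" in the
# library, so a statically linked wallet binary carries it as plain text.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]?)(-beta\d+)?")

# Constructed sample standing in for the contents of a binary (not a real file).
SAMPLE = (b"MZ\x90\x00junk\x00OpenSSL 1.0.1b 26 Apr 2012\x00more\x00"
          b"OpenSSL 1.0.1g 7 Apr 2014\x00OpenSSL 1.0.2-beta1 24 Feb 2014\x00")


def heartbleed_affected(base, letter, beta):
    """True if the version is in the CVE-2014-0160 range quoted in the thread."""
    if base == "1.0.1":
        # Plain 1.0.1 (letter "") through 1.0.1f are affected; 1.0.1g is fixed.
        return letter <= "f"
    if base == "1.0.2":
        # 1.0.2-beta1 is named in the thread; the OpenSSL advisory puts the
        # fix in 1.0.2-beta2, so only beta1 is flagged here.
        return beta == "-beta1"
    return False


def scan(data):
    """Return sorted (version, affected) pairs for each distinct banner found."""
    found = {}
    for m in BANNER.finditer(data):
        base, letter, beta = (g.decode() if g else "" for g in m.groups())
        found[base + letter + beta] = heartbleed_affected(base, letter, beta)
    return sorted(found.items())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for version, affected in scan(blob):
        status = "AFFECTED" if affected else "not in affected range"
        print(f"OpenSSL {version}: {status}")
```

A banner in the affected range does not show whether the library was built with -DOPENSSL_NO_HEARTBEATS, so treat a hit as "needs a rebuild or a closer look" rather than proof of exposure.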

Pull request submitted, and awaiting Sunny’s review. We were statically building with the vulnerable version (openssl-1.0.1b), so this update makes sure that they are no longer used, and so we’ll be “future proofed”.

Lovely to see you are all over this, great work ben, great info ppcman.