OpenSSL version used with Bitcoin is outdated #2811

issue subSTRATA opened this issue on July 3, 2013
  1. subSTRATA commented at 12:38 PM on July 3, 2013: none

    Hello

    I have recently noticed one altcoin client is using OpenSSL 1.0.1e 11 Feb 2013 without any issues while version used with Bitcoin is still OpenSSL 1.0.1c 10 May 2012, known to have multiple issues (at least 3 bugs, as explained below):

    http://www.openssl.org/news/secadv_20130205.txt

    Time to upgrade to newer or newest version of OpenSSL, maybe?

  2. kuzetsa commented at 11:22 PM on July 9, 2013: none

    @subSTRATA Even if the older version of OpenSSL is:

    known to have multiple issues (at least 3 bugs, as explained below)

    ... It probably doesn't hurt anything.

    Last I checked, bitcoin mostly is only using the randomizer from openssl and probably one or more hashing functions which are not affected by the security advisories you're referencing.

  3. gavinandresen commented at 12:03 AM on July 10, 2013: contributor

    CVE-2013-0169 isn't high priority because it affects approximately zero people (you must be using -rpcssl and you must set an -allowip that lets an attacker connect to your rpc port).

    CVE-2012-2686 isn't high priority for similar reasons.

    And the last bugfix doesn't affect us (we don't use OCSP... the payment protocol might, eventually...)
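
Added example, not part of the comment above or of the Bitcoin code base: a checker for the two preconditions that comment names (RPC served over OpenSSL's TLS, and an allow rule that lets non-local hosts connect). It assumes the `bitcoin.conf` key names `rpcssl` and `rpcallowip` (the comment writes `-allowip`) and that allow entries may be addresses, CIDR ranges or `*` wildcards; the sample configs are constructed.

```python
import ipaddress

# Constructed sample bitcoin.conf contents (not taken from the issue).
SAMPLE_EXPOSED = "server=1\nrpcssl=1\nrpcallowip=127.0.0.1\nrpcallowip=192.168.1.*\n"
SAMPLE_LOCAL = "server=1\nrpcssl=1\nrpcallowip=127.0.0.1  # local only\n"
SAMPLE_NO_TLS = "server=1\nrpcallowip=10.0.0.0/8\n"


def parse_conf(text):
    """Parse key=value lines; repeated keys accumulate into a list."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        opts.setdefault(key, []).append(value)
    return opts


def is_loopback_only(entry):
    """True if an allow entry can only ever match loopback addresses."""
    if "*" in entry or "?" in entry:
        # Wildcard pattern: local only when the fixed prefix is 127.
        return entry.startswith("127.")
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # unparseable entry: assume it may admit remote hosts
    return net.is_loopback


def tls_rpc_exposure(text):
    """Return allow entries that let remote hosts reach a TLS-enabled RPC port.

    An empty list means the two preconditions are not both met; it says
    nothing about other risks (for example, plaintext RPC open to a network).
    """
    opts = parse_conf(text)
    if "1" not in opts.get("rpcssl", []):  # conservative: any rpcssl=1 counts
        return []
    return [e for e in opts.get("rpcallowip", []) if not is_loopback_only(e)]


if __name__ == "__main__":
    for name, conf in [("exposed", SAMPLE_EXPOSED), ("local", SAMPLE_LOCAL),
                       ("no-tls", SAMPLE_NO_TLS)]:
        print(name, tls_rpc_exposure(conf))
```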

  4. Diapolo commented at 10:56 AM on July 12, 2013: none

    #2399 ;)

  5. laanwj commented at 12:26 PM on January 17, 2014: member

    Fixed, dependencies have been upgraded.

  6. laanwj closed this on Jan 17, 2014

  7. Bushstar referenced this in commit e75760fa7c on Apr 5, 2019
  8. DrahtBot locked this on Sep 8, 2021

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 21:16 UTC
