Backport of SSL fix (CVE-2014-0160) for 0.8.6 #4026

issue h0jeZvgoxFepBQ2C opened this issue on April 8, 2014
  1. h0jeZvgoxFepBQ2C commented at 9:34 PM on April 8, 2014: none

    Can you maybe publish a fixed version for 0.8.6? 0.9 introduces some changes which require some changes to my service, so I would be happy if you could publish a fixed 0.8.6 version.

    Thanks!!!

  2. h0jeZvgoxFepBQ2C renamed this:
    Backport of SSL fix (CVE-2014-0160) for 0.8
    Backport of SSL fix (CVE-2014-0160) for 0.8.6
    on Apr 8, 2014
  3. laanwj commented at 7:38 AM on April 9, 2014: member

    The pre-compiled 0.8.6 uses an old OpenSSL version (0.9.8k if I remember correctly), so it's not an issue there. If you built it yourself you can just upgrade your OS's OpenSSL lib version.

  4. laanwj closed this on Apr 9, 2014

  5. luke-jr commented at 9:27 AM on April 9, 2014: member

    Actually, 0.8.x uses OpenSSL 1.0.1c, but since it doesn't have payment protocol support it's really not applicable anyway. It would only be a concern if you had the RPC server exposed to the internet with SSL enabled, but that's already a security hazard even besides Heartbleed. I'll probably include a fixed OpenSSL in 0.8.7rc2, but it's not a priority and may never get built anyway since 0.9.0 is better in every way.

    What kind of problems do you have with 0.9.0? I don't recall any changes that should have broken compatibility with anything...

  6. h0jeZvgoxFepBQ2C commented at 9:47 AM on April 9, 2014: none

    I don't know, I just read that bitcoin-qt is now split up into a CLI version and I think I have to change some small parts of my monit scripts... Nothing big, but I have to spend some time... a 0.8.7 version I probably could just drop in... but thanks anyway for the information...

  7. gmaxwell commented at 9:54 AM on April 9, 2014: contributor

    @lichtamberg Nothing has changed there. There are new commands but the old things work like they always have, at least for now.

  8. laanwj reopened this on Apr 9, 2014

  9. laanwj commented at 10:33 AM on April 9, 2014: member

    Ok, reopening this issue then. I thought 0.8.x still used the old deps. But looking at the deps in 0.8.6 you are right: https://github.com/bitcoin/bitcoin/blob/0.8.6/contrib/gitian-descriptors/deps-win32.yml

  10. laanwj commented at 7:18 AM on May 2, 2014: member

    As 0.8.x doesn't fetch payment requests, there is only very little risk due to Heartbleed: only if you have enabled -rpcssl, a host that is already in the -rpcallow list could execute the attack.

    After the initial hysteria has faded, it does not seem worth it to keep this issue open.

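    The exposure conditions laanwj lists above (a Heartbleed-affected OpenSSL, -rpcssl enabled, and a non-local host in the RPC allow list) written out as a configuration triage check. This is an added example, not code from the issue or from Bitcoin Core; the sample bitcoin.conf is constructed, the option name `rpcallowip` is assumed to be the 0.8.x spelling of the allow list the comment calls -rpcallow, and the affected range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g, with 0.9.8 and 1.0.0 never affected) is the published one for CVE-2014-0160.

```python
import re

# Constructed sample bitcoin.conf for a 0.8.x node (not from the issue).
SAMPLE_CONF = """\
server=1
rpcuser=alice
rpcpassword=REPLACE_ME
rpcssl=1                 # RPC over TLS, the only TLS use in 0.8.x
rpcallowip=127.0.0.1
rpcallowip=192.168.1.*   # a non-local host is in the allow list
"""

def parse_conf(text):
    """Parse key=value lines; repeated keys (e.g. rpcallowip) collect into lists."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf

def openssl_heartbleed_vulnerable(version):
    """True for OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it, older branches lack the code."""
    match = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(match) and match.group(1) <= "f"

def heartbleed_exposure(conf_text, openssl_version):
    """Return (status, remote_allow_entries) for the node described by the config.

    status is one of: safe_openssl, ssl_off, local_only, exposed.
    Only 'exposed' matches the attack precondition described in the issue.
    """
    conf = parse_conf(conf_text)
    ssl_on = conf.get("rpcssl", ["0"])[-1] == "1"   # last value wins, as in bitcoind
    allowed = conf.get("rpcallowip", [])
    remote = [a for a in allowed if a not in ("127.0.0.1", "localhost")]
    if not openssl_heartbleed_vulnerable(openssl_version):
        return ("safe_openssl", remote)
    if not ssl_on:
        return ("ssl_off", remote)      # RPC never speaks TLS, no heartbeat to abuse
    if not remote:
        return ("local_only", remote)   # TLS on, but only localhost may connect
    return ("exposed", remote)

if __name__ == "__main__":
    print(heartbleed_exposure(SAMPLE_CONF, "1.0.1c"))   # ('exposed', ['192.168.1.*'])
    print(heartbleed_exposure(SAMPLE_CONF, "0.9.8k"))   # ('safe_openssl', ['192.168.1.*'])
```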
  11. laanwj closed this on May 2, 2014

  12. DrahtBot locked this on Sep 8, 2021

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-29 15:15 UTC