11:59 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
If you are running a wallet on an exchange, payment gateway, or service,
please pay attention to the following message.
The Monero Vulnerability Response workgroup has received a disclosure of a
wallet bug related to coinbase transactions, that could be disruptive to
anyone running a wallet on an exchange, payment gateway, or service. There
will be a patch released on GitHub on March the 6th, 2019, at 4pm GMT, so
in about 4 days.
In the meantime, you can be safe against anyone trying to exploit this bug
by running "set refresh-type no-coinbase" in monero-wallet-cli. Note that
you will need to first close monero-wallet-rpc, and open the wallet with
monero-wallet-cli. This should be set for every wallet you're running. This
is a persistent flag, so once you quit monero-wallet-cli and start
monero-wallet-rpc on that same wallet, the setting will persist.
NB: this is not a consensus bug, there is no double spend, it does not
allow coins to be created out of thin air, etc.
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEElLc43TUBMvWsvuodVUMt8xzNT80FAlx7tfoACgkQVUMt8xzN
T80VNAf+PKYPaagcGVIhnPCINqSIX/dw9tRMMMaE4q0u1AFTyZz6ynYuVFJrX6Ir
JoMThLf+wQAKlkBoxiSeLskWJ2ILpoP6S+CfZzBzFRYWTwy6NlTZT9WndSFTXPlJ
A/cLTfiHsmzLMc9fiwbcaZI3okcG2XEP7eXkwx5ocUhe1LV77a9Q5CuV1gt8siXA
i1eWNvH1KF33vctwmCvmF3yQf9mGJF4v2eG8IWre4Xr6TBqr4UndL3sBPGy5OS++
IrpBAv1ycTvHWmL2GKVt3AmdA4WwUhBBw7u0Reh1PpLAAWiFdHb5tYZbD9CCryjB
N2lKh+EyNb1DY0GWq4kHxgbMFN7LpA==
=6Pr5
-----END PGP SIGNATURE-----
10:41 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
To update this: since the bug has been irresponsibly, publicly
disclosed by a third-party unrelated to original discloser to the
Vulnerability Response workgroup, the Monero developer community has
decided to fast-forward the update to today. If you are running a
wallet on an exchange, payment gateway, or service, then you can
update to 0.14.0.1 using the appropriate tag, as in 'git checkout
v0.14.0.1'. Binaries for this release should be completed and uploaded
in the next 24 hours.
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEElLc43TUBMvWsvuodVUMt8xzNT80FAlx8THYACgkQVUMt8xzN
T81/Jwf/dqlf0x16Fj3nBXWYrPDr+QfOEIyqh89CpMYIHoM3JlQ+VrZlGdPvEPPI
S5dGZyv7BTymg55xyKKHR+UU+lbkvqBLeczF9ItBv6rJ2D04LHJU49S6Dd9fGa8y
f6A7XkkvSa41g8rmILkLSqM/ntok6YhjMBDjg+I7U6xPkySfvu6AeRCjCEI/E6sp
8lazV9NJpn7EVovu3J2HPJUPnLzXOrUiWOVzzWmc7eNd2pmGvfI7Iyc96k0PqxFF
Ats+zDCJl3vXT7OnT9Am48Ak9J5mwiw29I+gXxUBqv62ZxEgvVz1W15B7HHJKasC
SXLECfw73HCa8af9vvVJLzi+H1W0lA==
=OQVU
-----END PGP SIGNATURE-----
On Sun, 3 Mar 2019 at 13:10, Riccardo Spagni <ric(a)ts.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> If you are running a wallet on an exchange, payment gateway, or service, please pay
attention to the following message.
>
> The Monero Vulnerability Response workgroup has received a disclosure of a wallet bug
related to coinbase transactions, that could be disruptive to anyone running a wallet on
an exchange, payment gateway, or service. There will be a patch released on GitHub on
March the 6th, 2019, at 4pm GMT, so in about 4 days.
>
> In the meantime, you can be safe against anyone trying to exploit this bug by running
"set refresh-type no-coinbase" in monero-wallet-cli. Note that you will need to
first close monero-wallet-rpc, and open the wallet with monero-wallet-cli. This should be
set for every wallet you're running. This is a persistent flag, so once you quit
monero-wallet-cli and start monero-wallet-rpc on that same wallet, the setting will
persist.
>
> NB: this is not a consensus bug, there is no double spend, it does not allow coins to
be created out of thin air, etc.
> -----BEGIN PGP SIGNATURE-----
>
> iQEzBAEBCAAdFiEElLc43TUBMvWsvuodVUMt8xzNT80FAlx7tfoACgkQVUMt8xzN
> T80VNAf+PKYPaagcGVIhnPCINqSIX/dw9tRMMMaE4q0u1AFTyZz6ynYuVFJrX6Ir
> JoMThLf+wQAKlkBoxiSeLskWJ2ILpoP6S+CfZzBzFRYWTwy6NlTZT9WndSFTXPlJ
> A/cLTfiHsmzLMc9fiwbcaZI3okcG2XEP7eXkwx5ocUhe1LV77a9Q5CuV1gt8siXA
> i1eWNvH1KF33vctwmCvmF3yQf9mGJF4v2eG8IWre4Xr6TBqr4UndL3sBPGy5OS++
> IrpBAv1ycTvHWmL2GKVt3AmdA4WwUhBBw7u0Reh1PpLAAWiFdHb5tYZbD9CCryjB
> N2lKh+EyNb1DY0GWq4kHxgbMFN7LpA==
> =6Pr5
> -----END PGP SIGNATURE-----
2092
days inactive
2092
days old
monero-announce@lists.getmonero.org
1 comments
1 participants
participants (1)
-
Riccardo Spagni