-----BEGIN PGP SIGNED MESSAGE-----
To update this: since the bug has been irresponsibly, publicly
disclosed by a third-party unrelated to original discloser to the
Vulnerability Response workgroup, the Monero developer community has
decided to fast-forward the update to today. If you are running a
wallet on an exchange, payment gateway, or service, then you can
update to 0.14.0.1 using the appropriate tag, as in 'git checkout
v0.14.0.1'. Binaries for this release should be completed and uploaded
in the next 24 hours.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
On Sun, 3 Mar 2019 at 13:10, Riccardo Spagni <ric(a)ts.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> If you are running a wallet on an exchange, payment gateway, or service, please pay
attention to the following message.
> The Monero Vulnerability Response workgroup has received a disclosure of a wallet bug
related to coinbase transactions, that could be disruptive to anyone running a wallet on
an exchange, payment gateway, or service. There will be a patch released on GitHub on
March the 6th, 2019, at 4pm GMT, so in about 4 days.
> In the meantime, you can be safe against anyone trying to exploit this bug by running
"set refresh-type no-coinbase" in monero-wallet-cli. Note that you will need to
first close monero-wallet-rpc, and open the wallet with monero-wallet-cli. This should be
set for every wallet you're running. This is a persistent flag, so once you quit
monero-wallet-cli and start monero-wallet-rpc on that same wallet, the setting will
> NB: this is not a consensus bug, there is no double spend, it does not allow coins to
be created out of thin air, etc.
> -----BEGIN PGP SIGNATURE-----
> -----END PGP SIGNATURE-----