Author Topic: Why did we suddenly make two releases in two days?


Offline sudo
So we need DevShares bak&test enough to release to BTS.

Offline cube
I appreciate the prompt action and clear explanation. +5%

Offline pc
Thanks for the quick reaction! Keep up the good work, guys!

Offline xeroc
Any way to tell what version I'm running from the command line?

Offline monsterer

Any way to tell what version I'm running from the command line?

Offline theoretical

Quote from: bytemaster
We have a new release out that addresses some late-breaking security issues. Most exchanges have already been notified. There have been a series of releases over the past two days. The most recent release fixes an operation numbering bug and is only necessary for those using operation ids. Otherwise, the unannounced release made last night is identical to the release made today.

We apologize for the rapid release (3 updates in 3 days), but would like to thank the community members (you know who you are) who helped us identify and fix a significant security vulnerability before any money was lost.

Today's new release 2.0.151216 is basically the same as yesterday's release 2.0.151215, but 2.0.151216 maintains the numbering used by 2.0.151209 and earlier for 1.11.x objects.

The renumbering in 2.0.151215 was an unintended, accidental side effect of fixing a critical security vulnerability.  Our first awareness of this vulnerability was when technical details of it were publicly posted.

The good news:

  • The exchanges have been informed of the problem and the availability of a fix for about 20 hours now.
  • If an exploit was attempted, it would leave evidence on the blockchain.
  • We looked, and did not find any such evidence; no one has actually attempted to exploit this vulnerability.
  • There has been no loss of funds (that we are aware of).
  • Anyone who didn't get the word and is still running 2.0.151209 or earlier will realize they need to upgrade when they desync due to tomorrow's hardfork.

Some more details about the situation:

  • In a private conversation, I found the longstanding community member who discovered the problem was already aware that security-critical vulnerabilities should not be publicly disclosed until a fix is available.  He simply had not realized the security implications of the problem he'd found -- a totally understandable human mistake; he did nothing wrong.  To his credit, after being apprised, he took it upon himself to delete technical details from his postings.
  • As you can imagine, we felt under great time pressure to produce a fix as quickly as possible.  In addition, a key developer had to leave suddenly in the middle of the day.  So we weren't able to test and review the patch as much as we would have liked.
  • The nature of the vulnerability made it much more dangerous to exchanges than normal users.  We wanted to give the exchanges some lead time to upgrade their internal systems, as obviously exchanges are key partners in our community.  So we delayed posting about the release on this forum until we were sure the exchanges had their situation under control.